US-CERT Says Microsoft's Advice On Downadup Worm Bogus

samzenpus posted more than 5 years ago | from the protect-yourself-at-all-times dept.

Security 290

CWmike writes "Microsoft's advice on disabling Windows' 'Autorun' feature is flawed, the US Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack. US-CERT said in an alert that Microsoft's instructions on turning off Autorun are 'not fully effective' and 'could be considered a vulnerability.' The flaw in Microsoft's guidelines is important at the moment, because the 'Downadup' worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features."

I'm a linux what's a worm? (-1, Troll)

drpt (1257416) | more than 5 years ago | (#26555531)

I thought worms only lived in the dirt and my dog's ass

Re:I'm a linux what's a worm? (4, Informative)

idiotwithastick (1036612) | more than 5 years ago | (#26555569)

Wikipedia [wikipedia.org] says that the first worm spread through BSD UNIX (1988):

November 2: The Morris worm, created by Robert Tappan Morris, infects DEC VAX and Sun machines running BSD UNIX connected to the Internet, and becomes the first worm to spread extensively "in the wild", and one of the first well-known programs exploiting buffer overrun vulnerabilities.

Re:I'm a linux what's a worm? (0, Flamebait)

Foofoobar (318279) | more than 5 years ago | (#26555663)

And you neglect to point out that it did nothing and that UNIX systems were the first to learn how to protect against worms as a result. But did Microsoft choose to learn from the lessons of its predecessors? No. It chose to ignore successful security methodologies in order to allow open communications between all software systems, APIs and the user. The system was designed to be open by default... not secure. Security was ALWAYS an afterthought.

Re: what's a worm? (5, Informative)

http (589131) | more than 5 years ago | (#26555965)

Did nothing?? What planet were you on?
The machine took out more than a lot of mail servers, bringing them to a grinding halt for the duration.

Re: what's a worm? (3, Informative)

Anonymous Coward | more than 5 years ago | (#26556219)

Perhaps it's more accurate to say that the Morris Worm did not carry a destructive payload. It's true that it brought down more than a few servers, but that was only because it spread so rampantly without -- as with many modern worms -- any kind of rate-limiting logic.

Re: what's a worm? (1)

http (589131) | more than 5 years ago | (#26556359)

How true. IIRC, it was meant to gather information, not destroy it. I also recall that rate-limiting logic was present, but with such bad numerical assumptions as to be bogus.

Re:I'm a linux what's a worm? (1)

cheater512 (783349) | more than 5 years ago | (#26556125)

It was an afterthought?

I swear in many places it wasn't a thought at all.

Re:I'm a linux what's a worm? (3)

v1 (525388) | more than 5 years ago | (#26556271)

The system was designed to be open by default... not secure. Security was ALWAYS an afterthought.

I don't think I'd say it was an afterthought, that implies they believed it was important to address, once discovered late.

The closer reality seems to be that they acknowledged the issue and determined it made a better feature than vulnerability.

Like the windows autorun on media insert that's making Downadup so successful as of lately. Amazing they STILL haven't axed that. This isn't a case of them being late with a fix, this is a case of them refusing to fix it.

Re:I'm a linux what's a worm? (1)

gandhi_2 (1108023) | more than 5 years ago | (#26556277)

Nice. You just said Microsoft designs with openness in mind.

Re:I'm a linux what's a worm? (1)

novakyu (636495) | more than 5 years ago | (#26556473)

... that UNIX systems were the first to learn how to protect against worms as a result.

Interesting.

Do you know when they became self-aware and launched biological viruses after (or was it before) learning to protect against man-made worms?

Re:I'm a linux what's a worm? (5, Funny)

KozmoKramer (1117173) | more than 5 years ago | (#26556183)

Thanks for pulling up that Gem from 20 + years ago. You and my wife must be related!

Re:I'm a linux what's a worm? (4, Funny)

Anonymous Coward | more than 5 years ago | (#26555717)

There's a new sound, the newest sound around
The strangest sound that you have ever heard
Not like a wild boar or a jungle lion's roar
It isn't like the cry of any bird
But there's a new sound, it's deep down in the ground
And everyone who listens to it squirms
Because this new, new sound so deep under the ground
Is the sound that's made by worms

Re:I'm a linux what's a worm? (1)

Frosty Piss (770223) | more than 5 years ago | (#26556333)

I thought worms only lived in the dirt and my dog's ass

I've never heard Windows described quite that way.

News? (1, Funny)

Anonymous Coward | more than 5 years ago | (#26555539)

Why is this considered news? Microsoft's security recommendations have never been taken seriously. We're supposed to still not take them seriously? Ok. But not news, as, obviously, this is nothing new. Obviously.

Re:News? (4, Interesting)

cbiltcliffe (186293) | more than 5 years ago | (#26555571)

Sometimes they come out with something good....I think.

But they've always been completely screwed up on anything whatsoever to do with autorun.

It was a bad idea from the start, and it's just managed to get worse.

Re:News? (0)

idiotwithastick (1036612) | more than 5 years ago | (#26555651)

Just managed to get worse? That's ignoring things like the Sony rootkit fiasco, right?

Re:News? (1)

cbiltcliffe (186293) | more than 5 years ago | (#26555687)

I don't mean "just now managed to get worse with this attack."

I mean "only got worse and worse - never better - through the entire time since it was introduced."

Re:News? (1)

EvanED (569694) | more than 5 years ago | (#26556121)

The idea wasn't well thought out from the beginning, but I do think Vista improves it substantially, because by default it won't autorun media that has autorun information, at least AFAIK. Instead, it brings up the same sort of autorun dialog that you get when plugging most USB drives into XP, it's just that one of the options is to run the program that the media specifies.

Personally, I think this is a great point on the convenience/security spectrum, because I always did appreciate the convenience of autorun, but have had a hard time leaving it on because of the security issues.

(Of course, knowing MS, they probably managed to screw things up so that you can still just plain autorun even in Vista...)

Windows itself is a vulnerability. (-1, Troll)

The Cisco Kid (31490) | more than 5 years ago | (#26555579)

Anyone that willingly continues to use it for anything except as a non-Internet connected game machine deserves whatever they get.

Re:Windows itself is a vulnerability. (1)

idiotwithastick (1036612) | more than 5 years ago | (#26555617)

Actually, I believe Windows Vista fixed this vulnerability. Too bad MS did such a poor job with UAC that a lot of people might end up catching this virus anyways.

Re:Windows itself is a vulnerability. (0)

Anonymous Coward | more than 5 years ago | (#26555697)

Yo! O.P. shut up you stupid mouth. I like infecting lameos. Stands now every lameo use MS Windows. Big ass of target. Can't miss such big ass. Hit something every time!

Re:Windows itself is a vulnerability. (2, Insightful)

Tenebrousedge (1226584) | more than 5 years ago | (#26555839)

Vista is the most secure windows OS, probably. "most secure" != "secure".

This worm is evidence that they still have a long way to go.

Re:Windows itself is a vulnerability. (2, Insightful)

betterunixthanunix (980855) | more than 5 years ago | (#26555643)

Except that this worm spreads through usb devices and is inherently not-Internet oriented. The only really safe way to use Windows is to constantly reimage your computer or to run in a virtual machine that can be reimaged every time it runs. Within 2 years, it will be feasible to run games in a VM on typical desktop hardware (once IOMMUs are common).

Re:Windows itself is a vulnerability. (5, Insightful)

hairyfeet (841228) | more than 5 years ago | (#26555937)

Or you could, oh I don't know, not let morons near your computer? I'm typing this on a Win2K pro machine that has been hooked to the net and running non stop for almost 9 years. In that time I have gotten zero, zip, nada, squat on the virus front. Why? Because I don't let morons on this machine, that's why.

As a PC repairman I have noticed the PEBKAC problems with Windows can nearly always be traced to one of three types. One, the "anything my friend (insert name of girlfriend) sends me has to be okay." Those can usually be dealt with by installing a decent AV and having them use webmail instead of OE. Two, the "I will click on anything that'll get me teh hot lesbos!" guy. You can usually cut down on his rate of pwnage by giving a copy of Firefox loaded with bookmarks for places like Youporn and Redtube. And three, the "I click on everything I loads off the Kazaa!" types. These are usually dumbass teenagers looking for the latest horrible pop drivel and instead clicking on "lousy_tune.mp3.exe" thinking it is their pop drivel. Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick.

The point is blaming Windows for morons is like blaming the SUV manufacturers when some woman plows through a family of five because she ran a red light while playing with her cell phone. Stupid people will find a way to break stuff, hence why we call them stupid. If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an .exe. It all comes back to the dancing bunny [codinghorror.com] problem. The best we tech guys can do is educate where we can, and take steps like the ones listed above to minimize the damage they can do. Because I don't care which OS you give them PEBKAC problems will NEVER go away. After all this problem wouldn't exist in the first place if folks had actually bothered applying the patch that MSFT released in OCTOBER. Just further proof that they ain't exactly brain trusts we are talking about here.

Re:Windows itself is a vulnerability. (1)

cheater512 (783349) | more than 5 years ago | (#26556143)

Windows makes it way too easy for morons to do their thing.

Put any of those three types on Linux and let's see how much damage they can do.
In all three, no matter what they do, the core system remains fully intact.

Re:Windows itself is a vulnerability. (4, Insightful)

liquidpele (663430) | more than 5 years ago | (#26556179)

Unless, you know, you're on a modern distro that has sudo capabilities instead of a real root account and will install things when you double click on an rpm/deb file you downloaded. It's not hard to re-enter your password. I think you blissfully ignore the major reason windows is such a virus frenzy: all the stupid users are using it. Imagine if they all came to Linux today, how horrible they would break it. And it's not like you can jump back to a restore point in Ubuntu either.

Re:Windows itself is a vulnerability. (3, Interesting)

betterunixthanunix (980855) | more than 5 years ago | (#26556367)

SELinux goes a long way toward containing viruses, as long as the distro maintains decent default policies. For example, only files from the Mozilla packages should be able to modify ~/.mozilla/ or any files in that directory, and Fedora's SELinux policy puts those files in their own context. A virus attempting to install some sort of keylogger in Firefox is forced to attack through Firefox (or another Mozilla program); compare with malware in Windows, that could attack through a specially crafted music file and install a keylogger in IE.

Re:Windows itself is a vulnerability. (5, Informative)

betterunixthanunix (980855) | more than 5 years ago | (#26556251)

"Or you could, oh I don't know, not let morons near your computer?"

Which is just not feasible sometimes. Every few weeks, someone I am working with -- yes, some of us must work with others on our computers -- brings me some files on a thumb drive. I have no choice but to plug that drive into my computer and deal with it, other than not getting my work done at all.

"Putting them in a limited user account and putting a good AV to scan whatever folder they are downloading crap to usually does the trick."

When I used to repair computers, I found that doing this invariably led to questions like, "Why can't I install [insert well known program name here]?" Windows systems really are not oriented toward this sort of security for single users who cannot just call up their helpdesk whenever they need some software installed.

"If you put these types on OSX or Linux they would break just as much as they do on Windows. They would just be loading "Hot_Pron_codec.dmg" or "killer_tune.sh" instead of an .exe."

Except that in OSX and Linux (and BSD and Solaris and all *nix systems) files have to be explicitly declared executable. A user receiving LatestPopSong.mp3.sh would just sit there confused and asking, "Why does it keep opening this song in a text editor? Why does my music player keep getting confused?" In distros that enable SELinux, you can have even more security -- for example, a policy that prevents programs which are not part of Firefox from writing to the Firefox configuration, which would prevent typical virus-installing-keylogger-in-web browser attacks that seem to be so common today; such a policy could be maintained by the distro packagers themselves; in fact, Fedora already gives the .mozilla/ folder a different context. Sure, you can create such a security policy in Windows, but it is not done by default.

Yes, if administered by experts, Windows can remain secure even when connected to the Internet, I will not deny that. Most single user Windows installations are not administered by experts, and unlike big name Linux distros, Microsoft does not have thousands of people tuning the Windows security policies, nor do they have tens of thousands (perhaps hundreds of thousands) of people fixing bugs.

Re:Windows itself is a vulnerability. (1)

Arker (91948) | more than 5 years ago | (#26556391)

Those can usually be dealt with by installing a decent AV and having them use webmail instead of OE.

Any tips on how to get these people to accept the switch though? I'm trying my hardest with a guy I work with, he just can't seem to handle the transition. I got him a gmail account, set it up to retrieve his other accounts mail, explained the benefits (considerable, considering he pays way too much for metered internet access and is constantly receiving large attachments he usually doesn't need to open but Outhouse downloads them anyway... which really hits him in the wallet, not to mention that he works on multiple machines and is constantly needing an email downloaded on the other machine and gone from the server.) He understands all this, wants the better system, but still somehow just can't handle changing interfaces :( he knows how to do his work in Outhouse and becomes paralysed like a deer in the headlights looking at gmail. It's horribly sad, but I just don't know how to help him anymore, every idea I've tried comes to nothing.

Re:Windows itself is a vulnerability. (0, Troll)

MegaFur (79453) | more than 5 years ago | (#26556395)

You seem angry. It makes your post read as non-smart.

Hmmm... (-1, Troll)

jaavaaguru (261551) | more than 5 years ago | (#26555641)

Microsoft supplied the software that allows people's computers to become infected, then gave them false information leading them to believe they're safe, when they're not really.

Suspicious...

Re:Hmmm... (2, Funny)

Timothy Brownawell (627747) | more than 5 years ago | (#26555851)

Microsoft supplied the software that allows people's computers to become infected, then gave them false information leading them to believe they're safe, when they're not really.

Suspicious...

Yeah, it's almost like they value convenience over security (having autorun), and don't know how to write perfect bug-free software like the space shuttle people do (look at the "Update:" at the end of the advisory, the fix instructions should have worked, but they don't without a patch).

Re:Hmmm... (4, Insightful)

toleraen (831634) | more than 5 years ago | (#26555885)

Except Microsoft didn't. According to TFA:

Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector.

The "recommendation" referred to is almost two years old [microsoft.com] and has nothing to do with the worm. Article is a troll pretty much. One support article is for disabling Autorun on CD-ROMs, while the other is for Autoplay. Neither was created specifically to support Downadup as far as I can tell.

So no, not really suspicious at all. Bad on the "researchers" who have pointed to those articles for protection.

Re:Hmmm... (4, Interesting)

lysergic.acid (845423) | more than 5 years ago | (#26556223)

um, what are you talking about? if there is a worm going around that exploits the AutoRun, then naturally the thing to do would be to disable AutoRun. so why is it bad on the researchers for advising people to disable a feature that makes their system more vulnerable to an ongoing security threat. and how is US-CERT or ComputerWorld "trolling" by pointing out that Microsoft's instructions for "disabling AutoRun" don't actually disable AutoRun?

Microsoft is the one who created a feature that is now an active malware infection vector. they are the ones who set this feature to be enabled by default. and they are the ones who made it near impossible to turn off (without downloading additional software). and to make things worse, they release inaccurate advice on how to "disable" this feature, which could potentially lull users into a false sense of security.

Re:Hmmm... (1)

Hordeking (1237940) | more than 5 years ago | (#26556415)

The "recommendation" referred to is almost two years old [microsoft.com] and has nothing to do with the worm. Article is a troll pretty much. One support article is for disabling Autorun on CD-ROMs, while the other is for Autoplay. Neither was created specifically to support Downadup as far as I can tell.

Ironically, I saw this one coming in 1998 when I first installed windows 95. I made sure to disable Autorun as soon as I figured out how to work the registry.

Even More Suspicious (0)

Anonymous Coward | more than 5 years ago | (#26556245)

Even more suspicious is that this bulletin suggests there is a security flaw in the world's most secure OS, Vista. Clearly, the boys at CERT are on crack.

Non-Windows User Here (5, Insightful)

John Hasler (414242) | more than 5 years ago | (#26555715)

Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.

Re:Non-Windows User Here (1)

Ilgaz (86384) | more than 5 years ago | (#26555733)

Aren't you shocked that Autorun on USB class device (key) is enabled by default?

Re:Non-Windows User Here (3, Informative)

cdrguru (88047) | more than 5 years ago | (#26556255)

I would be, if it was true. It isn't. Autoplay, something completely different that was introduced in XP is there for USB devices but not Autorun. Autoplay requires user interaction to do anything, which is why the whole folder icon fooling people is a big deal.

If I get you to click on a link that says you get $1000 for clicking on the link but it really installs software (requiring more clicks to approve) and you do it anyway - and keep confirming it, over and over, I'd say it is your own fault.

Re:Non-Windows User Here (1)

Neoprofin (871029) | more than 5 years ago | (#26555737)

To default turn it off you might have to. You can just hold shift and disable it temporarily when you plug something in until the detection is finished.

Re:Non-Windows User Here (2, Informative)

99BottlesOfBeerInMyF (813746) | more than 5 years ago | (#26555845)

To default turn it off you might have to. You can just hold shift and disable it temporarily when you plug something in until the detection is finished.

Except it can still autorun in response to other events than plugging it in, like single clicking the drive or some applications that look for devices periodically.

Re:Non-Windows User Here (0)

Anonymous Coward | more than 5 years ago | (#26556225)

Sure, sure. And how long do you need to hold down shift for, exactly, it's not like there's any feedback. Until you've held down shift for eight seconds anyway. Then an accessibility options window pops up about filterkeys, and if you cancel it, windows usually acts like the shift key is stuck down, blah blah blah. As someone else pointed out, there are all kinds of other events that can trigger it. Plus you only need to forget to do it one time.

Re:Non-Windows User Here (0)

Anonymous Coward | more than 5 years ago | (#26556375)

Which is why the (albeit somewhat) savvy windows user will have a small army of os-crippling-ware
to disable the many non-essential yet critically vulnerable windows easter eggs and services.

After all, if you're trying to run windows out of the box in 2009, you are functionally illiterate.
I suppose the repeated blows to the face don't deter boxers, either. To each his own.

PS: my captcha is "helpless"

Re:Non-Windows User Here (4, Informative)

syousef (465911) | more than 5 years ago | (#26555787)

Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.

No it's not true. There are lots of ways to do it. The registry editor is just installed by default and pretty simple if you already know how to use it. TweakUI is a free addon Microsoft Powertoy that's worth having and gives you some control back.

http://www.annoyances.org/exec/show/article03-018 [annoyances.org]
http://antivirus.about.com/od/securitytips/ht/autorun.htm [about.com]

Re:Non-Windows User Here (1)

arminw (717974) | more than 5 years ago | (#26556241)

... and pretty simple if you already know how to use it....

Brain surgery and rocket science are also easy if you already know how to do these. To those that don't have the ability, the time, nor the desire to go to the trouble of learning the arcane art of registry editing, the best thing to do is to choose an OS that doesn't have a registry and is not subject to any of the nearly 100,000 instances of malware made specifically for hapless Windows users. There is little or nothing that the intelligent users of these alternatives to Windows cannot do, that the millions of Winsheep are able. For games, there are dedicated devices that are cheaper and better.

Re:Non-Windows User Here (4, Interesting)

syousef (465911) | more than 5 years ago | (#26556387)

Brain surgery and rocket science are also easy if you already know how to do these

Let me get this straight. You're comparing opening up regedit, browsing through a tree of values, and modifying one with brain surgery and rocket science??? You call it "the art of registry editing". I could teach any even semi-competent person how to use regedit in an hour max assuming nothing more than windows knowledge.

As for the abomination that is the windows registry I agree it's awful and for more than just the reasons you point out, but it's no harder to change a single registry entry than to change an ini file field value. I wouldn't compare the use of notepad to edit an ini file to brain surgery or rocket science either.

Re:Non-Windows User Here (1)

X0563511 (793323) | more than 5 years ago | (#26556431)

For games, there are dedicated devices that are cheaper and better.

Says the one that hasn't seen a new game on new hardware connected to a very large TV screen... I'm not arguing about cheaper, but don't try to tell me a console is better.

Re:Non-Windows User Here (0)

Anonymous Coward | more than 5 years ago | (#26555793)

There's a control panel applet for autoplay settings.

Re:Non-Windows User Here (2, Informative)

TubeSteak (669689) | more than 5 years ago | (#26556005)

run services.msc OR Ctrl Panel -> Administrative Tools -> Services
stop and disable service: Shell Hardware Detection

No more auto-run or auto-play

Re:Non-Windows User Here (1)

Repton (60818) | more than 5 years ago | (#26556207)

When I set up a Windows XP computer, I use TweakUI [microsoft.com] to disable autorun for all drives and all media types.

I hope that is sufficient...
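
A way to check what the tweaks discussed in this thread actually left behind, as an added example that is not part of any comment here: the Python below parses a registry export and reports which drive types the `NoDriveTypeAutoRun` policy mask still leaves enabled, and whether `autorun.inf` parsing is blocked through the `IniFileMapping` override, so the audit does not rely on the drive-type mask alone. The registry value names are the standard Windows ones and do not appear on this page; both sample exports are constructed.

```python
import re

# Bits of the NoDriveTypeAutoRun policy value; a set bit disables Autorun
# for that drive type. Standard Windows names, not taken from the thread.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}
POLICY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIMAP = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
          r"\CurrentVersion\IniFileMapping\Autorun.inf")


def parse_reg(text):
    """Parse the subset of .reg syntax needed here: [key] headers,
    dword values and string values. Key and value names are case-folded."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = re.match(r'^(@|"(?P<name>[^"]*)")=(?P<val>.*)$', line)
        if not m or current is None:
            continue  # file header or unsupported value type
        name = (m.group("name") or "").lower()  # "@" is the default value
        val = m.group("val")
        if val.lower().startswith("dword:"):
            current[name] = int(val[6:], 16)
        elif val.startswith('"') and val.endswith('"'):
            current[name] = val[1:-1].replace("\\\\", "\\")
    return keys


def audit(reg_text):
    """Return the effective Autorun posture described by a registry export."""
    keys = parse_reg(reg_text)
    hklm = keys.get(("HKEY_LOCAL_MACHINE\\" + POLICY).upper(), {})
    hkcu = keys.get(("HKEY_CURRENT_USER\\" + POLICY).upper(), {})
    # A machine-wide value takes precedence over the per-user one.
    mask = hklm.get("nodrivetypeautorun", hkcu.get("nodrivetypeautorun"))
    # With no policy value at all, nothing is disabled by policy.
    still_enabled = [name for bit, name in DRIVE_TYPE_BITS.items()
                     if not (mask or 0) & bit]
    # The override redirects autorun.inf lookups to a registry key that
    # does not exist, so the file on the media is never consulted.
    ini = keys.get(INIMAP.upper(), {}).get("")
    ini_blocked = isinstance(ini, str) and ini.lower() == "@sys:doesnotexist"
    return {
        "mask": mask,
        "still_enabled": still_enabled,
        "autorun_inf_ignored": ini_blocked,
        "hardened": not still_enabled and ini_blocked,
    }


# Constructed sample: only a per-user mask of 0x91 is present.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""

# Constructed sample: machine-wide mask of 0xFF plus the autorun.inf override.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(export))
```

Exports written by regedit in the version 5.00 format are UTF-16, so decode the file before passing its text to `audit`.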

Would like to see a worm disable Vista's DRM (1, Insightful)

transporter_ii (986545) | more than 5 years ago | (#26555725)

Would like to see a worm disable some of Microsoft's DRM and see how fast they come out with a working patch.

Re:Would like to see a worm disable Vista's DRM (1)

powerspike (729889) | more than 5 years ago | (#26555765)

Wow don't most people just turn off the computer to do that?

What DRM is that? (3, Informative)

Sycraft-fu (314770) | more than 5 years ago | (#26555961)

Seriously, what are you talking about? I see a lot of "Vista's evil DRM," tossed around, and very little in the way of specifics to back up what it does, which of course leads me to think the people doing the talking don't know what they are talking about.

So what DRM do you want to see disabled? Are you talking about HDCP, the DVI encryption? That's not MS's standard, by the way, DVD and Blu-ray players are where that's from. However, it is one of those things that you don't have to use if you don't want to. I have a Vista system connected to a monitor which has HDCP turned off (professional monitor, you can change the state manually). Means if the system required HDCP, I'd get no image. But it works fine. Reason is, HDCP is only required by Blu-ray playback software. Now you could disable it on the system, I suppose, but that'd gain you nothing. The software would just refuse to play. It wasn't as though MS said "Let's include this to fuck people." Rather it is required if you want to license Blu-ray playback.

So again, what DRM are you talking about? I'm tired of all this bitching from people who don't know what they are saying. If there is something in particular you object to, let's hear what and why. Otherwise, please stop going on about things you don't understand.

Re:What DRM is that? (0)

Anonymous Coward | more than 5 years ago | (#26556067)

There is inactive DRM that may or may not be enabled in 2010 (or later). Of course don't let reason convince you, the DRM is totally active! If /. commenters say it, it must be true.

Re:What DRM is that? (1)

golem100 (581505) | more than 5 years ago | (#26556343)

Actually--have you had a look at the total mess that is the Audio Mixer since Vista? That was not implemented "in the best interests of the Customer"... Blah.

Re:What DRM is that? (0)

Anonymous Coward | more than 5 years ago | (#26556345)

How about WGA/activation and all related copy protection bullshit they use? Yeah, that's not DRM at all, dipshit.

Re:Would like to see a worm disable Vista's DRM (5, Funny)

Anonymous Coward | more than 5 years ago | (#26555987)

The 1 step guide to getting cheap mod points on Slashdot

1) Mention DRM

Are there pies in space? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26555745)

I am asking Slashdot because you are very intelligent beings?

Re:Are there pies in space? (1, Funny)

Anonymous Coward | more than 5 years ago | (#26555857)

I am asking Slashdot because you are very intelligent beings?

Yes, but because there's no gravity in space, we have to use very powerful electric currents to magnetise our pies.

We call them magpies and eat them at our space-football games with hot chips and source.

Go Collingwood! Yeah.

Re:Are there pies in space? (0)

Anonymous Coward | more than 5 years ago | (#26556051)

Thank you kind madam. And these magpies, do they have polarizzed crust, or are they made with ionic crumbs? I ask because I am in a space with am being hungry much. I spoke to the bird person but he whistled and pood at me. At last there is kindness in this world. I love you.

Re:Are there pies in space? (0)

Anonymous Coward | more than 5 years ago | (#26556281)

I like a different magpie, but mine uses a different "Port", same code but also with chips and source..

sorry it's weak, but I cannot believe a collingwood supporter reads slashdot !

Re:Are there pies in space? (0)

Anonymous Coward | more than 5 years ago | (#26556457)

Make that 2 Collingwood supporters :)

Autorun has always been a vulnerability (3, Insightful)

Anonymous Coward | more than 5 years ago | (#26555759)

It makes me feel a bit dizzy every time I think that this "feature" is enabled by default. It's a feature in the same way that an online banking system might feature login without a password, "just type your name to instantly access your account!" It saves the user a tiny hassle against an opportunity for absolute catastrophe.

Autorun is high on my list of stuff to disable very shortly after installing a fresh copy of Windows.

And it's not like it's a secret that this is a vulnerability. There's a reason Apple abandoned this capability when it moved from OS 9 to OS X.

Microsoft deserves derision for continuing to offer and promote this feature.

If Microsoft can't be bothered by it, nor convinced it's a very, very, bad idea, then autorun should at least be limited exclusively to CDs and DVDs. That would merely be a terrible idea, as opposed to a downright catastrophic one.

Does Windows Vista or Windows 7 handle this differently than XP??

Re:Autorun has always been a vulnerability (4, Informative)

Shadow-isoHunt (1014539) | more than 5 years ago | (#26556035)

Limiting autorun to CDs or DVDs doesn't help, because U3 flashdrives come with a rewritable partition that appears as a CD drive, which is also read only. Google "usb switchblade"

Re:Autorun has always been a vulnerability (1)

X0563511 (793323) | more than 5 years ago | (#26556421)

Fortunately, U3 drives can be neutered.

Re:Autorun has always been a vulnerability (1)

EvanED (569694) | more than 5 years ago | (#26556137)

If Microsoft can't be bothered by it, nor convinced it's a very, very, bad idea, then autorun should at least be limited exclusively to CDs and DVDs

As the other person has mentioned, this doesn't work because it's possible for a USB device to masquerade as a CD drive, and it's easy to find a flash drive that does so.

But that isn't even the whole story, which is that barring that fact, what you describe is exactly the situation. Windows won't autorun things off of what it thinks is a removable drive.

Plug in and ... (1)

Derrike (1386721) | more than 5 years ago | (#26555761)

break?

OS X - best fix (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26555763)

Yet another reason I am glad I run a virtually 100% secure OS where such stuff can never happen. Ever.

Wrong link (5, Informative)

asifyoucare (302582) | more than 5 years ago | (#26555767)

Why link to a computerworld article about CERT's advice when you could link directly to the CERT article [us-cert.gov] ?

The computerworld article adds little.

But MS doesn't want to totally disable autorun (1)

localroger (258128) | more than 5 years ago | (#26555809)

Even though autorun is like one of the dumbest ideas ever, MS thinks of it as a COOL FEATURE and disabling it is going to break the COOL AUTOMATION that they have sold your grandma, who will no longer be able to just plug her camera into the computer and have it do its thing automatically. Their users might have to THINK which we all know is a bad thing, especially if you are thinking about how well your Microsoft product works.

Re:But MS doesn't want to totally disable autorun (2, Informative)

Ithaca_nz (661774) | more than 5 years ago | (#26556039)

1. If autorun is running an arbitrary executable on removable media just because, then yes, I would consider it one of the more idiotic ideas that has come up.
2. If autorun is running a known application already installed on the PC when a recognised device type is connected, then no it's not the "dumbest idea ever".

There's no technical reason that you need (1) active to support (2). Whether there is a way to separately disable them in Windows is another question. (anyone have an answer to that?)

Re:But MS doesn't want to totally disable autorun (1)

pjbgravely (751384) | more than 5 years ago | (#26556085)

Auto starting an application to display and download photos from a camera is not the same as running an executable that is found on the camera. One can be done without the other.

Re:But MS doesn't want to totally disable autorun (1)

The MAZZTer (911996) | more than 5 years ago | (#26556357)

Actually in Vista (and XP SP3, or is it 2?) Autorun by default shows a dialog asking you what you want to do with the software, it doesn't run anything on the device/CD unless you explicitly select that option.

Even if it doesn't work... (0)

Anonymous Coward | more than 5 years ago | (#26555811)

Disable Autorun anyway, because it's fucking annoying.

Re:Even if it doesn't work... (5, Informative)

afidel (530433) | more than 5 years ago | (#26555921)

The problem is the Microsoft solution doesn't really disable autorun fully because they didn't think of all codepaths by which the behavior can be launched. The solution CERT gives is beautiful in its simplicity:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Basically it just associates autorun.inf with a NULL system function as the default handler.
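
One way to audit the registry value quoted above on a machine, and to apply it with -Fix from an elevated session (an added example, not part of the original comment or the US-CERT alert; the function name Test-AutorunInfMapping is hypothetical):

```powershell
# Added example: audit (and optionally apply) the IniFileMapping override
# quoted from the US-CERT alert. The function name is hypothetical.
$KeyPath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$Expected = '@SYS:DoesNotExist'

function Test-AutorunInfMapping {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Fix)

    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    # GetValue('') reads the key's unnamed (Default) value,
    # which is the "@=" line in the .reg file.
    $current = if ($key) { $key.GetValue('') } else { $null }
    # Exact, case-sensitive match against the string from the alert.
    $blocked = ($current -ceq $Expected)

    if (-not $blocked -and $Fix -and
        $PSCmdlet.ShouldProcess($KeyPath, "Set (Default) to $Expected")) {
        # Writing under HKLM requires an elevated session.
        if (-not $key) { New-Item -Path $KeyPath -Force | Out-Null }
        # On registry drives, Set-Item writes the key's (Default) value.
        Set-Item -LiteralPath $KeyPath -Value $Expected
        # Re-read rather than assume the write succeeded.
        $current = (Get-Item -LiteralPath $KeyPath).GetValue('')
        $blocked = ($current -ceq $Expected)
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        KeyPresent   = Test-Path -LiteralPath $KeyPath
        DefaultValue = $current
        Blocked      = $blocked
    }
}

# Report only; add -Fix (optionally with -WhatIf) to apply the value.
Test-AutorunInfMapping
```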

Re:Even if it doesn't work... (1)

cdrguru (88047) | more than 5 years ago | (#26556301)

Sadly, Autoplay doesn't rely on autorun.inf. The folder icon executable can still pop up on XP and Vista.

Re:Even if it doesn't work... (1)

afidel (530433) | more than 5 years ago | (#26556439)

Uh, from the CERT advisory [us-cert.gov] :
III. Solution

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the following registry value:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

If you think you know more than the people at CERT, good luck to ya.

Re:Even if it doesn't work... (1)

Rockoon (1252108) | more than 5 years ago | (#26556319)

uhh, no, the problem here is that Microsoft hasn't offered any solutions. Others have claimed that Microsoft has suggested disabling autorun because of this virus, but that is actually not the case. Microsoft has not made any recommendations related to this virus AFAIK, but has released a patch (which may not fully work?)

Many of the hardest hit institutions seem to be those which should already have rules against the use of any USB devices .. why are iPods and thumb drives being plugged into government and military computers?? umm, helllllo? espionage anyone?

by taking advantage of ... users. (4, Insightful)

Animaether (411575) | more than 5 years ago | (#26555865)

"by taking advantage of Windows' Autorun and Autoplay features"
well no, not really.

Granted, they take advantage of the fact that...
1. there is an autorun feature. Is that so horrible? Probably not.
2. that the autorun feature pops up a display letting the user choose what to do (i.e. run the program, browse the drive, view pictures if it finds them, etc.). Again, not so bad.
3. that the autorun feature lets you customize the icon. Okay, things get a little hairy here - it's nice when the icon fits the program, but this malware uses the icon of... a folder. Just like the 'browse the disc/device' icon.
4. that the autorun feature does not have a -clear- distinction between what are autorun directives (run the program), and what are windows' built-in features (browse the drive).

The fourth is nearly inexcusable and if handled well, it would alleviate the third as well - just put a big red border around the darn thing (is one option, anyway).

In the end, though, it doesn't exploit 'autorun' directly - it exploits the fact that many users will think that the option with the folder icon with (misleading) description is the regular 'browse drive' option and click it carelessly.

Re:by taking advantage of ... users. (0)

Anonymous Coward | more than 5 years ago | (#26555967)

oh, I should amend... that's out-of-the-box (XP SP2 and Vista with SP1 added on later). A user -can- set autoplay/autorun settings so that a program will -always- be run automatically. For Vista:
http://windowshelp.microsoft.com/Windows/en-us/help/7e1fe788-0747-4e00-895b-c3461b1ddd971033.mspx [microsoft.com]

Choose Run enhanced content for the type you want (enhanced audio CD or enhanced DVD movie), or choose Install or run program for software and games. Note that this runs the program for all discs of this type, not just the disc you are currently using.

That 'note' should be a big fat 'warning', imho, but I guess they don't want to scare people away... even though this would be a good thing to scare people away from. /Animaether

Re:by taking advantage of ... users. (0)

Anonymous Coward | more than 5 years ago | (#26555999)

"by taking advantage of Windows' Autorun and Autoplay features"
well no, not really.

Granted, they take advantage of the fact that...
1. there is an autorun feature. Is that so horrible? Probably not.

Autoplay isn't a bad idea. Scanning any inserted media and starting an appropriate program is a real convenience and is found on Mac and some Linux distros as well. This only runs programs that were previously installed, and set as default, by the user.
Autorun causes whatever arbitrary program that resides on the removable media to be run. This is a terrible, horrible, no-good idea that should have been shot down before it was shipped. Microsoft should just admit this was a mistake and get rid of it. There are much better ways of ensuring the user can find the correct setup program, since that is its largest legitimate use.

Re:by taking advantage of ... users. (1)

Animaether (411575) | more than 5 years ago | (#26556087)

well, presumably that's what the default "ask me what to do" option, with the program listed at the top, is supposed to effect.

but the option to set your own icon + description then makes it too easy to mislead people, currently.

=====

by the by... the CERT recommendation - http://www.us-cert.gov/cas/techalerts/TA09-020A.html [us-cert.gov] - now notes that MS have an update available for manual install (XP etc.) and/or coming up on windows update (vista, server 2003) that -does- fully close the other vectors that CERT mentions.

Re:by taking advantage of ... users. (1)

quentin_quayle (868719) | more than 5 years ago | (#26556133)

You really do a good job, but defending "autorun" is just preposterous. This was always obviously a dire security hole, but Microsoft still (???) denies it is a bug. They responded to criticism only by adding another layer and making it harder to turn off. Automounting is a positive feature, but auto-execution by default is an anti-feature. Even if it were opt-in it would be bad design.

Re:by taking advantage of ... users. (1)

Timothy Brownawell (627747) | more than 5 years ago | (#26556165)

This was always obviously a dire security hole, but Microsoft still (???) denies it is a bug.

It's not a bug. It's a misfeature. There are a huge number of very good reasons to have it (half the population or so), it's just that there are stronger reasons that it's bad.

Re:by taking advantage of ... users. (2, Informative)

cdrguru (88047) | more than 5 years ago | (#26556205)

Microsoft introduced this when the only autorun capable device was a CD-ROM player and the only CD-ROMs were those manufactured. The idea of a "malware CD" was preposterous.

Any CD-based game for Windows was required to make use of Autorun/Autoplay in order to receive the Windows logo. It was designed to make inserting the disc with zero or minimal install operate like putting a cartridge or CD into a game console.

I am not familiar with any autorun capability on USB drives, but they have Autoplay. Autoplay requires the user's cooperation to do anything.

Re:by taking advantage of ... users. (1)

Compholio (770966) | more than 5 years ago | (#26556445)

Some USB flash drives have features that allow them to show up as CD-rom drives as far as Windows is concerned. I've personally never tried to play with this feature to get it to load something other than the manufacturer intended - but I do know that when you plug these drives in on Windows that they do not prompt you before launching their autorun application.

TweakUI anyone? (2, Interesting)

whoever57 (658626) | more than 5 years ago | (#26555909)

Why did neither MS nor CERT suggest the use of TweakUI to turn off Autorun?

Re:TweakUI anyone? (0)

Anonymous Coward | more than 5 years ago | (#26556015)

Why did neither MS nor CERT suggest the use of TweakUI to turn off Autorun?

Because Powertoys are unsupported?

Re:TweakUI anyone? (1)

rodgster (671476) | more than 5 years ago | (#26556291)

Does anyone know for certain if disabling autorun on all drives using tweakui eliminates the attack vector?

Re:TweakUI anyone? (0)

Anonymous Coward | more than 5 years ago | (#26556437)

It does not. [wikipedia.org]

Why so hard to disable autorun (1)

joe_frisch (1366229) | more than 5 years ago | (#26555911)

Why does Microsoft make it so difficult to disable auto-run? I understand that many customers may like the feature, but why not a simple control panel entry to stop it? Is it somehow tied with DRM for playing videos? I'm not just griping - they must have some reason for this, anyone know what it is?

Re:Why so hard to disable autorun (1)

Timothy Brownawell (627747) | more than 5 years ago | (#26556025)

Why does Microsoft make it so difficult to disable auto-run? I understand that many customers may like the feature, but why not a simple control panel entry to stop it? Is it somehow tied with DRM for playing videos? I'm not just griping - they must have some reason for this, anyone know what it is?

There are people who don't want to be bothered to understand file hierarchies or the "My Computer" window. Microsoft wants to cater to these people, rather than demand that they take time to learn.

Have there been any cases where animals wandered through the automatic doors into some large store? This would be vaguely similar, a convenience feature with unforeseen side-effects.

Re:Why so hard to disable autorun (2, Funny)

John Hasler (414242) | more than 5 years ago | (#26556099)

> Have there been any cases where animals wandered through the automatic doors into some
> large store?

Yes, but not nine million of them.

Re:Why so hard to disable autorun (1)

gmuslera (3436) | more than 5 years ago | (#26556209)

There is a precedent of another gaping "optional" security hole pretty hard to disable that is on by default in Windows. How hard has it ever been to disable Internet Explorer?

Default settings are a blessing and a burden (2, Insightful)

networkzombie (921324) | more than 5 years ago | (#26556027)

Many Microsoft screw ups could be managed by changing its default settings, but unfortunately Windows caters to Grandmothers who can't follow complicated instructions such as go to run, type d:\start.exe, much less mount /dev/hdc -t iso9660 -r /cdrom, or sudo apt-get install omgponies. What really pisses me off is that the simple tools for managing common system administration are not even included with the home version, which is the version that needs the admin tools because it is more likely to be infected due to the default settings. The group policy editor is how you should disable autorun, but it isn't included with XP Home. If it were included it would be more like XP Pro, which should be their lowest version. They should have an XP tech version that allows you to increase TCP connections, and import policies without Active Directory, and allow more than 10 SMB connections, and be able to update other XP boxen with its own installed Windows patches. Oh well, at least I don't always have to tell my Mom to find My Computer, then the D Drive, which she cannot do. I just tell her to insert the damn disc. So what's my solution to this whole fiasco? ESET Nod32. Pay for it and update it. It's not perfect, but what is?

Re:Default settings are a blessing and a burden (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26556185)

and yet Apple has had no problem catering to that market without adding autorun to their system. Hell the install process for most apps on a mac is "Drag this to your Applications folder."

Or you could.... (1)

magamiako1 (1026318) | more than 5 years ago | (#26556417)

Just install the update that Microsoft released in October?