Published on support.wavesco.com (http://support.wavesco.com)


By admin
Created 03/26/2009 - 12:40

The Conficker C computer worm is expected to activate on April Fool's Day 2009

Overview: 

Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability.

Impact: 

By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.
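Both execution paths described above are driven by directives inside the Autorun.inf file: `open=` and `shellexecute=` run when the device is connected and AutoRun fires, while `shell\<verb>\command=` entries become Explorer context-menu and default-action verbs, which is why browsing to the device can also launch code. The following PowerShell script is an added example, not part of the original advisory, for triaging an Autorun.inf found on an already-mounted device: it parses the file and flags the directives that name something to execute, as distinct from cosmetic `label=` and `icon=` entries. The directive names follow the documented Autorun.inf format (the "Autorun.inf Entries" reference); the sample file content is constructed, and `Get-AutorunDirectives` is a name chosen here.

```powershell
# Added example (not part of the original advisory): list the directives in an
# Autorun.inf that would cause code to run, for triaging a removable drive that
# is already mounted on a system where AutoRun has been disabled.
# Directive names follow the documented Autorun.inf format; the sample content
# below is constructed for illustration.

function Get-AutorunDirectives {
    param([Parameter(Mandatory)][string[]]$Lines)

    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -notmatch '^([^=]+)=(.*)$') { continue }          # not a key=value pair
        $key   = $Matches[1].Trim()
        $value = $Matches[2].Trim()

        # Keys that name something to execute: open/shellexecute fire on AutoRun,
        # shell\<verb>\command becomes an Explorer verb (default action or menu item).
        $executes = ($key -in 'open', 'shellexecute') -or
                    ($key -match '^shell\\[^\\]+\\command$')

        [PSCustomObject]@{
            Section  = $section
            Key      = $key
            Value    = $value
            Executes = $executes
        }
    }
}

# Constructed sample: one direct launch, one context-menu verb that launches a
# program, and purely cosmetic entries.
$sample = @'
[autorun]
; constructed sample for illustration
label=Photos
icon=photos.ico
open=setup.exe /quiet
shell\view=&View photos
shell\view\command=viewer.exe
UseAutoPlay=1
'@ -split "`r?`n"

$directives = Get-AutorunDirectives -Lines $sample
$directives | Format-Table -AutoSize
"Directives that launch code: {0}" -f ($directives | Where-Object Executes | Measure-Object).Count

# Against a real device (drive letter is a placeholder):
# Get-AutorunDirectives -Lines (Get-Content 'E:\autorun.inf') | Where-Object Executes
```

On the constructed sample the script reports two executing directives (`open` and `shell\view\command`); the `shell\view` line is only the verb's display text. Once the IniFileMapping workaround below is in place Windows no longer reads any of these entries, so this parser is for understanding what a file would have done, not for deciding whether the mitigation is needed.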

Solution: 

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the following registry value:

    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

To import this value, perform the following steps:

  1. Copy the text
  2. Paste the text into Windows Notepad
  3. Save the file as "autorun.reg"
    Note: In certain circumstances, Notepad may automatically add a .txt extension to saved files. To ensure that the file is saved with the proper extension, select All Files in the "Save as type:" section of the "Save As" dialog.
  4. Navigate to the file location
  5. Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog [1]. Thanks to Nick Brown and Emin Atac for providing the workaround and to Aryeh Goretsky for pointing out a possible issue with Notepad appending a .txt file extension.

Update:

Microsoft has published Microsoft Knowledge Base Article 967715 [2], which describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. After the update is installed, Windows will obey the NoDriveTypeAutoRun registry value. Note that this fix has been released via Microsoft Update to all affected systems. The previous update, described in Microsoft Knowledge Base Article 953252 [3], was only available through Microsoft Update for Windows Vista and Windows Server 2008, and for manual installation on other affected platforms. Microsoft states that systems that already applied the update from Microsoft Knowledge Base Article 953252 do not need to apply the update from Microsoft Knowledge Base Article 967715 because the changes are the same. Additional details about the update can be found in Microsoft Security Advisory (967940) [4]. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun as effectively as the workaround described above.
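The registry workaround in the Solution section and the NoDriveTypeAutoRun setting in the Update can be applied and verified from an elevated PowerShell prompt. The script below is an added example, not part of the original advisory, that writes the IniFileMapping value for Autorun.inf, sets NoDriveTypeAutoRun to 0xFF, clears the current user's MountPoints2 cache, and then reports whether each setting is in place. It assumes local administrator rights. The advisory names the NoDriveTypeAutoRun value and 0xFF but not its key; the `Policies\Explorer` path used here is the standard Explorer policy key for that value. The function names `Disable-AutoRun` and `Test-AutoRunDisabled` are chosen here.

```powershell
# Added example (not part of the original advisory): apply and verify the two
# AutoRun mitigations the advisory describes. Run from an elevated PowerShell
# prompt. Assumption: Policies\Explorer is the key that holds NoDriveTypeAutoRun
# (the advisory gives only the value name and 0xFF).

# Workaround from the advisory: map Autorun.inf to a non-existent INI section so
# Windows never parses any Autorun.inf file, whatever it contains.
$IniMapKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$IniMapValue = '@SYS:DoesNotExist'

# NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type; Windows only
# honours it fully once the update from KB 967715 (or KB 953252) is installed.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolicyName  = 'NoDriveTypeAutoRun'
$PolicyValue = 0xFF

# Cached per-user AutoRun data for devices mounted before the change.
$MountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Disable-AutoRun {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($IniMapKey, "Set (default) to $IniMapValue")) {
        if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
        Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value $IniMapValue
    }

    if ($PSCmdlet.ShouldProcess($PolicyKey, "Set $PolicyName to 0xFF")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value $PolicyValue -Type DWord
    }

    # Deleting the cache is the alternative the advisory gives to rebooting.
    if ((Test-Path $MountPoints2) -and
        $PSCmdlet.ShouldProcess($MountPoints2, 'Remove cached mount points')) {
        Remove-Item -Path $MountPoints2 -Recurse -Force
    }
}

function Test-AutoRunDisabled {
    # One object per check, so the output can feed a compliance report.
    $iniMapped = (Test-Path $IniMapKey) -and
                 ((Get-ItemProperty -Path $IniMapKey).'(default)' -eq $IniMapValue)

    $policy = if (Test-Path $PolicyKey) {
        (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).$PolicyName
    }
    $policyOk = ($null -ne $policy) -and (($policy -band 0xFF) -eq 0xFF)

    [PSCustomObject]@{ Check = 'IniFileMapping Autorun.inf -> @SYS:DoesNotExist'; Pass = $iniMapped }
    [PSCustomObject]@{ Check = 'NoDriveTypeAutoRun = 0xFF (effective with KB 967715)'; Pass = $policyOk }
    [PSCustomObject]@{ Check = 'MountPoints2 cache cleared for current user';     Pass = -not (Test-Path $MountPoints2) }
}

Disable-AutoRun -WhatIf          # dry run: prints the changes without making them
# Disable-AutoRun                # apply the changes
Test-AutoRunDisabled | Format-Table -AutoSize
```

`Disable-AutoRun -WhatIf` shows what would be written before anything changes. The MountPoints2 key lives under HKEY_CURRENT_USER, so the cache is cleared only for the user running the script; as the advisory notes, a restart achieves the same for all users. The NoDriveTypeAutoRun check passing does not by itself mean AutoRun is off on a system that lacks the KB 967715 update, which is exactly why the IniFileMapping entry is the primary control here.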

References: 
  • The Dangers of Windows AutoRun - <http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html> [1]
  • US-CERT Vulnerability Note VU#889747 - <http://www.kb.cert.org/vuls/id/889747> [5]
  • Nick Brown's blog: Memory stick worms - <http://nick.brown.free.fr/blog/2007/10/memory-stick-worms> [6]
  • TR08-004 Disabling Autorun - <http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx> [7]
  • How to correct "disable Autorun registry key" enforcement in Windows - <http://support.microsoft.com/kb/953252> [3]
  • Microsoft Security Bulletin MS08-038 - <http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx> [8]
  • How to Enable or Disable Automatically Running CD-ROMs - <http://support.microsoft.com/kb/155217> [9]
  • NoDriveTypeAutoRun - <http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx> [10]
  • Autorun.inf Entries - <http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx> [11]
  • W32.Downadup - <http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99> [12]
  • MS08-067 Worm, Downadup/Conflicker - <http://www.f-secure.com/weblog/archives/00001576.html> [13]
  • Social Engineering Autoplay and Windows 7 - <http://www.f-secure.com/weblog/archives/00001586.html> [14]
  • Microsoft Security Advisory (967940) - <http://www.microsoft.com/technet/security/advisory/967940.mspx> [4]
  • Microsoft Knowledge Base Article 967715 - <http://support.microsoft.com/kb/967715> [2]
  • Microsoft Knowledge Base Article 953252 - <http://support.microsoft.com/kb/953252> [3]
  • <http://www.us-cert.gov/cas/techalerts/TA09-020A.html> [15]

 

Produced 2009 by US-CERT, a government organization.

 

 


Source URL (retrieved on 02/09/2012 - 18:37): http://support.wavesco.com/advisories/20090326/56

Links:
[1] http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html
[2] http://support.microsoft.com/kb/967715
[3] http://support.microsoft.com/kb/953252
[4] http://www.microsoft.com/technet/security/advisory/967940.mspx
[5] http://www.kb.cert.org/vuls/id/889747
[6] http://nick.brown.free.fr/blog/2007/10/memory-stick-worms
[7] http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx
[8] http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
[9] http://support.microsoft.com/kb/155217
[10] http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx
[11] http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx
[12] http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
[13] http://www.f-secure.com/weblog/archives/00001576.html
[14] http://www.f-secure.com/weblog/archives/00001586.html
[15] http://www.us-cert.gov/cas/techalerts/TA09-020A.html