US-CERT: Microsoft’s Advice on Downadup is Wrong

Microsoft Corp.’s advice on disabling Windows’ “Autorun” feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack.

In an alert issued on Monday, US-CERT said Microsoft’s instructions on turning off Autorun are “not fully effective” and “could be considered a vulnerability.”

The flaw in Microsoft’s guidelines are important at the moment, because the “Downadup” worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows’ Autorun and Autoplay features.

Autorun, the focus of the US-CERT warning, lets Windows automatically run any program specified in the “autorun.inf” on, for example, a CD or a flash drive, as soon as the disc or device is inserted or connected. By default, Windows has Autorun enabled.

The problem is that Downadup, which as of last week had infected nearly 9 million PCs worldwide, tries to spread using USB-based devices, typically flash drives. The worm creates an autorun.inf file at the root directory of any USB-based device it finds connected to the infected machine. Then, when that device is later connected to an uninfected computer, the autorun.inf file copies the worm to the machine without any action on the part of the user or the user even knowing.

The result: another PC hacked by Downadup.

Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have in light of the autorun.inf infection vector. According to US-CERT, Microsoft’s advice is useless.

“The ‘Autorun’ and ‘NoDriveTypeAutorun’ registry values [specified by Microsoft] are both ineffective for fully disabling Autorun capabilities on Microsoft Windows systems,” the organization said. “Setting the Autorun registry value to ‘0’ will not prevent newly-connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed.”

Likewise, the recommended “0xFF” setting for the NoDriveTypeAutorun registry entry, which Microsoft says “disables Autoplay on all drives,” won’t protect users from infection if they happen to double-click on the drive’s icon in Windows Explorer, said US-CERT.

Instead, users should make a different modification to the Windows registry, US-CERT said. In the alert, it gave the new value as well as instructions on how to copy it to Windows Notepad and import it into the registry.

“Once these changes have been made, all of the Autorun code-execution scenarios described above will be mitigated because Windows will no longer parse autorun.inf files to determine which actions to take,” read the US-CERT warning.

One security researcher said he was surprised that Microsoft didn’t catch its recommendation errors, particularly in light of the ongoing Downadup attacks. “Seems unbecoming of Microsoft not to have been the one posting this information on a blog of theirs,” said Andrew Storms, director of security operations at nCircle Network Security Inc.

He also bemoaned the need to edit the registry to disable Autorun. “Not only [is] editing the registry outside the [reach] of most people, but now we have learned that the information from the source is not complete,” Storms added in an exchange via instant messaging.

Microsoft did not immediately reply to a request for comment on US-CERT’s alert.