Microsoft Security Advisory (967940)

Update for Windows Autorun

Published: | Updated:

Version: 2.1

Microsoft is announcing the availability of updates to the Autorun feature that help to restrict AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Restricting AutoPlay functionality to only CD and DVD media can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file.

Microsoft released the following updates related to this advisory.

  • The update released by Microsoft on February 24, 2009: 

    Microsoft Knowledge Base Article 967715 describes an update that corrects an issue with the enforcement functionality used to disable Autorun, which can help customers keep their systems protected. The update corrects an issue that prevents the NoDriveTypeAutoRun registry key from functioning as expected on supported editions of Windows XP and Windows Server 2003. This update is available through automatic updating and from the Microsoft Download Center, and may be required on affected systems before later updates to the Autorun feature are installed.

    Note For all editions of Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008, in order to take advantage of the registry key settings that disable Autorun, customers must install the security update provided in the MS08-038 (950582) security bulletin.
  • The update released by Microsoft on August 25, 2009: 

    Microsoft Knowledge Base Article 971029 describes an update to Autorun that restricts AutoPlay functionality to CD and DVD media. This update is intended to stop AutoPlay functionality from working on USB drives, external hard drives, or network shares. This update is available for supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update was originally available only from the Microsoft Download Center.
  • The update released by Microsoft on February 8, 2011: 

    The update to Autorun described in Microsoft Knowledge Base Article 971029 is now available via automatic updating. Customers who have already installed the 971029 update manually will not be offered the update and do not need to take additional action.
  • The update released by Microsoft on February 22, 2011: 

    Microsoft changed the deployment logic for the updates described in this advisory. This change is intended to minimize the user interaction required to install the updates on systems configured for automatic updating. With the change, typically no user action is required to install the updates, because automatic updating detects the configuration of the target system, downloads the updates, and installs them automatically or on a schedule specified by the user.

    Customers who have already installed the updates will not be offered the updates and do not need to take additional action.
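
To audit the NoDriveTypeAutoRun setting whose enforcement the 967715 update corrects, the following added example (not part of the advisory) reads the value and decodes which drive types have Autorun disabled. The registry path, the bit meanings, and the function name `Get-AutorunPolicy` are not from this page: the first two are taken from Microsoft's documentation of the policy value, and the function name is hypothetical.

```powershell
# Added example, not Microsoft's code. Decodes the NoDriveTypeAutoRun bitmask.
# Assumption: bit meanings and policy path as documented by Microsoft for this value.
# A set bit means Autorun is DISABLED for that drive type.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown type' },
    @{ Bit = 0x04; Name = 'Removable drive' },
    @{ Bit = 0x08; Name = 'Fixed drive' },
    @{ Bit = 0x10; Name = 'Network drive' },
    @{ Bit = 0x20; Name = 'CD/DVD drive' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Unknown type (reserved)' }
)

function Get-AutorunPolicy {
    # Machine-wide policy first, then per-user; a value under HKLM takes precedence.
    $policyPaths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $policyPaths) {
        $prop = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # Key or value missing: no explicit policy is configured in this hive.
            [pscustomobject]@{ Path = $path; Value = 'not set'; DriveType = $null; AutorunDisabled = $null }
            continue
        }
        $raw = $prop.NoDriveTypeAutoRun
        # The value may be stored as REG_DWORD or as 4-byte REG_BINARY.
        if ($raw -is [byte[]]) { $raw = [BitConverter]::ToInt32($raw, 0) }
        $mask = [int64]$raw -band 0xFF   # only the low byte carries drive-type bits
        foreach ($t in $DriveTypeBits) {
            [pscustomobject]@{
                Path            = $path
                Value           = '0x{0:X2}' -f $mask
                DriveType       = $t.Name
                AutorunDisabled = [bool]($mask -band $t.Bit)
            }
        }
    }
}

Get-AutorunPolicy | Format-Table -AutoSize
```

A value of 0xFF shows every drive type as disabled; rows where `AutorunDisabled` is `False` for removable or network drives are the ones to review.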

Other Information

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (February 24, 2009): Advisory published.
  • V1.1 (August 25, 2009): Summary revised to notify users of an update to Autorun that restricts AutoPlay functionality to CD-ROM and DVD-ROM media, available for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 from Microsoft Knowledge Base Article 971029.
  • V2.0 (February 8, 2011): Summary revised to notify users that the 971029 update to Autorun that restricts AutoPlay functionality to CD and DVD media will be offered via automatic updating.
  • V2.1 (February 22, 2011): Summary revised to notify users of a change in the deployment logic for updates described in this advisory. This change is intended to minimize the user interaction required to install the updates on systems configured for automatic updating.