Microsoft Security Advisory (953252)
AutoRun Enforcement in Windows
Microsoft has completed the investigation into a public report of a vulnerability in the AutoRun feature of Windows, which launches installers in removable media or network shares from third-party software vendors. This vulnerability affects all supported editions of Windows XP Service Pack 2, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, and Windows Vista.
At issue is the way Windows enforces AutoRun settings. In at least one scenario, AutoRun will execute arbitrary code on a removable USB storage device despite group policy and/or registry settings that specifically disable AutoRun. For example, if an attacker gives a user a USB key containing specially crafted code and the user simply uses Windows Explorer to examine the contents of the removable drive, AutoRun would execute the specially crafted code without prompting the user for an AutoRun action.
In another scenario, Windows Vista still performs the AutoRun action for network drives even when the registry is specifically set to disable AutoRun. Windows Vista is not properly enforcing the registry setting to prevent the AutoRun action.
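Both scenarios turn on whether the AutoRun policy that an administrator configured is actually in effect for removable and network drives. The following PowerShell script is an added example, not part of the advisory or of any Microsoft tooling: it reads the NoDriveTypeAutoRun value from the machine and user policy keys, decodes which drive types it disables, and reports whether removable drives and network shares are covered. The registry paths and the NoDriveTypeAutoRun bit layout are documented Windows values; the HonorAutorunSetting check reflects the value the KB 953252 update sets so that NoDriveTypeAutoRun is honored, and since the advisory text above does not name it, treat that part as this example's assumption.

```powershell
# Added example (not from the advisory): audit AutoRun policy enforcement.
# Group Policy writes the value under HKLM (computer policy) or HKCU (user policy).
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# NoDriveTypeAutoRun is a bit mask; a set bit disables AutoRun for that drive type.
# Bit positions follow the GetDriveType() constants (DRIVE_REMOVABLE = 2 -> 0x04, etc.).
$DriveBits = [ordered]@{
    0x04 = 'Removable (USB keys, floppies)'
    0x08 = 'Fixed'
    0x10 = 'Remote (network shares)'
    0x20 = 'CD-ROM'
    0x40 = 'RAM disk'
    0x80 = 'Unknown drive types'
}

function Get-AutoRunPolicyReport {
    foreach ($path in $PolicyPaths) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        $mask  = $props.NoDriveTypeAutoRun

        if ($null -eq $mask) {
            [PSCustomObject]@{
                Scope             = $path
                NoDriveTypeAutoRun = 'not set'
                DisabledFor       = @()
                RemovableCovered  = $false
                NetworkCovered    = $false
            }
            continue
        }

        $disabled = @()
        foreach ($bit in $DriveBits.Keys) {
            if (($mask -band $bit) -ne 0) { $disabled += $DriveBits[$bit] }
        }

        [PSCustomObject]@{
            Scope             = $path
            NoDriveTypeAutoRun = ('0x{0:X2}' -f $mask)
            DisabledFor       = $disabled
            RemovableCovered  = (($mask -band 0x04) -ne 0)   # the USB-key scenario
            NetworkCovered    = (($mask -band 0x10) -ne 0)   # the network-drive scenario
        }
    }
}

function Get-HonorAutorunSetting {
    # Assumption for this example: after the KB 953252 update, this value is set to 1
    # under the machine policy key so that NoDriveTypeAutoRun is actually enforced.
    $props = Get-ItemProperty -Path $PolicyPaths[0] -ErrorAction SilentlyContinue
    if ($null -eq $props.HonorAutorunSetting) { return 'not set (update may be missing)' }
    return $props.HonorAutorunSetting
}

Get-AutoRunPolicyReport | Format-List
"HonorAutorunSetting (HKLM policy key): $(Get-HonorAutorunSetting)"
```

A value of 0xFF disables AutoRun for every drive type; the point of the advisory is that, on the affected releases before the update, even a correct mask was not honored in the two scenarios described, so a clean report from this script should be read together with the update status rather than on its own.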
We are not aware of attacks that try to use the reported vulnerabilities or of customer impact at this time. Microsoft is investigating the public reports. For more information about this issue, including download links for the security update, please review the Microsoft Knowledge Base Article 953252.
This vulnerability does not affect supported editions of the following releases of Windows:
- Windows Server 2008 (all editions)