Security Advisory

Microsoft Security Advisory 953252

AutoRun Enforcement in Windows

Published: August 12, 2008

Microsoft has completed the investigation into a public report of a vulnerability in the AutoRun feature of Windows, which launches installers from third-party software vendors on removable media or network shares. This vulnerability affects all supported editions of Windows XP Service Pack 2, Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2, and Windows Vista.

At issue is the way Windows enforces AutoRun settings. In at least one scenario, AutoRun will execute arbitrary code on a removable USB storage device despite group policy and/or registry settings that specifically disable AutoRun. For example, if an attacker gives a user a USB key containing specially crafted code and the user simply used Windows Explorer to examine the contents of the removable drive, AutoRun would execute the specially crafted code without prompting the user for an AutoRun action.

In another scenario, Windows Vista still performs the AutoRun action for network drives even when the registry is specifically set to disable AutoRun. Windows Vista is not properly enforcing the registry setting to prevent the AutoRun action.

We are aware of attacks that try to use the reported vulnerabilities or of customer impact at this time. Microsoft is investigating the public reports. For more information about this issue, including download links for the security update, please review the Microsoft Knowledge Base Article 953252.

Mitigating Factors:

This vulnerability does not affect supported editions of the following releases of Windows:

  • Windows Server 2008 (all editions)

General Information

Overview

Purpose of Advisory: To provide customers with initial notification of the publicly disclosed vulnerability and the availability of a security update over Automatic Updates.

Advisory Status: Microsoft Knowledge Base Article and associated update were released.

Recommendation: Review the referenced Knowledge Base Article and apply the appropriate update.

References:

  • Microsoft Knowledge Base Article: 953252
  • CVE Reference: CVE-2008-1452

This advisory discusses the following software:

Related Software

  • Windows XP Service Pack 2
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the AutoRun feature, a component of Microsoft Windows. This affects the software that is listed in the “Overview” section.

What causes this threat?
An attacker could create a social engineering attack to abuse the AutoRun system that is designed to allow automatic execution of certain files. The attack does not automatically cause specially crafted software to run on the user’s computer. The user would still have to insert removable media or connect to a network share that contains the specially crafted software.

What does this feature do?
The primary purpose of AutoRun is to provide a software response to hardware actions initiated by the user on a computer. AutoRun has three features: Double Click, Contextual Menu, and Autoplay. These features are mainly called from removable media or network shares. During Autoplay, the autorun.inf file from the media is called, which internally executes from the disk. Many companies use this functionality to launch their installers.

What might an attacker use this function to do?
An attacker could convince a user to connect to a network share. This can be done by sending a link through e-mail. Once the network share is connected, the AutoRun feature would start a program on the network share even if the computer’s registry has been configured to not allow this action. The user would not be prompted before this action occurred. The attacker could then execute specially crafted software add-ons, such as spyware, without further user interaction.

An attacker could also provide a USB storage device containing specially crafted code to a user. If the user views the removable drive through Windows Explorer, the user would not be prompted for an AutoRun action. AutoRun would then execute the specially crafted code, such as spyware, without further user interaction.

Will this update be distributed over Automatic Updates?
Yes, this update is distributed over Automatic Updates to the software listed above.

Suggested Actions

  • Review the Microsoft Knowledge Base Article that is associated with this advisory

    Customers who are interested in learning more about this issue should review Microsoft Knowledge Base Article 953252.

Workarounds

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Prevent Creation of Autorun.inf Files on Shares

To prevent the AutoRun feature from being invoked and to keep any programs from writing Autorun.inf files to mapped network drives, follow these steps:

  • Delete any Autorun.inf files from the root of a mapped network drive.
  • Do not give anyone Create rights to the root of a mapped network drive.

Impact of Workaround: AutoRun features will not be available from network drives.
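
The following PowerShell audit is an added example, not part of the original advisory or Microsoft's code. It checks each mapped network drive for the two conditions in the steps above; the function name Get-AutorunShareExposure is hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only audit of mapped network drives. Reports only;
# it deletes nothing and changes no permissions.
# Run it in the user's own session: mapped drives are per logon session.
function Get-AutorunShareExposure {
    $create = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    # DriveType 4 = network drive; ProviderName holds the UNC path.
    foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 4') {
        $root = "$($disk.DeviceID)\"

        # -Force also finds Autorun.inf files marked hidden or system.
        $inf = Get-ChildItem -LiteralPath $root -Filter 'autorun.inf' -File -Force -ErrorAction SilentlyContinue

        # Allow entries that apply to the root itself and grant file creation.
        # NTFS ACL only: share-level permissions are not evaluated here.
        $writers = (Get-Acl -LiteralPath $root).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.FileSystemRights -band $create) -eq $create -and
                ($_.PropagationFlags -band $inheritOnly) -ne $inheritOnly
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique

        [pscustomobject]@{
            Drive           = $disk.DeviceID
            Share           = $disk.ProviderName
            AutorunInfFound = [bool]$inf
            CanCreateAtRoot = $writers -join '; '
        }
    }
}

Get-AutorunShareExposure | Format-List
```

A drive that reports AutorunInfFound as True, or lists principals other than the share's administrators under CanCreateAtRoot, does not yet meet the workaround.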

Disable the Use of USB Storage Devices

There are two methods that you can use to prevent users from connecting to a USB storage device. For more information on disabling USB storage devices see Microsoft Knowledge Base Article 823732.

Important: This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

To Disable the Use of USB Storage Devices

To disable the use of USB storage devices, use one or more of the following procedures, as appropriate to your situation:

If a USB Storage Device Is Not Already Installed on the Computer

If a USB storage device is not already installed on the computer, assign the user or the group Deny permissions to the following files:

  • %SystemRoot%\Inf\Usbstor.pnf
  • %SystemRoot%\Inf\Usbstor.inf

When you do so, users cannot install a USB storage device on the computer. To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:

  1. Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.
  2. Right-click the Usbstor.pnf file, and then click Properties.
  3. Click the Security tab.
  4. In the Group or user names list, click the user or group that you want to set Deny permissions for.
  5. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

     Note: In addition, add the System account to the Deny list.
  6. Right-click the Usbstor.inf file, and then click Properties.
  7. Click the Security tab.
  8. In the Group or user names list, click the user or group that you want to set Deny permissions for.
  9. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

If a USB Storage Device Is Already Installed on the Computer

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

If a USB storage device is already installed on the computer, set the Start value in the following registry key to 4:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

When you do so, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:

  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate, and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
  4. In the right pane, double-click Start.
  5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
  6. Quit Registry Editor.

Please contact the vendor of your USB device to inquire about a newer driver. For information about how to contact the vendor of your USB device, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base:

65416 Hardware and software vendor contact information, A-K

60781 Hardware and software vendor contact information, L-P

60782 Hardware and software vendor contact information, Q-Z

Impact of Workaround: USB storage devices will no longer function on systems where these changes are applied.
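
The following PowerShell sketch is an added example, not part of the original advisory or Microsoft's code. It reports whether either USB storage workaround above is in place and can apply the registry method; the function names Get-UsbStorState and Disable-UsbStor are hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Added example: audit (and optionally apply) the USB storage workarounds.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'

function Get-UsbStorState {
    # Start = 4 means the driver is disabled (registry workaround applied).
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start

    # Deny entries on the driver install files (file-permission workaround).
    $deny = foreach ($name in 'Usbstor.pnf', 'Usbstor.inf') {
        $path = Join-Path $env:SystemRoot "Inf\$name"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        (Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { '{0}: {1}' -f $name, $_.IdentityReference.Value }
    }

    [pscustomobject]@{
        ServiceKeyPresent = $null -ne $start
        StartValue        = $start
        DriverDisabled    = $start -eq 4
        DenyEntries       = @($deny)
    }
}

function Disable-UsbStor {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-Path -Path $UsbStorKey)) {
        Write-Warning 'UsbStor key not found; use the file-permission method instead.'
        return
    }
    # Same change as the Registry Editor steps: Start = 4.
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start to 4')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
}

Get-UsbStorState
Disable-UsbStor -WhatIf   # drop -WhatIf in an elevated session to apply
```

Get-UsbStorState must run under an account that is not itself on the Deny list, otherwise reading the file permissions fails.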

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • August 12, 2008: Advisory published
