AutoRun/AutoPlay Disabling Confusion

So I have been working on disabling AutoRun/AutoPlay, which I will just call AutoRun from now on; although they are technically not the same thing, as far as disabling them goes they are.  Microsoft, in my humble opinion, makes this confusing for no necessary reason.  Especially since malware executing from external drives (other than installed HDDs) is easily the 2nd highest vector for the bad stuff getting onto San Diego City computers. So the need to disable AutoRun is a no-brainer; after all, it's been stopped for A: drives and can't even be enabled if desired. What makes a USB, CD, DVD, network drive, etc. any different? The currently spreading Downadup/Conficker worm would be very happy for system admins/users to allow the admittedly convenient AutoRun functionality despite how dangerous it is.

AutoRun has 3 parts, and they must all be disabled or you won't be safe from its unchecked execution. The 3 parts are:

*  User double-clicks the drive (in the My Computer view, NOT the Explorer or folders view)
*  Contextual Menu (Right Click menu)
*  AutoRun (Automatically run anything that is listed in autorun.inf on “new” drive)

The setting below (done through the registry or GPO [steps here])

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun (set to 0xFF, i.e. all drive types)

should be all you need to do to be AutoRun free, right? Wrong.  Turns out this will only disable the AutoRun parsing of new drives. It will NOT disable the first 2 items in my list above, which means the average user will probably just launch the malware manually. So what do you do?  Well, you turn to MS to explain why they aren't respecting the GPO you just pushed. Unfortunately you will just be met with more confusion. Here's the link you will find for anything older than Vista/Win2008.

http://support.microsoft.com/kb/953252

So you scroll to the bottom to download the patch, but notice that it's really a link to KB950582, which is labeled as Vista/Win2008. What the heck? Then you go to your WSUS console to download the correct patch for WinXP/2000/2003 etc., but it's not there. Only KB950582 is, which by the way was a security patch (MS08-038) for Vista/Win2008 released back in July 08. Long story short, what I've been able to put together is that the patch KB950582, when applied to other Windows OSes, modifies the shell in a way that makes it honor the AutoRun registry entry on those earlier OSes AND repairs a vuln in Vista/Win2008. Which is why it's labeled as Vista/2008 and not XP/2000/2003, but I think MS is wrong not to make it clear and simple to understand what needs to be done to disable AutoRun/AutoPlay for all the Windows OS flavors. They are usually pretty good at scanning and giving your computer the patches it needs; let's hope they decide to change their approach in the near future.

My Solution: Set the GPO for HKEY_LOCAL_MACHINE in Active Directory, and then include the patch KB950582 in WSUS for all your machines.  It should push out even though it says Vista/2008.  I'll update this blog if I find this not to be true.
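To check whether a machine actually ended up in the state described above (policy value set AND the shell update present), here is an added audit script that is not part of the original post. It assumes a Windows host with the built-in Get-ItemProperty and Get-HotFix cmdlets; the 0xFF value and the KB950582 identifier come from the post, and the HKCU path is included as an assumption because the same policy value can also be set per user.

```powershell
# Added example, not from the original post: audit the AutoRun state.
# Registry paths that can carry the NoDriveTypeAutoRun policy value.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'  # assumed per-user location
)

function Get-NoDriveTypeAutoRun([string]$Path) {
    # Returns the DWORD, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

$findings = @()
foreach ($p in $paths) {
    $v = Get-NoDriveTypeAutoRun $p
    if ($null -eq $v) {
        $findings += "[$p] NoDriveTypeAutoRun missing -> AutoRun NOT disabled by policy here"
    } elseif (($v -band 0xFF) -ne 0xFF) {
        # The value is a bitmask of drive types; anything short of 0xFF leaves some type enabled.
        $findings += ('[{0}] NoDriveTypeAutoRun = 0x{1:X2} -> some drive types still allowed' -f $p, $v)
    } else {
        $findings += "[$p] NoDriveTypeAutoRun = 0xFF -> all drive types covered"
    }
}

# The registry value alone only stops autorun.inf parsing on new drives; the
# double-click and right-click paths stay open until the shell update is present.
$hotfix = Get-HotFix -Id 'KB950582' -ErrorAction SilentlyContinue
if ($null -eq $hotfix) {
    $findings += 'KB950582 not installed -> double-click / context-menu AutoRun still honored'
} else {
    $findings += ('KB950582 installed on {0}' -f $hotfix.InstalledOn)
}

$findings
```

Run it in an elevated PowerShell session; Get-HotFix only reports updates recorded in Win32_QuickFixEngineering, so a missing entry is worth confirming in Add/Remove Programs before pushing the update again.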

UPDATE 2: So I'm still on this, and it appears WSUS is NOT pushing KB950582 to non-Vista machines (see next blog post).

PS. US-CERT recently released a bulletin recommending disabling AutoRun, and detailed a fix from Nick Brown (which is great for home but probably a little severe for the enterprise, IMO). They also put in an update about what I explained above; you might want to check out their short "update" paragraph at the bottom if my opinionated ramblings above didn't make 100% sense.

http://www.us-cert.gov/cas/techalerts/TA09-020A.html
