Microsoft Windows Does Not Disable AutoRun Properly
National Cyber Alert System
Technical Cyber Security Alert TA09-020A
Source: US-CERT
Systems Affected
Microsoft Windows
Overview
Disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft’s guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability.
I. Description
Microsoft Windows includes an AutoRun feature, which can automatically run code when removable devices are connected to the computer. AutoRun (and the closely related AutoPlay) can unexpectedly cause arbitrary code execution in the following situations:
* A removable device is connected to a computer. This includes, but is not limited to, inserting a CD or DVD, connecting a USB or FireWire device, or mapping a network drive. This connection can result in code execution without any additional user interaction.
* A user clicks the drive icon for a removable device in Windows Explorer. Rather than exploring the drive’s contents, this action can cause code execution.
* The user selects an option from the AutoPlay dialog that is displayed when a removable device is connected.
Malicious software, such as W32.Downadup, is using AutoRun to spread. Disabling AutoRun, as specified in the CERT/CC Vulnerability Analysis blog, is an effective way of helping to prevent the spread of malicious code.
The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF “disables Autoplay on all types of drives.” Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.
II. Impact
By placing an Autorun.inf file on a device, an attacker may be able to automatically execute arbitrary code when the device is connected to a Windows system. Code execution may also take place when the user attempts to browse to the software location with Windows Explorer.
III. Solution
Disable AutoRun in Microsoft Windows
To effectively disable AutoRun in Microsoft Windows, import the following registry value:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
To import this value, perform the following steps:
Copy the text
Paste the text into Windows Notepad
Save the file as autorun.reg
Navigate to the file location
Double-click the file to import it into the Windows registry
Microsoft Windows can also cache the AutoRun information from mounted devices in the MountPoints2 registry key. We recommend restarting Windows after making the registry change so that any cached mount points are reinitialized in a way that ignores the Autorun.inf file. Alternatively, the following registry key may be deleted:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Once these changes have been made, all of the AutoRun code execution scenarios described above will be mitigated because Windows will no longer parse Autorun.inf files to determine which actions to take. Further details are available in the CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin Atac for providing the workaround.
Update:
Microsoft has provided support document KB953252, which corrects the enforcement of the NoDriveTypeAutoRun registry value. After the update is installed, Windows will obey the NoDriveTypeAutoRun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin. Windows 2000, XP, and Server 2003 users must install the update manually. Our testing has shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF disables AutoRun as effectively as the workaround described above.
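The mitigations above, applied and verified from an elevated PowerShell prompt. This is an added example and not part of the US-CERT alert: it sets the IniFileMapping workaround, sets NoDriveTypeAutoRun to 0xFF under the Explorer policy key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer is Microsoft’s documented location for that value; the alert itself does not name the path), clears the per-user MountPoints2 cache, and reports the resulting state. Windows 2000 and XP ship without PowerShell; there, the .reg file above or reg.exe does the same job.

```powershell
# Added example (not from the US-CERT alert): apply both AutoRun mitigations and verify them.
# Run elevated. Key paths come from the alert and from Microsoft's KB953252/KB967715 guidance.
$ErrorActionPreference = 'Stop'

$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # assumed documented path
$mp2Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Set-IniFileMappingWorkaround {
    # CERT/CC workaround: redirect every Autorun.inf lookup to a registry key that does
    # not exist, so Windows never parses the file at all (covers every scenario above).
    if (-not (Test-Path $mapKey)) { New-Item -Path $mapKey -Force | Out-Null }
    Set-ItemProperty -Path $mapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Set-NoDriveTypeAutoRun {
    # 0xFF disables AutoRun on every drive type; Windows only honours it after KB953252
    # (delivered with MS08-038 on Vista/Server 2008, manual install on 2000/XP/2003).
    if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
    Set-ItemProperty -Path $polKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Clear-MountPoints2Cache {
    # Explorer caches Autorun.inf results per user; drop the cache so devices seen before
    # the change are re-evaluated. A reboot achieves the same thing.
    if (Test-Path $mp2Key) { Remove-Item -Path $mp2Key -Recurse -Force }
}

function Test-AutoRunDisabled {
    # Returns $true only when both mitigations are present.
    $map = if (Test-Path $mapKey) { (Get-ItemProperty -Path $mapKey).'(default)' } else { $null }
    $pol = if (Test-Path $polKey) {
        (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    } else { $null }
    $polText = if ($null -ne $pol) { '0x{0:X2}' -f $pol } else { 'not set' }
    Write-Host ("IniFileMapping\Autorun.inf default : {0}" -f $map)
    Write-Host ("NoDriveTypeAutoRun                 : {0}" -f $polText)
    return ($map -eq '@SYS:DoesNotExist') -and ($pol -eq 0xFF)
}

Set-IniFileMappingWorkaround
Set-NoDriveTypeAutoRun
Clear-MountPoints2Cache
if (Test-AutoRunDisabled) { 'AutoRun mitigations applied; reboot (or log off) to finish flushing cached mount points.' }
else { 'One or more AutoRun mitigations are missing.' }
```

Two caveats a practitioner should know before rolling this out: the IniFileMapping workaround also stops legitimate CD and DVD installers from autostarting, so users must open the disc manually; and the NoDriveTypeAutoRun value does nothing on an unpatched system, so the audit above should be read together with the patch state of the host.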
Oracle
National Cyber Alert System
Oracle Updates for Multiple Vulnerabilities
Original release date: January 15, 2009
Source: US-CERT
Overview
Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.
I. Description
The Oracle Critical Patch Update – January 2009 addresses 41 vulnerabilities in different Oracle products and components. The document provides information about affected components, access and authorization required, and the impact from the vulnerabilities on data confidentiality, integrity, and availability.
Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.
II. Impact
The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information.
III. Solution
Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update – January 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.
Microsoft Technical Cyber Security Alerts
Multiple SMB Protocol Vulnerabilities
Original release date: January 13, 2009
Source: US-CERT
Systems Affected
Microsoft Windows 2000, XP, and Vista
Microsoft Windows Server 2000, 2003, and 2008
Overview
Microsoft has released updates that address vulnerabilities in Microsoft Windows and Windows Server.
I. Description
In its bulletin summary for January 2009, Microsoft released updates to address vulnerabilities in the Server Message Block (SMB) protocol that affect all supported versions of Microsoft Windows.
II. Impact
A remote, unauthenticated attacker could gain elevated privileges, execute arbitrary code, or cause a denial of service.
III. Solution
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for January 2009. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should also consider using an automated update distribution system such as Windows Server Update Services (WSUS).
Microsoft Vista And Windows 7
Microsoft continues to have problems with its Vista operating system. Consumers complain about the problems that plague the software. The next service pack meant to fix those problems continues to be delayed, and no official release date has been set. Security and privacy issues should be of concern to anyone using a Microsoft-based computer to connect to the Internet.
The next operating system release from Microsoft is Windows 7, expected in 2010. The Beta version is available at Microsoft.com. They claim:
Windows 7
Over the past few years, you’ve asked us to make some changes to Windows. We listened closely. Now it’s time to share an early look at how we’ve used your feedback. Windows 7 is faster, more reliable, and makes it easier to do what you want. Both the everyday things and the killer “is that really possible?” things. Dig into this site to see what’s coming.
Internet Explorer 8
Available now, Internet Explorer 8 Beta 2 helps you do what you want online, faster. With innovations to the address bar, search, tabs, and the Favorites bar, Internet Explorer 8 brings you more information, with less effort.
Instant Search
To start, as you type a search request you’ll immediately start seeing relevant suggestions from your chosen search provider, complete with images when available. The twist: search will also use your browsing history to narrow the suggestions. You’ll start seeing search results while you’re typing. If you see what you’re looking for, you can go right to the list without finishing the request.
The Safest Web Browser
According to Mozilla, maker of web browsers, their Firefox is the safest web browser.
Here is their claim:
Firefox keeps your personal info personal and your online interests away from the bad guys.
So How Do We Do It?
What makes Firefox different? Most importantly, we’re open. That means anyone around the world (and we have thousands of experts watching our back) is able to look into our code and find any potential weak spots in our armor.
And when we hear about a problem, we roll up our sleeves and get to work fixing it right away. It’s in your best interest (and ours) to take care of the issue, even if it means admitting we’re a little less than perfect. Simply put, your security is our top priority.
There’s a Method to Our Madness.
Nobody loves the Internet more than we do. But, scammers, spammers and trigger-happy viruses are true threats, so you need to protect yourself while using the Web. That’s Where Firefox Comes In.
Using it is the safest way to surf the web because:
* We don’t try to tackle the problem alone. An international community of security experts is working around the clock to make your web browsing safer (thanks to our open source way of doing things). It’s like having your neighborhood watch led by a group of highly trained ninjas.
* We consider your security every step of the way. Security experts work right from the start to identify and address potential problems before a single line of code is written.
* We stay on top of the issue. We’re constantly monitoring threats and releasing new Firefox updates to stay one step ahead. Operating in an open source world means anyone can help us find and fix our weak spots.
For more details on how Firefox keeps you safe online, visit our security blog.
Google’s New Web Browser Lets You Go Incognito
Web browsing has become safer with Chrome, Google’s browser. You can download it for free. It is light on your computer’s resources but heavy duty on surfing the web: pages load faster.
There is also an awesome feature that is the antithesis of Microsoft’s Internet Explorer (IE) web browser — secure browsing. Whereas Microsoft tries to track your movements and uses practices that are questionable for your privacy and security, Google has built in features to help protect you. In particular, you can click on the little wrench icon in the upper right hand corner and select, “New incognito window.”
A new browser window opens and tells you:
You’ve gone incognito. Pages you view in this window won’t appear in your browser history or search history, and they won’t leave other traces, like cookies, on your computer after you close the incognito window. Any files you download or bookmarks you create will be preserved, however.
Going incognito doesn’t affect the behavior of other people, servers, or software. Be wary of:
* Websites that collect or share information about you
* Internet service providers or employers that track the pages you visit
* Malicious software that tracks your keystrokes in exchange for free smileys
* Surveillance by secret agents
* People standing behind you
Recovering from a Trojan Horse or Virus
by the United States Computer Emergency Readiness Team
www.us-cert.gov
Michael D. Durkota and Will Dormann

It can happen to anyone. Considering the vast number of viruses and Trojan horses traversing the Internet at any given moment, it’s amazing it doesn’t happen to everyone. Hindsight may dictate that you could have done a better job of protecting yourself, but that does little to help you out of your current predicament. Once you know that your machine is infected with a Trojan horse or virus (or if your machine is exhibiting unexpected behavior and you suspect that something is wrong), what can you do?

If you know what specific malicious program has infected your computer, you can visit one of several antivirus web sites and download a removal tool. Chances are, however, that you will not be able to identify the specific program. Unfortunately your other choices are limited, but the following steps may help save your computer and your files.

1. Call IT support
If you have an IT support department at your disposal, notify them immediately and follow their instructions.

2. Disconnect your computer from the Internet
Depending on what type of Trojan horse or virus you have, intruders may have access to your personal information and may even be using your computer to attack other computers. You can stop this activity by turning off your Internet connection. The best way to accomplish this is to physically disconnect your cable or phone line, but you can also simply “disable” your network connection.

3. Back up your important files
At this point it is a good idea to take the time to back up your files. If possible, compile all of your photos, documents, Internet favorites, etc., and burn them onto a CD or DVD or save them to some other external storage device. It is vital to note that these files cannot be trusted, since they are still potentially infected. (Actually, it’s good practice to back up your files on a regular basis so that if they do get infected, you might have an uninfected set you can restore.)

4. Scan your machine
Since your computer (including its operating system) may be infected with a malicious program, it is safest to scan the machine from a live CD (or “rescue” CD) rather than a previously installed antivirus program. Many antivirus products provide this functionality. Another alternative is to use a web-based virus removal service, which some antivirus software vendors offer (try searching on “online virus scan”). Or you could just try Microsoft’s web-based PC Protection Scan. The next best action is to install an antivirus program from an uncontaminated source such as a CD-ROM. If you don’t have one, there are many to choose from, but all of them should provide the tools you need.
After you install the software, complete a scan of your machine. The initial scan will hopefully identify the malicious program(s). Ideally, the antivirus program will even offer to remove the malicious files from your computer; follow the advice or instructions you are given. If the antivirus software successfully locates and removes the malicious files, be sure to follow the precautionary steps in Step 7 to prevent another infection. In the unfortunate event that the antivirus software cannot locate or remove the malicious program, you will have to follow Steps 5 and 6.

5. Reinstall your operating system
If the previous step failed to clean your computer, the most effective option is to wipe or format the hard drive and reinstall the operating system. Although this corrective action will also result in the loss of all your programs and files, it is the only way to ensure your computer is free from backdoors and intruder modifications. Many computer vendors also offer a rescue partition or disc(s) that will do a factory restore of the system. Check your computer’s user manual to find out whether one of these is provided and how to run it. Before conducting the reinstall, make a note of all your programs and settings so that you can return your computer to its original condition. It is vital that you also reinstall your antivirus software and apply any patches that may be available. Consult “Before You Connect a New Computer to the Internet” for further assistance.

6. Restore your files
If you made a backup in Step 3, you can now restore your files. Before placing the files back in directories on your computer, you should scan them with your antivirus software to check them for known viruses.

7. Protect your computer
To prevent future infections, you should take the following precautions:
• Do not open unsolicited attachments in email messages.
• Do not follow unsolicited links.
• Maintain updated antivirus software.
• Use an Internet firewall.
• Secure your web browser.
• Keep your system patched.
To ensure that you are doing everything possible to protect your computer and your important information, you may also want to read some of the articles in the Resources section below.
Is your company keeping information secure?
Federal Trade Commission
Are you taking steps to protect personal information? Safeguarding sensitive data in your files and on your computers is just plain good business. After all, if that information falls into the wrong hands, it can lead to fraud or identity theft. A sound data security plan is built on five key principles:
* Take stock. Know what personal information you have in your files and on your computers.
* Scale down. Keep only what you need for your business.
* Lock it. Protect the information in your care.
* Pitch it. Properly dispose of what you no longer need.
* Plan ahead. Create a plan to respond to security incidents.
Protect Your Computer
Source: Microsoft Security
4 steps to protect your computer
Step 1. Keep your firewall turned on
What is a firewall?
A firewall helps protect your computer from hackers who might try to delete information, crash your computer, or even steal your passwords or credit card numbers. Make sure your firewall is always turned on.
• How to turn on your firewall
• How to choose a firewall
• Learn more about firewalls for your operating system
Step 2. Keep your operating system up-to-date
What are operating system updates?
High priority updates are critical to the security and reliability of your computer. They offer the latest protection against malicious online activities. Microsoft provides new updates, as necessary, on the second Tuesday of the month.
• How to update your operating system
• Microsoft security updates: Frequently asked questions
• Learn about using Microsoft Update
• Go to Microsoft Update
Step 3. Use updated antivirus software
What is antivirus software?
Viruses and spyware are two kinds of usually malicious software that you need to protect your computer against. You need antivirus technology to help prevent viruses, and you need to keep it regularly updated.
• How to get antivirus software
• Get regular antivirus scanning with Windows Live OneCare
• Get a free safety scan
• Learn about viruses
• Learn more about virus protection for your operating system
Step 4. Use updated antispyware technology
What is antispyware software?
Viruses and spyware are two kinds of usually malicious software that you need to protect your computer against. You need antispyware technology to help prevent spyware, and you need to keep it regularly updated.
• Get antispyware technology
• Use Windows Defender, free antispyware for Windows XP SP2
• Learn about spyware
• Learn more about spyware protection for your operating system
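A read-only audit of the four steps above, as an added example that is not part of Microsoft’s page. It assumes a current Windows host (Windows 8 / Server 2012 or later) where the NetSecurity and Defender PowerShell modules exist; those cmdlets post-date the XP-era text above, and on a machine without Windows Defender the antivirus and antispyware checks simply report as failed.

```powershell
# Added example (not from Microsoft's "4 steps" page): audit firewall, patch level,
# antivirus and antispyware state on a modern Windows host. Assumes Windows 8+/Server 2012+.
function Get-FourStepStatus {
    $result = [ordered]@{}

    # Step 1: every firewall profile (Domain, Private, Public) must be enabled.
    $profiles = @(Get-NetFirewallProfile -ErrorAction SilentlyContinue)
    $result.FirewallOn = ($profiles.Count -gt 0) -and
        (@($profiles | Where-Object { $_.Enabled.ToString() -ne 'True' }).Count -eq 0)

    # Step 2: Windows Update service present and at least one update installed recently.
    $result.UpdateServicePresent = $null -ne (Get-Service -Name wuauserv -ErrorAction SilentlyContinue)
    $latest = Get-HotFix | Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $result.LastUpdateInstalled = if ($latest) { $latest.InstalledOn } else { $null }
    # 45 days is an assumed threshold: roughly one missed Patch Tuesday.
    $result.UpdatedWithin45Days = [bool]$latest -and ($latest.InstalledOn -gt (Get-Date).AddDays(-45))

    # Steps 3 and 4: Windows Defender provides both antivirus and antispyware.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result.AntivirusOn     = [bool]($mp -and $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)
    $result.AntispywareOn   = [bool]($mp -and $mp.AntispywareEnabled)
    $result.SignaturesFresh = [bool]($mp -and $mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-7))

    [pscustomobject]$result
}

$status = Get-FourStepStatus
$status | Format-List
$failed = @($status.PSObject.Properties | Where-Object { $_.Value -is [bool] -and -not $_.Value })
if ($failed.Count) { 'Needs attention: ' + (($failed | ForEach-Object Name) -join ', ') }
else { 'All four steps look good.' }
```

The thresholds (45 days for patches, 7 days for signatures) are assumptions chosen for illustration; tighten them to match your own patch cadence.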
Online Verification: Who Can You Trust in the Virtual World?
How can you tell who you are communicating with over the Internet? This article from Business Week helps explain.
Kaylee was struggling. Diagnosed with a heart condition and cancer, she was scared. So she started a blog. Soon, people across the country answered her plea, writing notes of encouragement and even trying to mail her care packages. One night, she wrote a supporter. “I’m overwhelmed right now. I’m dying.”
Brief interactions evolved into late-night, long-hour conversations. But things only got worse. And that was the problem.
In early December 2008, Kaylee added a new blog entry titled, “Coming Clean.” She didn’t have cancer. She had never been sick. In a move eerily reminiscent of the fake “Kaycee Nicole” of 2001, “Kaylee” revealed to her numerous followers that she had been lying for two years.
The news was a blow, but there had been signs. In fact, whenever anyone is revealed as an imposter, you can almost always look back and find signs.
Are You Real?
How do you know if someone online is genuine? Sometimes it’s pretty transparent. We’ve all received messages about magic bank accounts filled with rivers of cash. One of my favorites was an e-mail from a supposed FBI agent. He requested that I send money to prove I wasn’t a terrorist. (I’ve got to admit, that was pretty creative.) I also fondly remember an e-mail from “David Palmer” of the show 24. He needed money, too, because apparently TV characters are real. I’m still waiting for a message from Jack Bauer.
Alfred Adler, a psychologist who collaborated with Sigmund Freud, said: “Trust only movement. Life happens at the level of events, not of words. Trust movement.” The philosophy transfers to the online world quite well. Don’t just trust words, authenticate them. This is especially vital when the communication involves your business. You can verify someone in two ways: through technology and observation. The technical side can often be faked, but a scammer will always give off a psychological “tell.”
Technical Authentication
Here are a few tools, available free on the Web, that will help you identify who’s for real and who’s surreal (and likely up to no good, at your expense):
Run Internet background checks. Google (GOOG) is your friend. Use the popular search engine to look up a contact’s e-mail address. Is the first part used as an alias? If your contact has a Web site, run a search on it. Visit Who Is Domain Tools to see who owns the site and when it was launched. Finally, plug your contact’s phone number into Who Called Us to see if he has been identified as a scammer.
Trace the e-mail. You can use an e-mail’s header to find the sender’s location. What Is My IP Address works great for this. You’d be amazed how many times I’ve found that an e-mail came from Nigeria! This method isn’t foolproof, though. Many scammers use proxies to hide their location.
Check Web statistics. Most people have a Web tracker on their blog or site (I like StatCounter.) If a new contact says he found your Web site through a search, check your Web stats to see if a visitor from his IP address really was referred in that way.
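The header walk behind “Trace the e-mail”, as an added example that is not part of the article. Mail servers prepend a Received: line as the message passes through them, so the bottom-most line is the hop closest to the sender. The sample header below is constructed for illustration; the host names and addresses are documentation ranges, not real mail servers. The important caveat: only the Received: lines written by servers you trust (your own, at the top) are reliable, since a sender can forge any lines below them. That, more than proxies, is why the method isn’t foolproof.

```powershell
# Added example (not from the BusinessWeek article): list the Received: hops of a message,
# earliest hop first, and report the apparent originating IP.
$sampleHeader = @'
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.net with ESMTP id abc123
    for <you@example.net>; Mon, 12 Jan 2009 10:15:02 -0500
Received: from relay.example.org (relay.example.org [198.51.100.7])
    by mx.example.org with ESMTP id def456;
    Mon, 12 Jan 2009 10:14:55 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by relay.example.org with SMTP id ghi789;
    Mon, 12 Jan 2009 10:14:40 -0500
From: "Kaylee" <kaylee@example.org>
Subject: please help
'@

function Get-ReceivedHops {
    param([Parameter(Mandatory)][string]$RawHeader)
    # Unfold continuation lines (a line beginning with whitespace continues the previous
    # header field), then keep only the Received: fields.
    $unfolded = $RawHeader -replace "`r?`n[ \t]+", ' '
    $received = @($unfolded -split "`r?`n" | Where-Object { $_ -match '^Received:' })
    # Received: fields are prepended in transit, so reverse to get sender-side hop first.
    [array]::Reverse($received)
    $hop = 0
    foreach ($line in $received) {
        $hop++
        $from = if ($line -match 'from\s+(\S+)') { $Matches[1] } else { '?' }
        $ip   = if ($line -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') { $Matches[1] } else { $null }
        $by   = if ($line -match '\bby\s+(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Hop = $hop; From = $from; IP = $ip; By = $by }
    }
}

$hops = @(Get-ReceivedHops -RawHeader $sampleHeader)
$hops | Format-Table -AutoSize
# For the sample, hop 1 is 203.0.113.45 handed to relay.example.org; only the final hop
# (written by mail.example.net, the receiving server) is beyond the sender's control.
'Apparent origin: {0} (trust it only as far as you trust the hops above it)' -f $hops[0].IP
```

Feed the function the full raw header of a suspicious message (most mail clients expose it as “view source” or “show original”), then look the resulting IP up with a geolocation service as the article describes.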
Psychological Tells
Identifying scammers is like calling a bluff in poker. Technical observation isn’t enough. Look for subtle behavior changes that give away a person’s real intentions.
Think about whether he or she is being consistent. Creating a fake persona takes a lot of work, so pay attention to details. If the contact should be in surgery, was she online instead? Also, is the tone a little too urgent, too desperate? Fake personas create situations that demand (your) immediate attention.
As your mom no doubt always told you, trust your gut instincts. Does your new contact sound too good to be true? Is her photo too perfect? Many scammers steal photos from modeling Web sites and stories from fairy tales.
The hallmark of many fake personas is drama. The craziest things keep happening—over and over and over. Sometimes, you’re the only person in the world who can help—or so you’re told.
Finally, emotional scammers crave attention. Does he come up with a new problem when you try to end a conversation? Scammers will not respect your boundaries. Watch for signs that he is keeping an eye on you, as if you’re a fish on a line that he doesn’t want to get away.
All of this was driven home to me during the first week of this new year, when a woman on Twitter learned the hard way that people online are quite unpredictable. After a particularly rough night putting her daughter to bed, the frustrated mom “tweeted” that she wanted to smother her child so she would fall asleep. Later that night, there was a knock on her door. One of her followers had reported her to the police.
It’s best to not just be authentic, but wisely authentic. Watch who you interact with and what you say online. You never know who’s listening.