In May 2008, in a one-to-day newsletter called "Virus and Promiscuity. From floppy disk to USB", it was already recommended to specifically configure Windows to ignore autorun.inf files and tackle the root problem, since there were already known ways to bypass the "official" protection, which consisted of modifying the NoDriveTypeAutorun registry policy.
Two vulnerabilities, the same problem
In July 2008, Microsoft released bulletin MS08-038 which, among other things, corrected this failed behavior by Autorun (CVE-2008-0951). But it was only offered through Windows Update (mandatorily) for Windows Vista and 2008. XP users had the patch to fix the bug (KB953252), but you had to download it and install it expressly. It didn't install automatically like the rest of the security patches because Microsoft was afraid of "breaking" too many functionalities for its (still) large windows XP user park. In addition, by the way, it gave a push to encourage the update to its most modern operating system to date.
But at the end of 2008 Conficker appeared, a rather sophisticated malware with some amazing functionalities. It took advantage of the Autorun functionality in an unprecedented way to date. He created an autorun file.ini functional but disguised with garbage, which managed to go unnoticed by antiviruses. That is: the official methods (through the NoDriveTypeAutorun policy of the registry) recommended to date to prevent execution, still did not really work. Due to the success of Conficker in XP, in February 2009 they had to fix a new bug (CVE-2009-0243) through an update that partly covered the previous vulnerability and that this time, was mandatory for everyone. Although patch KB967715 for XP was automatically distributed through Windows Update on that date, it was surprisingly not considered a "security patch" (it does not have a Microsoft bulletin associated with it).
In addition, the patch modified the behavior of Autorun: After applying it, a new label was added to the registry that had to be correctly configured. In practice, for low-powered users, Autorun was still a problem.
Improvements, but only for Windows 7
After so much vulnerability, in May 2009 Microsoft decided to improve the security of the "auto-run" functionality of removable media on which it can be written, avoiding the autoplay dialog on USB sticks. It did so by default in Windows 7 and, for previous versions of Windows, it published in August 2009 patch KB971029. Again, it was not mandatory, it had to be downloaded manually. Another supposed push to motivate the change of operating system. It has been necessary to wait a year and a half for now, at the end of February 2011, to be installed on a mandatory basis for all operating systems prior to Windows 7 from Windows Update.
Other problems with Autorun
But there were still headaches with self-execution. In July 2010 VirusBlokAda discovers Stuxnet. The Trojan can spread through USB sticks without the traditional autorun.inf file. Uses a vulnerability in . LNK that allowed code execution even if AutoPlay and AutoRun were disabled. For practical purposes, it implies that an entirely new way of executing code in Windows had been discovered when a removable device was inserted, regardless of whether all the appropriate measures known so far had been taken to prevent it. Outside of the usual cycle, Microsoft released MS10-046 in August to address the vulnerability.
In short, a long journey until today: vulnerabilities that are not corrected in all systems, security patches that are not qualified as such according to which versions, improvements that are not offered in a mandatory way, patches that overlap other patches and patches that modify the functionality ... a whole headache that seems to be coming to an end, with the patches that block and improve Autorun and Autoplay spread massively.
Even so, there is still a default functionality that prevents the Autorun from being completely annihilated: For devices that are supposed to not be able to write (optical media), Windows still launches AutoPlay and continues to ask the user what to do. Among those options allows automatic execution.
Learn more.
How to disable autorun functionality in Windows
http://support.microsoft.com/kb/967715
02/08/2010 Microsoft releases out-of-cycle update for
vulnerability in .lnk
03/05/2009 Microsoft improves the "self-execution" of Windows 7. Thank you
Conficker?
http://www.hispasec.com/unaaldia/3844
19/02/2000 Attacks through the autorun
http://www.hispasec.com/unaaldia/480
27/05/2008 Virus and promiscuity. From floppy disk to USB
http://www.hispasec.com/unaaldia/3503
25% of malware spread via USB drives
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=227100125
Author: Sergio de los Santos
Source: Hispasec
