US-CERT naysays Microsoft security advisory
- TAGS:953252, autorun, Microsoft, MSFT, US-CERT
- IT TOPICS:Cybercrime & Hacking, Government & Regulation, Security, Windows
In Thursday's IT Blogwatch, Richi Jennings watches US-CERT's helpful augmentation of Microsoft's guidelines to prevent infection by the Conficker/Downadup worm. Not to mention Guitar Hero, circa 1982...
Gregg Keizer reports:
Microsoft Corp.'s advice on disabling Windows' "Autorun" feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack.
...
The flaw in Microsoft's guidelines is important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features.
Dan Goodin adds:
Downadup has managed to infect an estimated 9 million machines at last count using multiple attack vectors. Two of those vectors are USB flash drives and mapped network drives, which are booby-trapped with files that compromise machines that are configured to automatically connect to CD and DVD drives and other types of media. Disabling the feature has long been a good idea, as the 2005 fiasco involving the Sony rootkit made clear ... With Downadup spreading like wildfire, disabling Autorun is an even better idea than ever.
Mark Edward Soper is super:
The Conficker/Downadup family of worms is a nasty bunch for several reasons ... Recent variants ... attach themselves to several processes, disable Windows security services such as Windows Defender, Windows Error Reporting Services, and others, and create a registry entry for faster propagation across a network ... [They] not only exploit the original Windows Server Service RPC Handling Remote Code variation, but can also spread through infected USB flash memory drives and by cracking weak network passwords. These latter methods are widely used by Conficker/Downadup to attack corporate networks ... Also infects mapped drives with autorun.inf files that spread the worm and blocks DNS requests to security sites to prevent downloading of updated antivirus and antimalware programs.
...
Conficker's payload - what it was designed to do - has not been triggered and is not yet known. What the developers of Conficker could do with millions of compromised PCs, the majority of which are on corporate networks, is frightening.
cbiltcliffe has seen it all before:
[Microsoft has] always been completely screwed up on anything whatsoever to do with autorun. It was a bad idea from the start, and it's just managed to get worse.
John Hasler's mind boggles:
Is it really true that you have to edit the registry to turn off autorun? There isn't any clicky? Amazing.
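Since Hasler asks whether turning Autorun off really means editing the registry (it does, on the Windows versions of the day), and since Keizer and Soper above describe both the flawed guidance and the autorun.inf files the worm drops on mapped drives, here is an added example of what the hardened configuration looks like. This is editor's code, not anything from the Computerworld page, Microsoft or US-CERT. The two registry locations are the documented ones: Microsoft's original guidance was the NoDriveTypeAutoRun policy value set to 0xFF, and US-CERT's alert (TA09-020A) added the IniFileMapping entry for Autorun.inf, because on unpatched systems Explorer still honoured the file when a drive was double-clicked even with the policy value set. The function names are my own, and the script assumes PowerShell 3.0 or later run from an elevated prompt.

```powershell
# Added example (editor's code, not from the page, Microsoft or US-CERT).
# Audits, applies, and checks for the Autorun settings discussed above.
#
# 1. NoDriveTypeAutoRun = 0xFF  : Microsoft's original guidance; honoured by
#    AutoPlay but, on unpatched systems, not by Explorer's Autorun.inf handling.
# 2. IniFileMapping\Autorun.inf default = "@SYS:DoesNotExist" : US-CERT's
#    addition; Windows is told to read Autorun.inf settings from a registry key
#    that does not exist, so the file's contents are ignored everywhere.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutorunHardening {
    # Report the current state of both settings without changing anything.
    $noDrive = $null
    $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties['NoDriveTypeAutoRun']) {
        $noDrive = [int]$item.NoDriveTypeAutoRun
    }

    $iniMap = $null
    $key = Get-Item -Path $IniMapKey -ErrorAction SilentlyContinue
    if ($key) { $iniMap = $key.GetValue('') }   # '' is the key's (default) value

    [pscustomobject]@{
        NoDriveTypeAutoRun = $noDrive
        IniFileMapping     = $iniMap
        PolicyDisabled     = ($noDrive -eq 0xFF)              # Microsoft's step
        IniMappingApplied  = ($iniMap -eq '@SYS:DoesNotExist') # US-CERT's step
    }
}

function Set-AutorunHardening {
    # Apply both settings. Idempotent; requires an elevated prompt.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Find-AutorunInf {
    # List Autorun.inf files in the root of every mounted drive (USB and mapped
    # network drives included) together with the lines that would launch code.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $path = Join-Path $drive.Root 'autorun.inf'
        if (Test-Path -LiteralPath $path) {
            $launch = Get-Content -LiteralPath $path -ErrorAction SilentlyContinue |
                      Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' }
            [pscustomobject]@{
                Drive  = $drive.Root
                File   = $path
                Launch = ($launch -join '; ')
            }
        }
    }
}

# Audit first, then apply on a test host before rolling out via GPO or a .reg file.
Get-AutorunHardening
Find-AutorunInf
# Set-AutorunHardening   # uncomment to apply
```

The audit object makes the point of the US-CERT correction visible: a host can report PolicyDisabled as true while IniMappingApplied is false, and that is exactly the state in which an autorun.inf on a worm-infected flash drive could still be honoured. Find-AutorunInf is a cheap triage check for the mapped-drive behaviour Soper describes; a legitimate CD will also carry an autorun.inf, so treat a hit on a removable or network drive, not the file's mere presence, as the signal.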
And finally...
Buffer overflow:
Other Computerworld bloggers:
- Eric Lundquist: Apple joins IBM in the financial happy surprise category
- Seth Weintraub: AAPL earnings call Live
- Eric Lundquist: Why IBM bucked the technology downtrend
- Larry Medina: EMR/EHR MUST go forward, but not until safeguards are in place
- Don Tennant: The other casualty
- Douglas Schweitzer: Don't let Bluetooth leave you seeing red!
- Jaikumar Vijayan: Heartland’s breach disclosure timing raises eyebrows
- SJVN: Liberation fonts for Linux
- Preston Gralla: Which is best for netbooks: Windows 7 or Linux?
- Robert L. Mitchell: From SaaS to Obama
- Mark Everett Hall: Obama's recovery plan overlooks IT workers
- Shark Tank: Same old POS
- Shark Bait: Sleeping Operator
Like this stuff? Subscribe to the RSS feed.
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.
Previously in IT Blogwatch: