|
|
|
|
Windows Secrets Newsletter • Issue 130 • 2007-11-08 • Circulation: over 275,000
|
|
Contents TOP STORY: One quick trick prevents AutoRun attacks WACKY WEB WEEK: Your life vest clashes with your oxygen mask! LANGALIST PLUS: Part seven: decluttering a PC frees up 6GB WOODY'S WINDOWS: Another batch of indispensable Windows utilities PERIMETER SCAN: Apple's new Leopard OS shows Windows envy YOUR SUBSCRIPTION: How to change your address or unsubscribe |
|
For links to every topic in this issue, scroll down to the
Index |
|
ADS
|
|
TOP STORY One quick trick prevents AutoRun attacks
AutoRun starts Windows programs automatically Every recent version of Windows has features known as AutoPlay and AutoRun. These functions are designed to launch applications automatically from a external device containing the necessary AutoRun information. This is what causes an installer window to pop up when you insert a software disc into your CD or DVD drive, for example, or makes a pop-up menu icon appear in the taskbar tray when you insert a USB flash drive. (In some cases, the action doesn't occur until you double-click the flash drive icon in Windows Explorer.) When a disc is inserted or a drive is connected to your system, Windows looks in the root directory of the new disc or drive for a file named autorun.inf. If found, Windows executes the instructions in that file. For example, an autorun.inf file on a CD might contain a line that reads open=setup.exe. This tells your computer to launch a setup program as soon as the CD is inserted into the drive. However convenient this might be, unfortunately, AutoRun also opens a huge door for viruses, Trojan horses, and worms. All it takes is a USB flash drive with an autorun.inf file and an executable in its root. Once inserted, a worm launched in this manner can infect every disk partition it finds, jumping from computer to computer as network users connect to an infected drive. Shutting down AutoPlay is not a fix In both Windows XP and Vista, the default for USB flash drives is to prompt the user for a decision if autorun.inf tries to launch a program. Inserting a CD or DVD into a drive, however, defaults to running any autorun.inf file that may be present. In XP, you can change the defaults for AutoPlay on a given drive by right-clicking the drive in Windows Explorer and choosing Properties. Click the AutoPlay tab and use the controls there to change the settings for different types of media. Making changes in this dialog box, however, has no effect in preventing autorun.inf from being executed. In Vista, end users can choose one of several options, even for software programs that use autorun.inf: (1) always launch the program, (2) always open a listing of the disc in a Windows Explorer window, (3) always prompt for a choice, or (4) take no action. Unfortunately, none of the above steps can safeguard you against a malicious autorun.inf on removable media. I'm no hacker, but I was able in just a few minutes to make an AutoRun file that would run, even with AutoPlay disabled in XP and "take no action" selected in Vista. The exploit involves creating an autorun.inf file that adds a new default command to a USB flash drive's context menu. If you have "take no action" selected in Vista, the flash drive doesn't automatically launch any programs when first inserted. But double-clicking the flash drive icon in My Computer, for example, is all it takes to launch whatever commands are in autorun.inf (which the attacker has made the default command, in place of Open). The steps are documented at Daily Cup of Tech. A clever hacker could make a worm that (1) spreads itself to all your drives when launched in this manner and then (2) displays the drive contents in a window, as expected. This would make it appear that nothing unusual had happened. Block AutoRun for all devices all the time You might think that you could proect yourself from AutoRun by using two keys in the Registry known as NoDriveAutoRun and NoDriveTypeAutoRun. However, self-described "low-budget hacker" Nick Brown points out that these keys can be overridden. A Registry key named MountPoints2 stores information about all USB flash drives and other removable media that have ever been connected to your computer. Brown says this cache overrides the Registry settings that turn off AutoRun. The solution is to globally block autorun.inf files from executing, without trying to use the dialog boxes in XP and Vista to do this. Here's the procedure: Step 1. Start Notepad or another text editor. Step 2. Copy the following text from this page and paste it into your text editor (everything between the square brackets should be all on one line): REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf] @="@SYS:DoesNotExist" Step 3. Save the file with a name like NoAutoRun.reg, taking care to include the .reg extension. Step 4. Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry. The next time you insert a flash drive, CD, DVD, or other removable disc into your system, Windows will not execute the information in any autorun.inf file that may be present. Naturally, taking these steps means that the next time you put a game or installer disc into your CD or DVD drive, its software won't launch automatically. You'll have to open a Windows Explorer window or use a command line to launch the desired executable. The benefit is a big one: a rogue program that you never intended to launch won't silently take over your system if you happen to insert a Trojan-carrying disc into a drive. Have a tip about Windows? Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page. Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine's Here's How section. |
|
EDITOR'S BOOKSHELF
|
|
WACKY WEB WEEK Your life vest clashes with your oxygen mask!
|
|
YOUR SUBSCRIPTION The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, plus the week of Thanksgiving and the last two weeks of August and December. Publisher: WindowsSecrets.com LLC, Attn: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine). Editorial Director: Brian Livingston. Editor-at-Large: Fred Langa. Associate Editor: Scott Dunn. Contributing Editors: Susan Bradley, Mark Edwards, Woody Leonhard, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler. Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners. HOW TO SUBSCRIBE: Anyone may subscribe to this newsletter by visiting our free signup page. WE GUARANTEE YOUR PRIVACY: 1. We will never sell, rent, or give away your address to any outside party, ever. 2. We will never send you any unrequested e-mail, besides newsletter updates. 3. All unsubscribe requests are honored immediately, period. Privacy policy HOW TO UNSUBSCRIBE: To unsubscribe from the Windows Secrets Newsletter,
|
