Windows Secrets


Windows Secrets Newsletter • Issue 130 • 2007-11-08 • Circulation: over 400,000


Table of contents 
  • Top Story: One quick trick prevents AutoRun attacks
  • Wacky Web Week: Your life vest clashes with your oxygen mask!
  • LangaList Plus: Part seven: decluttering a PC frees up 6GB
  • Woody's Windows: Another batch of indispensable Windows utilities
  • Perimeter Scan: Apple’s new Leopard OS shows Windows envy

 
Top Story

One quick trick prevents AutoRun attacks

By Scott Dunn

The AutoRun function in Windows can launch installers and other programs automatically when you insert a CD or flash drive, but this convenience poses a serious security risk.

Unfortunately, simply turning off AutoPlay, a separate feature, isn’t enough to prevent AutoRun from introducing a rogue program into your system.

AutoRun starts Windows programs automatically

Every recent version of Windows has features known as AutoPlay and AutoRun. These functions are designed to launch applications automatically from an external device containing the necessary AutoRun information. This is what causes an installer window to pop up when you insert a software disc into your CD or DVD drive, for example, or makes a pop-up menu icon appear in the taskbar tray when you insert a USB flash drive. (In some cases, the action doesn’t occur until you double-click the flash drive icon in Windows Explorer.)

When a disc is inserted or a drive is connected to your system, Windows looks in the root directory of the new disc or drive for a file named autorun.inf. If found, Windows executes the instructions in that file.

For example, an autorun.inf file on a CD might contain a line that reads open=setup.exe. This tells your computer to launch a setup program as soon as the CD is inserted into the drive.

Convenient as this is, AutoRun also opens a huge door for viruses, Trojan horses, and worms. All it takes is a USB flash drive with an autorun.inf file and an executable in its root. Once the drive is inserted, a worm launched in this manner can infect every disk partition it finds, jumping from computer to computer as network users connect to an infected drive.

Shutting down AutoPlay is not a fix

In both Windows XP and Vista, the default for USB flash drives is to prompt the user for a decision if autorun.inf tries to launch a program. Inserting a CD or DVD into a drive, however, defaults to running any autorun.inf file that may be present.

In XP, you can change the defaults for AutoPlay on a given drive by right-clicking the drive in Windows Explorer and choosing Properties. Click the AutoPlay tab and use the controls there to change the settings for different types of media. Making changes in this dialog box, however, does nothing to prevent autorun.inf from being executed.

In Vista, end users can choose one of several options, even for software programs that use autorun.inf: (1) always launch the program, (2) always open a listing of the disc in a Windows Explorer window, (3) always prompt for a choice, or (4) take no action.

Unfortunately, none of the above steps can safeguard you against a malicious autorun.inf on removable media. I’m no hacker, but I was able in just a few minutes to make an AutoRun file that would run, even with AutoPlay disabled in XP and “take no action” selected in Vista.

The exploit involves creating an autorun.inf file that adds a new default command to a USB flash drive’s context menu. If you have “take no action” selected in Vista, the flash drive doesn’t automatically launch any programs when first inserted. But double-clicking the flash drive icon in My Computer, for example, is all it takes to launch whatever commands are in autorun.inf (which the attacker has made the default command, in place of Open). The steps are documented at Daily Cup of Tech.

A clever hacker could make a worm that (1) spreads itself to all your drives when launched in this manner and then (2) displays the drive contents in a window, as expected. This would make it appear that nothing unusual had happened.
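As an added example (not code from the newsletter or from any source it cites), here is a small Python auditor for the autorun.inf directives described above: it parses the [autorun] section of a file found in a drive root, reports every open= or shellexecute= entry and every shell\verb\command= entry that rewrites the drive's context menu, and flags the case where shell= makes such a verb the default action in place of Open. The sample file contents and the verb name "browse" are constructed for the demonstration.

```python
"""Audit an autorun.inf for directives that launch a program.

Added example for this article; it is not the newsletter's or Nick Brown's
code. It reads the [autorun] section the way a defender would when triaging
a removable drive and reports every directive that can start an executable.
All sample contents below are constructed.
"""
import configparser
import os
from typing import Dict, List

LAUNCH_KEYS = {"open", "shellexecute"}  # run a program when the drive is opened


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value ({} if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str.lower  # autorun.inf keys are case-insensitive
    try:
        cp.read_string(text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:  # no section header or otherwise unreadable
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "") for k, v in cp.items(section)}
    return {}


def audit_autorun(text: str) -> List[str]:
    """Return findings for one autorun.inf; an empty list means nothing launches."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if key in LAUNCH_KEYS:
            findings.append(f"{key}= launches '{value}' when the drive is opened")
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key[len("shell\\"):-len("\\command")]
            findings.append(f"context-menu verb '{verb}' runs '{value}'")
    default = entries.get("shell", "").lower()
    if default and f"shell\\{default}\\command" in entries:
        findings.append(f"double-clicking the drive runs verb '{default}' instead of Open")
    return findings


def audit_drive_root(root: str) -> List[str]:
    """Audit a mounted drive root (e.g. 'E:\\'); the file name is case-insensitive."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), encoding="latin-1") as fh:
                return audit_autorun(fh.read())
    return []


# Constructed samples: a benign installer disc, and the context-menu rewrite
# described in the article, where a custom verb replaces Open as the default.
INSTALLER_DISC = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nlabel=Example Product\n"
REWRITTEN_MENU = "[AutoRun]\nlabel=USB Drive\nshell\\browse\\command=start.exe\nshell=browse\n"

if __name__ == "__main__":
    for name, text in (("installer disc", INSTALLER_DISC), ("rewritten menu", REWRITTEN_MENU)):
        print(name, "->", audit_autorun(text) or ["no program launched"])
```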

Block AutoRun for all devices all the time

You might think that you could protect yourself from AutoRun by using two keys in the Registry known as NoDriveAutoRun and NoDriveTypeAutoRun.

However, self-described “low-budget hacker” Nick Brown points out that these keys can be overridden. A Registry key named MountPoints2 stores information about all USB flash drives and other removable media that have ever been connected to your computer. Brown says this cache overrides the Registry settings that turn off AutoRun.

The solution is to globally block autorun.inf files from executing, without trying to use the dialog boxes in XP and Vista to do this. Here’s the procedure:

Step 1. Start Notepad or another text editor.

Step 2. Copy the following text from this page and paste it into your text editor (everything between the square brackets should be all on one line):

REGEDIT4
; Point every read of an autorun.inf at a Registry key that does not exist, so Windows finds no AutoRun directives.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Step 3. Save the file with a name like NoAutoRun.reg, taking care to include the .reg extension.

Step 4. Right-click your .reg file and choose Merge. Confirm any warning prompts to add the information to the Registry.

UPDATE 2009-01-21: As an extra precaution, it’s a good idea to reboot your PC after Step 4, on the off chance that some old information was residing in cache memory.

The next time you insert a flash drive, CD, DVD, or other removable disc into your system, Windows will not execute the information in any autorun.inf file that may be present.

Naturally, taking these steps means that the next time you put a game or installer disc into your CD or DVD drive, its software won’t launch automatically. You’ll have to open a Windows Explorer window or use a command line to launch the desired executable.

The benefit is a big one: a rogue program that you never intended to launch won’t silently take over your system if you happen to insert a Trojan-carrying disc into a drive.

Have a tip about Windows? Readers receive a gift certificate for a book, CD, or DVD of their choice for sending tips we print. Send us your tips via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine’s Here’s How section.

 
Wacky Web Week

Your life vest clashes with your oxygen mask!

We’ve all been there. Flying these days has become increasingly drab, with long lines at check-in, privacy violations in the name of national security, and flight delays out on the runway.

Some airline employees are attempting to cure the in-flight blues. The flight attendant in this video might not have been wearing a fabulous uniform designed by J. Lo herself, but his commentary has pizzazz (wait for it — the best bits are a few seconds in).


 
LangaList Plus

Part seven: decluttering a PC frees up 6GB

By Fred Langa

In this column, the seventh in my series on Housecalls across North America, we see just how much space a proper PC housecleaning might free up.

Nearing the end of my cross-country journey, I also take some time to ponder what I’ve accomplished during the trip.


New England homecoming wraps up journey

In my previous installments, you’ve seen:
  • How to use some free, powerful tools to declutter a PC and speed up boot times;
  • How to resolve an address conflict on a small network;
  • How to test the basic security of an Internet connection;
  • How to reduce the size of areas where enormous numbers of junk files can quietly accumulate;
  • How some popular software can ruin the performance of some PCs;
  • How to reduce fan noise in a PC; and
  • How to get Scheduled Tasks to run properly if you don’t have a login password, something that’s normally required.
If you missed the earlier installments, take a look at Parts One, Two, Three, Four, Five, and Six.

It felt good to enter familiar territory as I rolled into New Hampshire from Toronto. New England has a character all its own, not least in part from the ancient mountains there: the Appalachians were once as mighty as the Himalayas, but half a billion years of wind and water have smoothed the edges and worn the tops so that almost all that’s left are the rounded stumps of once-massive peaks. It’s a stark contrast to the still-jagged aspects of the Rockies, which are relative babies geologically speaking — a full order of magnitude younger than the Appalachians.

Of course, it’s also home to me, and that counts for a lot. And I admit it: I cheated a bit by stopping off at my house before heading to Hillsboro, N.H., for this year’s fourth and final Housecall. After motorbiking across the U.S. for weeks and riding back across Canada pretty much in one long push, the lure of a familiar bed, a long shower, and something other than riding clothes proved irresistible.

Figure 1. It’s good to be back. Every part of the continent has its own appeal, but as a New England native, this kind of scene about a mile (1.6 km) from where I live feels most like home to me.


A numerical breakdown of my cross-country ride

When I got home, I pondered some stats:

This article is part of our paid content.


 
Woody's Windows

Another batch of indispensable Windows utilities

By Woody Leonhard

My Oct. 25 column presented a very short list of the utilities I install on every new Windows XP and Vista computer.

Hundreds of you wrote with suggestions for more must-have Windows utilities, and I’ve found a few that really ring my chimes — read on.


The best of everyone’s favorite tools

In 15 years of writing books, blogs, and magazine and newsletter articles, I’ve never had so much mail!

Hundreds and hundreds of you wrote in, extolling the virtues of Windows add-ins you can’t live without. I’ve had a chance to slice, dice, download, and splice all sorts of new utilities, and I’ve come up with a small handful of real winners — programs that have found a place on all of the computers I feed and care for.

It’s quite remarkable, actually. As mentioned in my last column, I don’t install many new utilities, and I tend to delete after a day or two a fair percentage of the ones I try. Adding to the challenge, I have a distinctly miserly attitude: I greatly prefer free (or donationware) programs, but I can be coerced occasionally into parting with some folding money.

IrfanView displays every image you throw at it

In my rush to play with all the new goodies last time, I overlooked one key utility that’s been part of my bag of tricks for many years.

IrfanView belongs on every PC. Period. I’ve written about it before, on Mar. 2, 2006, and I cover it in all of my books. It’s a fantastic, small, free file viewer/player that displays every kind of file you’ve ever heard of, and many you haven’t.

This article is part of our paid content.


 
Perimeter Scan

Apple’s new Leopard OS shows Windows envy

By Ryan Russell

The latest version of Mac OS X is out, and among its new features are a few security additions.

While Apple continues to make fun of problems experienced by Windows users, the Cupertino company is just now catching up to some protective features Windows has had for a while.


Leopard features that are already in Windows

Even as a kid, I used to play the “my computer is better than yours” game. Anyone who has ever watched the “I’m a Mac, I’m a PC” commercials knows that Apple likes to play too.

Funny, as a teenage Apple II owner, I used to be more on Apple’s side. But this is not OS X Secrets, so let me point out to you the security features that you already have as a user of Windows Vista or XP SP2.

First off, let me give you a link to Apple’s official listing of its new security features. I would never begrudge someone better security, so it’s nice to see Apple catching up.

  • Tagging downloaded applications. This has been in Windows since at least Internet Explorer 6.
  • Signed applications. Authenticode 2.0 was introduced with IE 4.
  • Application-based firewall. Introduced with XP SP2. (Apple’s implementation in Leopard has already come under criticism, as evidenced in articles at Heise Security on Oct. 29 and Nov. 11.)
  • Stronger encryption for disk images. Windows EFS has supported 256-bit AES for several years.
  • Enhanced VPN client compatibility. This looks more like a behind-the-scenes feature than a user feature, so I can’t tell exactly what the Windows equivalent is. Of course, Windows is typically the first target for any VPN client, so it might be a moot point.
  • Sharing and collaboration configuration. Sounds just like Active Directory share permissions.
  • Sandboxing. Here we have a feature that I don’t see a built-in Windows equivalent for. Sure, there are things like the Java VM and .NET managed code, but this is a little different. Score one for Apple, if it works well.
  • Multiple user certificates. You can certainly do multiple certificates in Thunderbird, my e-mail client of choice. I believe Outlook can, too, but I’d have to do some experiments to verify that.
  • Enhanced smartcard capabilities. Windows has had good smartcard integration since at least Windows 2000.
  • Library randomization. This was added to Visual Studio 2005 SP1 only a year or so ago, according to Microsoft developer Michael Howard, so Apple’s not too far behind on this one.
  • Windows SMB packet signing. Of course, if Windows didn’t have this in the first place, then OS X wouldn’t need it at all. (The technique digitally signs packets, so an eavesdropper on the network can’t read and/or use the data, as explained in an article by Microsoft security architect Jesper Johansson.)
I can’t help you if you hate Leopard because it’s beautiful. But that’s in the eye of the beholder. The looks don’t do much for me. I don’t have much use for Vista yet, either. But Vista at least adds some new security enhancements, too.

Shatter attacks not ‘fixed’ until Vista

All of the above is not to imply that Microsoft is perfect, of course. I don’t let anyone off the hook.

In a PDF presentation at the 2003 Black Hat Briefings, Chris Paget gave the name “shatter attack” to a class of Windows vulnerabilities. In brief, just about any Windows process can send “messages” to any other, possibly allowing security bypass.

This article is part of our paid content.


YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. We skip an issue on the 5th Thursday of any month, the week of Thanksgiving, and the last two weeks of August and December. Windows Secrets is a continuation of four merged publications: Brian's Buzz on Windows and Woody's Windows Watch in 2004, the LangaList in 2006, and the Support Alert Newsletter in 2008.

Publisher: WindowsSecrets.com, 1218 Third Ave., Suite 1515, Seattle, WA 98101 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor in chief: Tracey Capen. Senior editors: Fred Langa, Woody Leonhard. Copyeditor: Roberta Scholz. Program director: Tony Johnston. Contributing editors: Yardena Arar, Susan Bradley, Scott Dunn, Michael Lasky, Scott Mace, Ryan Russell, Lincoln Spector, Robert Vamosi, Becky Waring. Product manager: Andy Boyd. Advertising director: Eric Gilley.

