Two Approaches to Securing Autorun and AutoPlay in Windows: Page 3
Touting the Microsoft Line
Despite all of its advantages (recall the third paragraph of this article), the Brown/Atac approach gets no respect.
In the Windows Secrets newsletter, where Scott Dunn recommended it back in 2007, Susan Bradley suggested removing it in March 2009.
She argued that since Microsoft had finally gotten the bugs out of their implementation, Windows users should convert from the Brown/Atac scheme to the Microsoft way. Bradley offers advice on backing out the Brown/Atac changes, installing a patch from Microsoft and three different ways to disable autorun, depending on the version of Windows (unlike the Microsoft approach, the Brown/Atac modification works exactly the same in all versions of Windows).
I'm a big fan of Steve Gibson and his Security Now podcast. But, his March 2009 podcast on autorun was devoid of any mention of the Brown/Atac approach. Somehow his research missed the original article by Nick Brown, Scott Dunn's article, the US-CERT warnings, Leo Notenbooms's article and my previous blogs. Instead, he chose to focus exclusively on the NoDriveTypeAutoRun registry key.
In an indictment of the Microsoft approach, Gibson pointed out that you could follow their published documentation to the letter and still be vulnerable to autorun worms. He found that it was controlled in two different places in the registry and Microsoft only documented one registry location. The location they ignored turns out to over-ride the one they describe. Oops.
He also complains about how Microsoft had just changed the way autorun works, but only for Windows Vista and Server 2008.
"... because of the nature of the way this was done, it ends up being extremely complicated because then they said, well, the problem is, if we push this out, and the behavior changes so that it's now correct, that may break things in a way that people don't want. So we're going to add another registry key to the already convoluted registry key that we'll talk about in a second, and which is still not documented correctly, called Honor Autorun Setting. Which they will default to a 1, meaning true, meaning yes, honor the Autorun setting which we have now fixed so that it really works. But in doing so it may have broken some things. So you now have the option of turning that off, if you want the pre-fixed behavior which sort of worked, but not really."
Brian Krebs, who writes the Security Fix column in the Washington Post also fails to mention the Brown/Atac option. Back in December 2008 he offered advice for disabling autorun that was incomplete, to say the least.
Discussing the Microsoft approach just recently he wrote that "... previous fixes were found to be half-baked, or in some cases the fix wouldn't take." Yet, does not offer an alternative.
Spread the Word
When even well-meaning techies are unaware of, or ignore, the Brown/Atac approach, we need to spread the word. Hopefully this article contributes to that.
In the mean time, you can do yourself a favor and update the registry using the Brown/Atac method. If it doesn't work out, then simply un-do the change. If we can just get more techies on board, Windows users would be safer.