Date: 26 February 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0178 -- [Win]
Update for Windows Autorun
26 February 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:            Microsoft Windows 2000 Service Pack 4
                    Windows XP Service Pack 2 and Windows XP Service Pack 3
                    Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
                    Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
                    Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
                    Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
                    Windows Vista and Windows Vista Service Pack 1
                    Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
                    Windows Server 2008 for 32-bit Systems
                    Windows Server 2008 for x64-based Systems
                    Windows Server 2008 for Itanium-based Systems
Publisher: Microsoft
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2008-0951
Original Bulletin:
http://www.microsoft.com/technet/security/advisory/967940.mspx
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory (967940)
Update for Windows Autorun
Published: February 24, 2009
Microsoft is announcing the availability of an update that corrects a
functionality feature that can help customers keep their systems protected.
The update corrects an issue that prevents the NoDriveTypeAutoRun registry key
from functioning as expected.
When functioning as expected, the NoDriveTypeAutoRun registry key can be used
to selectively disable Autorun functionality (e.g. AutoPlay, double-click, and
contextual menu features associated with Autorun) for drives on a user's
system and network. Disabling Autorun functionality can help protect customers
from attack vectors that involve the execution of arbitrary code by Autorun
when a CD-ROM, USB device, network share, or other media containing a file
system with an Autorun.inf file is inserted or connected.
We encourage Windows customers to review and install this update. This update
is available through automatic updating and from the download center. For more
information about this issue, including download links for this non-security
update, see Microsoft Knowledge Base Article 967715.
General Information
Overview
Purpose of Advisory: To provide clarification and notification of the
availability of a non-security update to correct the functionality of the
NoDriveTypeAutoRun registry key.
Advisory Status: Microsoft Knowledge Base Article and associated update were
released.
Recommendation: Review the referenced Knowledge Base Article and apply the
appropriate update.
References                          Identification
CVE Reference                       CVE-2008-0951
Microsoft Knowledge Base Article    967715
This advisory discusses the following software.
Related Software
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1*
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1*
Windows Server 2008 for 32-bit Systems*
Windows Server 2008 for x64-based Systems*
Windows Server 2008 for Itanium-based Systems*
* In order to take advantage of the registry key settings that disable
Autorun, customers running Windows Vista and Windows Server 2008-based
systems must install the security update provided in the MS08-038 (950582)
security bulletin.
Frequently Asked Questions
What is the scope of the advisory?
This advisory provides notification that the non-security update will also
be deployed via automatic updating and will continue to be offered in
Microsoft Knowledge Base Article 967715. This update affects the software
that is listed in the Overview section.
How do I disable Autorun?
There are two requirements for a system to disable Autorun capabilities: one
of the updates discussed in this advisory must be installed, and the
appropriate registry key value must be set for the features of Autorun that
are intended to be disabled. See Microsoft Knowledge Base Article 967715 for
information about how these updates are distributed as well as the specific
values required to disable Autorun capabilities for the different versions of
the operating systems.
Does this update change my current Autorun settings?
No. The update does not modify the current Autorun settings on your system.
Instead, the update allows users to properly enforce Autorun settings as
desired.
Is there a change in user experience after this update is installed?
After one of the updates discussed in this advisory has been installed, users
might notice Autorun features for network drives no longer function. This is
because, by default, Autorun on network drives is set to disabled in the
registry, and after the update is installed, the previously set registry key
to disable Autorun on network drives will be properly enforced. This is the
only functionality that will change by default after the update is installed.
Users will still need to update the registry key values to disable Autorun
functionality for USB and CD-ROM drives.
Is this a security vulnerability that requires Microsoft to issue a security
update?
No. Disabling the Autorun feature is an optional configuration that some
customers may choose to deploy. This feature is not appropriate for all
customers. For more information about this feature and how to appropriately
configure it, see Microsoft Knowledge Base Article 967715.
This is a security advisory about a non-security update. Isn't that a
contradiction?
Security advisories address security changes that may not require a security
bulletin but may still affect customers' overall security. Security advisories
are a way for Microsoft to communicate security-related information to
customers about issues that may not be classified as vulnerabilities and may
not require a security bulletin, or about issues for which no security
bulletin has been released. In this case, we are communicating the
availability of an update that affects your ability to perform subsequent
updates, including security updates. Therefore, this advisory does not address
a specific security vulnerability; rather, it addresses your overall security.
If systems already have the update offered in Knowledge Base Article 953252
installed, does this update need to be installed as well?
No. Systems that have installed the update offered in Microsoft Knowledge Base
Article 953252 will not need the update offered in Microsoft Knowledge Base
Article 967715. Systems with the update offered in Microsoft Knowledge Base
Article 953252 installed already have the version of the update that correctly
respects the registry key values to disable Autorun. The update that is
offered in Microsoft Knowledge Base Article 967715 contains the same update,
but was deployed via automatic updating.
Why are there two places to get this update?
These updates are available in two places due to the way the updates were
originally offered. The updates that were offered in Microsoft Knowledge Base
Article 953252 were not available from automatic updating (including Automatic
Updates, Windows Update, and Windows Server Update Services) and therefore
required users to manually find these updates and install them. The updates
that are offered in Microsoft Knowledge Base Article 967715 contain the same
updates that correctly respect the registry key values to disable Autorun as
in Microsoft Knowledge Base Article 953252, but are being distributed via
automatic updating.
If systems already have the updates from Knowledge Base Article 953252
installed, will they also be offered updates from Knowledge Base Article 967715?
No. Automatic updating will check to see if the system already contains the
fix that correctly respects the registry key values to disable Autorun
capabilities as offered by Microsoft Knowledge Base Article 953252. If the
fixed code is present, users will not be reoffered the updates from Microsoft
Knowledge Base Article 967715 because, although Microsoft Knowledge Base
Article 953252 was not deployed via automatic updating, both updates
contain the same changes.
Do the updates offered in Knowledge Base Article 953252 or Knowledge Base
Article 967715 disable Autorun capabilities?
No. The updates that are offered correctly respect the registry key values to
disable Autorun capabilities. These updates do not change the registry key
values and will continue to respect values that were already set before either
of these updates was installed. If the registry values were not set before
installing these updates, then the registry key settings will have to be set
appropriately in order to disable Autorun capabilities.
Can group policy be used to change the registry settings in order to disable
Autorun functionality?
Yes. Systems that have the update installed can have the registry key
settings set manually, or use group policy in an enterprise environment, to
disable Autorun capabilities. For more information on how to set these
registry settings and the specific values, which depend on the operating
system, see Microsoft Knowledge Base Article 967715.
Where are the updates for Windows Vista and Windows Server 2008?
The fix to correct the issue described in this advisory for Windows Vista and
Windows Server 2008 was rolled into the update provided by security bulletin
MS08-038. In order to take advantage of the registry key settings that disable
Autorun, customers running Windows Vista and Windows Server 2008-based systems
must install the security update provided in the MS08-038 (950582) security
bulletin.
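The FAQ above sets out two conditions that must both hold before Autorun is really off: one of the enforcing updates (KB 967715, KB 953252, or the MS08-038 package KB 950582 on Vista and Server 2008) must be installed, and the NoDriveTypeAutoRun value must be set for the drive types you want covered; the update itself never changes the value, and an unset value leaves USB and CD-ROM Autorun enabled. The PowerShell audit script below checks both conditions on a host. It is an added example written for this page, not code from Microsoft or AusCERT. The registry location, the bit meanings, the 0xFF "all drive types" value and the 0x91 default assumed for a host with no value set are taken from Microsoft's documentation of NoDriveTypeAutoRun, not from this bulletin; Knowledge Base Article 967715 remains the authoritative source for the per-version values.

```powershell
# Added example (not from the Microsoft advisory or the AusCERT bulletin):
# audit whether Autorun is actually disabled on a Windows host, i.e. whether
#   (1) one of the updates named in the advisory is installed, and
#   (2) the NoDriveTypeAutoRun value disables the drive types you care about.
#
# Assumptions (from Microsoft's documentation of the value, not this bulletin):
# the value lives under ...\Policies\Explorer in HKLM (machine policy, takes
# precedence) or HKCU; it is a bit mask in which a SET bit DISABLES Autorun for
# that drive type; 0xFF disables every type; and a host with no value set
# behaves as 0x91 (the Windows XP SP2 and later default).

$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'DRIVE_UNKNOWN' },
    @{ Bit = 0x02; Name = 'DRIVE_NO_ROOT_DIR' },
    @{ Bit = 0x04; Name = 'DRIVE_REMOVABLE (USB sticks, floppies)' },
    @{ Bit = 0x08; Name = 'DRIVE_FIXED (hard disks)' },
    @{ Bit = 0x10; Name = 'DRIVE_REMOTE (network shares)' },
    @{ Bit = 0x20; Name = 'DRIVE_CDROM' },
    @{ Bit = 0x40; Name = 'DRIVE_RAMDISK' },
    @{ Bit = 0x80; Name = 'reserved (drives of unspecified type)' }
)

# Updates named in the advisory; any one of them makes the value honoured.
# KB950582 is the MS08-038 package that carries the fix for Vista/Server 2008.
$RequiredUpdates = @('KB967715', 'KB953252', 'KB950582')

function Get-NoDriveTypeAutoRun {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($item -and $null -ne $item.NoDriveTypeAutoRun) {
            return @{ Source = $path; Value = [int]$item.NoDriveTypeAutoRun }
        }
    }
    # Nothing set in either hive: fall back to the assumed built-in default.
    return @{ Source = '(value not set; built-in default 0x91 assumed)'; Value = 0x91 }
}

function Get-InstalledAutorunUpdates {
    # Win32_QuickFixEngineering, via Get-HotFix; HotFixID is e.g. "KB967715".
    $found = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $RequiredUpdates -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID }
    return @($found)
}

function Show-AutorunStatus {
    param([int]$WantDisabled = 0xFF)   # by default, expect every drive type disabled

    $policy  = Get-NoDriveTypeAutoRun
    $updates = Get-InstalledAutorunUpdates

    "NoDriveTypeAutoRun = 0x{0:X2} from {1}" -f $policy.Value, $policy.Source
    if ($updates.Count -eq 0) {
        "WARNING: none of $($RequiredUpdates -join ', ') is installed; the value above is not reliably enforced."
    } else {
        "Enforcing update present: $($updates -join ', ')"
    }

    foreach ($type in $DriveTypeBits) {
        $disabled = ($policy.Value -band $type.Bit) -ne 0
        $state    = if ($disabled) { 'disabled' } else { 'ENABLED' }
        $flag     = if ((-not $disabled) -and (($WantDisabled -band $type.Bit) -ne 0)) { '  <-- not as required' } else { '' }
        "  0x{0:X2}  {1,-40} Autorun {2}{3}" -f $type.Bit, $type.Name, $state, $flag
    }

    # Lines that disable Autorun for every drive type once imported as a .reg
    # file (the same value can be pushed with Group Policy in a domain).
    ''
    'To disable Autorun for all drive types, import a .reg file containing:'
    'Windows Registry Editor Version 5.00'
    '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]'
    '"NoDriveTypeAutoRun"=dword:000000ff'
}

Show-AutorunStatus
```

Run it in an elevated PowerShell session on the host being audited; the per-type table is what to compare against the values in Knowledge Base Article 967715, and a host that reports the assumed 0x91 default will show network shares disabled but USB and CD-ROM drives still enabled, which is exactly the state the FAQ describes after the update alone is installed. The `-WantDisabled` mask lets you audit against a narrower policy (for example removable and CD-ROM only) rather than the all-drives value.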
Suggested Actions
Review the Microsoft Knowledge Base Article that is associated with this
advisory
We encourage customers to install this update. Customers who are interested in
learning more about this update should review Microsoft Knowledge Base Article
967715.
For more information about the terminology that appears in this advisory, such
as update, see Microsoft Knowledge Base Article 824684.
Resources:
You can provide feedback by completing the form at Microsoft Help and
Support: Contact Us.
Customers in the United States and Canada can receive technical support from
Microsoft Product Support Services. For more information about available
support options, see Microsoft Help and Support.
International customers can receive support from their local Microsoft
subsidiaries. For more information about how to contact Microsoft for
international support issues, visit International Support.
Microsoft TechNet Security provides additional information about security in
Microsoft products.
Disclaimer:
The information provided in this advisory is provided "as is" without warranty
of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
February 24, 2009: Advisory published
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFJphf2NVH5XJJInbgRAgUfAJ0V16Ij5tAS+1tgW8IN0GqkdUbq2ACfVE58
1KblNy8WzZRcY5H24yzmrUk=
=k69d
-----END PGP SIGNATURE-----