Executive Summary

Title: Update for Windows Autorun
Name: KB967940
Vendor: Microsoft
Severity (Vendor): N/A
Revision: 2.1
First vendor publication: 2009-02-24
Last vendor modification: 2011-02-22

Security-Database Scoring CVSS v3

CVSS vector: N/A (no CVSS v3 score has been assigned; base, impact, exploitability, temporal and environmental scores are all N/A)

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVSS Base Score     9.3    Attack Range        Network
CVSS Impact Score   10     Attack Complexity   Medium
CVSS Exploit Score  8.6    Authentication      None Required

Detail

Microsoft is announcing the availability of updates to the Autorun feature that help to restrict AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Restricting AutoPlay functionality to only CD and DVD media can help protect customers from attack vectors in which Autorun executes arbitrary code when a USB flash drive, a network share, or other non-CD and non-DVD media containing a file system with an Autorun.inf file is connected to the system.

Microsoft released the following updates related to this advisory.

  • The update released by Microsoft on February 24, 2009:

    Microsoft Knowledge Base Article 967715 describes an update that corrects an issue with the enforcement functionality that is used for disabling Autorun and that can help customers in keeping their systems protected. The update corrects an issue that prevents the NoDriveTypeAutoRun registry key from functioning as expected on supported editions of Windows XP and Windows Server 2003. This update is available through automatic updating and from the Microsoft Download Center and may be required on affected systems prior to installing later updates to the Autorun feature.

    Note: For all editions of Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008, in order to take advantage of the registry key settings that disable Autorun, customers must install the security update provided in the MS08-038 (950582) security bulletin.
  • The update released by Microsoft on August 25, 2009:

    Microsoft Knowledge Base Article 971029 describes an update to Autorun that restricts AutoPlay functionality to CD and DVD media. This update is intended to stop AutoPlay functionality from working on USB drives, external hard drives, or network shares. This update is available for supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update was originally available only from the Microsoft Download Center.
  • The update released by Microsoft on February 8, 2011:

    The update to Autorun described in Microsoft Knowledge Base Article 971029 is now available via automatic updating. Customers who have already installed the 971029 update manually will not be offered the update and do not need to take additional action.
  • The update released by Microsoft on February 22, 2011:

    Microsoft changed the deployment logic for the updates described in this advisory. This change in deployment logic is intended to minimize the user interaction required to install the updates on systems configured for automatic updating. With the change, typically no user action will be required to install the updates because automatic updating detects the configuration of the target system, downloads the updates, and installs the updates automatically or on a schedule specified by the user.

    Customers who have already installed the updates previously will not be offered the updates and do not need to take additional action.

General Information

Overview

Purpose of Advisory: To provide clarification and notification of the availability of non-security updates to correct the functionality of the NoDriveTypeAutoRun registry key and restrict the AutoPlay functionality on affected systems. These updates affect the software that is listed in the Related Software table below.

Advisory Status: Microsoft Knowledge Base Articles and associated updates were released.

Recommendation: Review the referenced Knowledge Base Articles and apply the appropriate updates.

References                          Identification
CVE Reference                       CVE-2008-0951
Microsoft Knowledge Base Article    967715
                                    971029

This advisory discusses the following software.

Related Software
Microsoft Windows 2000 Service Pack 4[1]
Windows XP Service Pack 2[1] and Windows XP Service Pack 3
Windows XP Professional x64 Edition[1] and Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1[1] and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition[1] and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems[1] and Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista[1][2], Windows Vista Service Pack 1[2], and Windows Vista Service Pack 2
Windows Vista x64 Edition[1][2], Windows Vista x64 Edition Service Pack 1[2], and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems[2] and Windows Server 2008 Service Pack 2
Windows Server 2008 for x64-based Systems[2] and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems[2] and Windows Server 2008 for Itanium-based Systems Service Pack 2

[1]These operating systems are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.

[2]For these operating systems, in order to take advantage of the registry key settings that disable Autorun, customers must install the security update provided in the MS08-038 (950582) security bulletin.

Frequently Asked Questions

Do these updates change my current Autorun settings?
Yes. Although the initial update offered by this advisory did not modify the current Autorun settings on your system (instead, the update allows users to properly enforce Autorun settings as desired), the update to Autorun described in Microsoft Knowledge Base Article 971029 restricts AutoPlay functionality to CD and DVD media.

How is user experience changed after these updates are installed?
After installing the initial update described in Microsoft Knowledge Base Article 967715, the default registry setting to disable Autorun on network drives is properly enforced.

After installing the 971029 update, customers may experience the following AutoPlay behavior:

  • Many existing devices in market, and many upcoming devices, use the Autorun feature with the AutoPlay dialog box to present and install software when DVDs, CDs, and USB flash drives are inserted. The AutoPlay behavior with CD and DVD media is not affected by this update.
  • Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB flash drives. Users will have to manually install the software. To do this, users click Open folder to view the files, browse to the software's setup program, and then double-click the setup program to run the program manually.
  • Some USB flash drives have firmware that presents them as CD drives when they are inserted into a computer. The AutoPlay behavior with these USB flash drives is not affected by this update.

How do I disable Autorun?
There are two requirements for disabling Autorun capabilities on a system: one of the updates discussed in this advisory must be installed, and the appropriate registry key value must be set for the Autorun features that are to be disabled. See Microsoft Knowledge Base Article 967715 for information about how these updates are distributed, as well as the specific values required to disable Autorun capabilities for the different versions of the operating systems.

If systems already have the update offered in Knowledge Base Article 953252 installed, does this update need to be installed as well?
No. Systems that have installed the update offered in Microsoft Knowledge Base Article 953252 will not need the update offered in Microsoft Knowledge Base Article 967715. Systems with the update offered in Microsoft Knowledge Base Article 953252 installed already have the version of the update that correctly respects the registry key values to disable Autorun. The update that is offered in Microsoft Knowledge Base Article 967715 contains the same update, but was deployed via automatic updating.

If systems already have the updates from Knowledge Base Article 953252 installed, will they also be offered updates from Knowledge Base Article 967715?
No. Automatic updating will check to see if the system already contains the fix that correctly respects the registry key values to disable Autorun capabilities, as offered by Microsoft Knowledge Base Article 953252. If the fixed code is present, users will not be reoffered the updates from Microsoft Knowledge Base Article 967715 because, although Microsoft Knowledge Base Article 953252 was not deployed via automatic updating, both updates contain the same changes.

Do the updates offered in Knowledge Base Article 953252 or Knowledge Base Article 967715 disable Autorun capabilities?
No. The updates that are offered correctly respect the registry key values to disable Autorun capabilities. These updates do not change the registry key values and will continue to respect values that were already set before either of these updates was installed. If the registry values were not set before installing these updates, then the registry key settings will have to be set appropriately in order to disable Autorun capabilities.

Can group policy be used to change the registry settings in order to disable Autorun functionality?
Yes. Systems that have the update installed can set the registry key settings manually or use group policy in an enterprise environment to disable Autorun capabilities. For more information on how to set these registry settings and the specific values depending on the operating system, see Microsoft Knowledge Base Article 967715.
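As an added audit example for the two FAQ entries above (this script is not from the advisory or from Microsoft), the following PowerShell reads the NoDriveTypeAutoRun value from the machine and user Explorer policy keys and reports which drive types still allow Autorun. The policy path, the drive-type bit layout of NoDriveTypeAutoRun, the HonorAutoRunSetting value for Windows XP/Server 2003 and the 0xFF "disable everywhere" mask are taken from Microsoft's documentation of KB967715, which this page cites but does not quote; treat them as assumptions to verify against that article.

```powershell
# Audit NoDriveTypeAutoRun (added example, not advisory text). A set bit
# disables Autorun for that drive type; a clear bit leaves it enabled.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Drive-type bits as documented for NoDriveTypeAutoRun (assumed from KB967715).
$DriveTypeBits = [ordered]@{
    0x04 = 'Removable (USB flash drive, floppy)'
    0x08 = 'Fixed (internal or external hard disk)'
    0x10 = 'Network share'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x80 = 'Unknown drive type'
}

function Get-AutorunPolicy {
    param([string]$Path)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $mask = $null; $honor = $null
    if ($props) { $mask = $props.NoDriveTypeAutoRun; $honor = $props.HonorAutoRunSetting }
    [pscustomobject]@{ Path = $Path; NoDriveTypeAutoRun = $mask; HonorAutoRunSetting = $honor }
}

function Show-AutorunExposure {
    param([int]$Mask)
    foreach ($bit in $DriveTypeBits.Keys) {
        $state = if ($Mask -band $bit) { 'disabled' } else { 'ALLOWED' }
        '{0,-40} Autorun {1}' -f $DriveTypeBits[$bit], $state
    }
}

foreach ($p in $PolicyPaths) {
    $pol = Get-AutorunPolicy -Path $p
    Write-Host "`n$($pol.Path)"
    if ($null -eq $pol.NoDriveTypeAutoRun) {
        Write-Host '  NoDriveTypeAutoRun not set: the operating system default applies'
        continue
    }
    Write-Host ('  NoDriveTypeAutoRun = 0x{0:X2}' -f $pol.NoDriveTypeAutoRun)
    Show-AutorunExposure -Mask $pol.NoDriveTypeAutoRun | ForEach-Object { "  $_" }
    # On XP / Server 2003 the value is only honored once KB967715 (or KB953252)
    # is installed and HonorAutoRunSetting = 1 is present.
    Write-Host ('  HonorAutoRunSetting = {0}' -f $pol.HonorAutoRunSetting)
}

# Remediation the FAQ refers to: 0xFF disables Autorun on every drive type.
# Uncomment to apply machine-wide from an elevated session.
# Set-ItemProperty -Path $PolicyPaths[0] -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
```

The same value can be pushed through Group Policy (the Explorer policy key is what the "Turn off Autoplay" setting writes), which is the enterprise route the FAQ answer above describes.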

Where are the updates for Windows Vista and Windows Server 2008?
The fix to correct the issue described in this advisory for Windows Vista and Windows Server 2008 was rolled into the update provided by security bulletin MS08-038. In order to take advantage of the registry key settings that disable Autorun, customers running Windows Vista and Windows Server 2008-based systems must install the security update provided in the MS08-038 (950582) security bulletin.

Suggested Actions

  • Review the Microsoft Knowledge Base Articles that are associated with this advisory

    We encourage customers to install these updates. Customers who are interested in learning more about these updates should review Microsoft Knowledge Base Article 967715 and Microsoft Knowledge Base Article 971029.

    For more information about the terminology that appears in this advisory, such as update, see Microsoft Knowledge Base Article 824684.

Original Source

Url : http://www.microsoft.com/technet/security/advisory/967940.mspx

CWE : Common Weakness Enumeration

%       Id       Name
100 %   CWE-94   Failure to Control Generation of Code ('Code Injection')

CPE : Common Platform Enumeration

Type   Description   Count
Os                   5

OpenVAS Exploits

Date         Description
2009-02-02   Name : Microsoft Autorun Arbitrary Code Execution Vulnerability (08-038)
             File : nvt/secpod_ms08-038.nasl

Open Source Vulnerability Database (OSVDB)

Id      Description
43434   Microsoft Windows Vista NoDriveTypeAutoRun Auto-Play Bypass