NEWS FROM THE LAB - Tuesday, July 20, 2010

Update on Security Advisory 2286198 Posted by Sean @ 09:26 GMT

Microsoft has updated Security Advisory 2286198 and it now clarifies that:

"The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed."

Displayed is the important keyword. This is good and addresses our earlier concerns.

However, the advisory still reads that:

"For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled."

This is still inaccurate. Or at least, it's not accurate enough. We know what Microsoft is trying to say, but we think some folks might misinterpret it. It would be better to state that AutoPlay functionality for removable disks is automatically LIMITED.

Take a look at our Windows 7 test machine, which had been hardened. This is a button in the AutoPlay Control Panel:

Windows 7 AutoPlay defaults

"Reset all defaults."

So we opted to restore the defaults:

Windows 7 AutoPlay defaults

"Use AutoPlay for all media and devices" is now enabled. That's ALL media and devices.

This is the dialog that was presented when a USB flash drive containing multimedia files was inserted into the Windows 7 system:

Windows 7 AutoPlay defaults

The highlighted option is "Open folder to view files."

So what is disabled? AutoPlay? No. Windows 7 AutoPlay isn't disabled, rather, it doesn't include the OPTION to set a default ACTION for removable disks.

But in the case of the LNK vulnerability, one click, and you're at risk, by DEFAULT.

Windows 7 AutoPlay is a significant improvement compared to Windows XP AutoPlay. In fact, it is probably a near-perfect balance of security and functionality… for consumers.

However, businesses and organizations at risk from targeted attacks are a different story. They should fully disable AutoPlay.
As we noted in our previous post, social engineering tricks have targeted AutoPlay.

For example, this is one of Conficker's methods of attack:

Windows 7 AutoPlay and Conficker

Conficker's autorun.inf file used a Windows system folder icon in its efforts to be the first option presented. One click, and you'll launch the autorun.inf. Clever trick, eh?

Here's another theoretical AutoPlay issue (not a vulnerability). USB storage devices can include a partition formatted as a Virtual CD.

In this case, the partition is treated as a regular CD by AutoPlay.

Windows 7 AutoPlay and Virtual CD

When we wrote the Virtual CD post back in June, it seemed highly unlikely that we'd see it deliberately used in a targeted attack. We thought it was much more likely to affect someone due to a compromise in the manufacturing process; that the Virtual CD would be infected in the master copy at the factory.

But now, considering the Stuxnet case, which uses a zero-day flaw, signed drivers, and targets Siemens SIMATIC WinCC databases… maybe the idea of a Virtual CD attack isn't so far-fetched after all. Clearly there's some very motivated espionage in play.

Bottom line: If you're an IT manager with Windows 7 systems in your network, disable AutoPlay.
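As an added example (not from the original post, and not Microsoft's or F-Secure's code), here is a PowerShell audit-and-enforce script for the "disable AutoPlay" recommendation above. It assumes the standard Explorer policy values that the "Turn off AutoPlay" and "Default behavior for AutoRun" Group Policy settings write: NoDriveTypeAutoRun = 0xFF and NoAutorun = 1.

```powershell
# Added example: audit and enforce a fully disabled AutoPlay policy on Windows 7.
# Assumed registry semantics (standard Explorer policy values):
#   NoDriveTypeAutoRun = 0xFF -> "Turn off AutoPlay" for all drive types
#   NoAutorun          = 1    -> "Do not execute any autorun commands"
# Run in an elevated PowerShell session; for a fleet, deploy the same values via Group Policy.

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoPlayPolicyState {
    # Returns one object per hive describing whether AutoPlay is fully disabled there.
    foreach ($key in $PolicyKeys) {
        $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $noDrive = [int]$props.NoDriveTypeAutoRun   # $null becomes 0 (nothing disabled)
        $noAuto  = [int]$props.NoAutorun
        [pscustomobject]@{
            Key                = $key
            NoDriveTypeAutoRun = ('0x{0:X2}' -f $noDrive)
            NoAutorun          = $noAuto
            # 0xFF masks every drive type; a smaller mask (the 0x91 Windows default, for
            # instance) still leaves removable disks like the one in the post eligible.
            FullyDisabled      = (($noDrive -band 0xFF) -eq 0xFF) -and ($noAuto -eq 1)
        }
    }
}

function Disable-AutoPlayPolicy {
    # Writes the two policy values into both hives, creating the key if it is absent.
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
        New-ItemProperty -Path $key -Name NoAutorun -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Audit first; uncomment the next line to enforce, then re-run the audit.
# Disable-AutoPlayPolicy
Get-AutoPlayPolicyState | Format-Table -AutoSize
```

Note that this only removes the AutoPlay prompt discussed above; the shortcut parsing flaw itself fires whenever the icon is displayed, so the advisory's own workarounds still apply.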

Updated to add: Microsoft has updated their advisory. Our latest post has the details.