Smokey's Security Weblog

veritas odium parit

Windows Vista “NoDriveTypeAutoRun” Security Issue

Windows Vista Security Bypass: AutoPlay is a feature designed to immediately begin reading from a drive (e.g. run a setup file) when media is inserted. According to Microsoft, this feature can be disabled for all drives by setting the “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun” registry value to “0xFF”. However, because Windows Vista fails to properly handle this registry value, programs may still be executed automatically when media is inserted, even with the value set to “0xFF”.

Successful exploitation may result in execution of arbitrary code, but requires physical access to a vulnerable system or a user who is tricked into inserting malicious media (e.g. a USB device).

Although this bypass is restricted to local systems, you should pay attention to the issue and take appropriate measures, e.g. restricting access to affected systems and not inserting any untrusted media, even with the registry value set to disable AutoPlay for all drives.

Note: there is no patch available for this bypass.
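To see what the policy is actually set to on a machine, the following read-only PowerShell audit decodes the NoDriveTypeAutoRun bitmask per drive type. It is an added example, not part of the original post or its sources; the function name `Get-NoDriveTypeAutoRun` is hypothetical, and the per-bit meanings and the extra HKCU check come from Microsoft's documentation of this value rather than from the post.

```powershell
# Added example: read-only audit of the configured NoDriveTypeAutoRun policy.
# Bit meanings follow Microsoft's documented drive-type mask (not from the post).
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown drive type' }
    @{ Bit = 0x04; Name = 'Removable drives' }
    @{ Bit = 0x08; Name = 'Fixed drives' }
    @{ Bit = 0x10; Name = 'Network drives' }
    @{ Bit = 0x20; Name = 'CD-ROM drives' }
    @{ Bit = 0x40; Name = 'RAM disks' }
    @{ Bit = 0x80; Name = 'Unknown drive type (high bit)' }
)

# Hypothetical helper: returns the low byte of the value, or $null if unset.
function Get-NoDriveTypeAutoRun {
    param([Parameter(Mandatory = $true)][ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $prop = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    $raw = $prop.NoDriveTypeAutoRun
    # Defensive: if the value was stored as binary data, use its first byte.
    if ($raw -is [byte[]]) { return [int]($raw[0]) }
    return ([int]$raw -band 0xFF)
}

foreach ($hive in 'HKLM', 'HKCU') {
    $mask = Get-NoDriveTypeAutoRun -Hive $hive
    if ($null -eq $mask) {
        Write-Output "${hive}: NoDriveTypeAutoRun is not set"
        continue
    }
    Write-Output ("{0}: NoDriveTypeAutoRun = 0x{1:X2}" -f $hive, $mask)
    foreach ($entry in $DriveTypeBits) {
        $state = if ($mask -band $entry.Bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ("    {0,-30} AutoRun {1}" -f $entry.Name, $state)
    }
    if ($mask -eq 0xFF) {
        # Per the post: on Windows Vista, 0xFF alone did not reliably stop
        # programs from running automatically, so this is not proof of safety.
        Write-Output '    0xFF is configured; on Vista still treat inserted media as untrusted.'
    }
}
```

The script reports configuration only; it cannot confirm that Vista honours the setting, which is the gap the post describes.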

Sources: US-CERT, Secunia.

March 22, 2008 - Posted by | Alerts, Friends, Recommended External Security Related Links
