Microsoft Windows fails to properly handle the NoDriveTypeAutoRun registry value, which may prevent Windows from effectively disabling AutoRun and AutoPlay features.
AutoRun, which was introduced with Windows 95, is a feature that causes Windows to automatically take an action when a removable media device is inserted. For example, when an AutoRun-enabled CD-ROM is inserted, Windows may automatically execute a program on that disc. This also holds true for U3-enabled USB devices, which emulate a CD-ROM device as well as provide USB mass storage capabilities. These devices can automatically execute code when they are inserted into a Windows system. The AutoRun action can also take place when the user clicks the icon for an AutoRun-enabled device. AutoRun is enabled by default in Windows. AutoPlay, which was introduced with Windows XP, extends AutoRun capabilities to also allow a menu to be presented to the user, which lists actions that the user may take. AutoRun and AutoPlay can be disabled by setting the CDRom Autorun registry value to 0 and also setting the NoDriveTypeAutoRun registry value to 0xFF. The NoDriveTypeAutoRun registry value is directly tied to the Group Policy setting for "Turn off Autoplay."
Microsoft Windows fails to properly handle the NoDriveTypeAutoRun registry value. According to Microsoft's documentation, setting NoDriveTypeAutoRun to 0xFF should disable AutoPlay for all types of drives. However, when this registry value is present, Vista enables some AutoPlay features that may not have been enabled prior to setting that registry value. For example, if NoDriveTypeAutoRun is set to 0xFF, Vista may execute a program specified in the Autorun.inf file when the device icon is clicked. Other values for NoDriveTypeAutoRun may also enable certain AutoPlay features in Vista. For Windows versions older than Vista, the NoDriveTypeAutoRun registry value is simply ignored with respect to certain AutoRun features. In other words, setting the value will not put the system at additional risk, but will not disable AutoRun completely.
Microsoft Windows may have some AutoPlay enabled, even though the Group Policy Editor and associated registry values indicate otherwise. This may allow an attacker to cause a user to inadvertently execute arbitrary code on a removable device, such as a USB drive.
Apply an update
This vulnerability was reported by Will Dormann of the CERT/CC. Some details were provided by Jeff Gennari of the CERT/CC. Information about how to disable AutoRun was provided by Nick Brown and Emin Atac
This document was written by Will Dormann.
|Date First Published:||2008-03-20|
|Date Last Updated:||2009-04-14 17:48 UTC|