Tuesday, January 20, 2009

US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA09-020A


Microsoft Windows Does Not Disable AutoRun Properly

Original release date: January 20, 2009
Last revised: --
Source: US-CERT


Systems Affected

* Microsoft Windows


Overview

Disabling AutoRun on Microsoft Windows systems can help prevent the
spread of malicious code. However, Microsoft's guidelines for
disabling AutoRun are not fully effective, which could be
considered a vulnerability.


I. Description

Microsoft Windows includes an AutoRun feature, which can
automatically run code when removable devices are connected to the
computer. AutoRun (and the closely related AutoPlay) can
unexpectedly cause arbitrary code execution in the following
situations:

* A removable device is connected to a computer. This includes, but
is not limited to, inserting a CD or DVD, connecting a USB or
Firewire device, or mapping a network drive. This connection can
result in code execution without any additional user interaction.

* A user clicks the drive icon for a removable device in Windows
Explorer. Rather than exploring the drive's contents, this action
can cause code execution.

* The user selects an option from the AutoPlay dialog that is
displayed when a removable device is connected.

Malicious software, such as W32.Downadup, is using AutoRun to
spread. Disabling AutoRun, as specified in the CERT/CC
Vulnerability Analysis blog, is an effective way of helping to
prevent the spread of malicious code.

The Autorun and NoDriveTypeAutorun registry values are both
ineffective for fully disabling AutoRun capabilities on Microsoft
Windows systems. Setting the Autorun registry value to 0 will not
prevent newly connected devices from automatically running code
specified in the Autorun.inf file. It will, however, disable Media
Change Notification (MCN) messages, which may prevent Windows from
detecting when a CD or DVD is changed. According to Microsoft,
setting the NoDriveTypeAutorun registry value to 0xFF "disables
Autoplay on all types of drives." Even with this value set, Windows
may execute arbitrary code when the user clicks the icon for the
device in Windows Explorer.


II. Impact

By placing an Autorun.inf file on a device, an attacker may be able
to automatically execute arbitrary code when the device is
connected to a Windows system. Code execution may also take place
when the user attempts to browse to the software location with
Windows Explorer.
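To show what such an Autorun.inf looks like and how a responder can spot one, here is an added PowerShell example that is not part of the US-CERT alert. It parses the [autorun] section using the directive names from the MSDN "Autorun.inf Entries" reference listed in Section IV, separates keys that launch something (open, shellexecute, shell\<verb>\command) from keys that only dress up the AutoPlay entry so it looks like "Open folder to view files" (shell, action, label, icon), and can be pointed at the removable and optical drives on a host. The function names are this example's own, and the sample file at the end is constructed for illustration, not a real worm's file.

```powershell
# Added example (not from the US-CERT alert): parse an Autorun.inf and report
# the directives that cause code execution or disguise it.

function Get-AutorunDirectives {
    param([Parameter(Mandatory)][string[]]$Content)

    $execKeys = 'open', 'shellexecute'      # directly name something to run
    $findings = @()
    $section  = ''

    foreach ($raw in $Content) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(?<name>[^\]]+)\]$') {                 # [section] header
            $section = $Matches.name.ToLowerInvariant()
            continue
        }
        if ($section -ne 'autorun') { continue }                    # only [autorun] is honoured
        if ($line -notmatch '^(?<key>[^=]+)=(?<value>.*)$') { continue }
        $key   = $Matches.key.Trim().ToLowerInvariant()
        $value = $Matches.value.Trim()

        if ($execKeys -contains $key -or $key -match '^shell\\[^\\]+\\command$') {
            # open=/shellexecute= run on AutoRun; shell\<verb>\command runs when
            # that verb is chosen, and 'shell=<verb>' makes it the double-click default.
            $findings += [pscustomobject]@{ Key = $key; Value = $value; Kind = 'executes' }
        }
        elseif ($key -eq 'shell' -or $key -like 'shell\*' -or 'action', 'label', 'icon' -contains $key) {
            # No code runs from these, but they control the text and icon the user
            # sees in AutoPlay and Explorer, which is how worms disguise the entry.
            $findings += [pscustomobject]@{ Key = $key; Value = $value; Kind = 'disguises' }
        }
    }
    return $findings
}

function Test-RemovableDrives {
    # Look for Autorun.inf on every removable (DriveType 2) or CD/DVD (5) drive.
    Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 -or $_.DriveType -eq 5 } | ForEach-Object {
        $inf = "$($_.DeviceID)\autorun.inf"
        if (Test-Path -LiteralPath $inf) {
            Write-Host "== $inf"
            Get-AutorunDirectives (Get-Content -LiteralPath $inf) | Format-Table -AutoSize
        }
    }
}

# Constructed sample in the style of a memory-stick worm's Autorun.inf (not a real file).
$sample = @'
[autorun]
; comment lines are ignored
open=RECYCLER\setup.exe
shell\open=&Open
shell\open\Command=RECYCLER\setup.exe
shell\explore\command=RECYCLER\setup.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
'@ -split "`r?`n"

Get-AutorunDirectives $sample | Format-Table -AutoSize
# Run Test-RemovableDrives on a live host to check the media actually attached.
```

The point of separating "executes" from "disguises" is that the second group is what makes the AutoPlay option described in Section I convincing: the action and icon lines make a worm's entry indistinguishable from the built-in "Open folder to view files" choice.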


III. Solution

Disable AutoRun in Microsoft Windows

To effectively disable AutoRun in Microsoft Windows, import the
following registry value:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

To import this value, perform the following steps:

* Copy the text
* Paste the text into Windows Notepad
* Save the file as autorun.reg (select "All Files" as the file type
so that Notepad does not append a .txt extension)
* Navigate to the file location
* Double-click the file to import it into the Windows registry

Microsoft Windows can also cache the AutoRun information from
mounted devices in the MountPoints2 registry key. We recommend
restarting Windows after making the registry change so that any
cached mount points are reinitialized in a way that ignores the
Autorun.inf file. Alternatively, the following registry key may be
deleted (it is stored per user, so it must be deleted for each user
profile that has mounted devices, which is why a restart is simpler):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Once these changes have been made, all of the AutoRun code
execution scenarios described above will be mitigated because
Windows will no longer parse Autorun.inf files to determine which
actions to take. Further details are available in the
CERT/CC Vulnerability Analysis blog. Thanks to Nick Brown and Emin
Atac for providing the workaround.
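As an added example that is not part of the original alert, here is the same workaround expressed as a PowerShell script to be run from an elevated (Administrator) session: it writes the IniFileMapping default value from the REGEDIT4 text above, reads it back to confirm, additionally sets the NoDriveTypeAutoRun policy value discussed in Section I (which on its own does not stop the Explorer double-click case, so it is a supplement, not a substitute), and clears the current user's cached MountPoints2. The function names are this example's own; the registry paths are the ones named in the alert plus the standard Explorer policy key.

```powershell
# Added example (not from the US-CERT alert): apply and verify the Autorun.inf
# IniFileMapping workaround with PowerShell instead of importing a .reg file.
# Requires an elevated session because it writes under HKLM.

$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-AutorunInfMapping {
    # Equivalent of the REGEDIT4 text in Section III: the key's default value
    # "@SYS:DoesNotExist" redirects every Autorun.inf lookup to a registry key
    # that does not exist, so the file's contents are never consulted.
    if (-not (Test-Path -LiteralPath $mapKey)) {
        New-Item -Path $mapKey -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $mapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunInfMapping {
    # $true only if the default value reads back exactly as written.
    if (-not (Test-Path -LiteralPath $mapKey)) { return $false }
    $v = (Get-ItemProperty -LiteralPath $mapKey).'(default)'
    return ($v -eq '@SYS:DoesNotExist')
}

function Set-NoDriveTypeAutoRunAll {
    # Also set the documented policy value to 0xFF ("all drive types"). The
    # alert notes this does not cover the Explorer double-click scenario, so
    # it complements the IniFileMapping entry rather than replacing it.
    if (-not (Test-Path -LiteralPath $policy)) {
        New-Item -Path $policy -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $policy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Clear-CachedMountPoints {
    # Explorer caches per-device AutoRun data under the current user's
    # MountPoints2 key; remove it so devices seen before are re-evaluated.
    # This is per user, so other profiles keep their cache until a restart.
    $mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (Test-Path -LiteralPath $mp) {
        Remove-Item -LiteralPath $mp -Recurse -Force
    }
}

Set-AutorunInfMapping
Set-NoDriveTypeAutoRunAll
Clear-CachedMountPoints
if (Test-AutorunInfMapping) {
    Write-Output 'Autorun.inf mapping in place; restart Windows so cached mount points are rebuilt.'
} else {
    Write-Warning 'Autorun.inf mapping was not applied; confirm this session is elevated.'
}
```

Test-AutorunInfMapping is the check worth keeping in a compliance script: a host where the default value is missing or has been changed back is one where Autorun.inf files are being parsed again.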


IV. References

* The Dangers of Windows AutoRun -
<http://www.cert.org/blogs/vuls/2008/04/the_dangers_of_windows_autorun.html>

* US-CERT Vulnerability Note VU#889747 -
<http://www.kb.cert.org/vuls/id/889747>

* Nick Brown's blog: Memory stick worms -
<http://nick.brown.free.fr/blog/2007/10/memory-stick-worms>

* TR08-004 Disabling Autorun -
<http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx>

* How to Enable or Disable Automatically Running CD-ROMs -
<http://support.microsoft.com/kb/155217>

* NoDriveTypeAutoRun -
<http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/91525.mspx>

* Autorun.inf Entries -
<http://msdn.microsoft.com/en-us/library/bb776823(VS.85).aspx>

* W32.Downadup -
<http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99>

* MS08-067 Worm, Downadup/Conflicker -
<http://www.f-secure.com/weblog/archives/00001576.html>

* Social Engineering Autoplay and Windows 7 -
<http://www.f-secure.com/weblog/archives/00001586.html>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-020A Feedback VU#889747" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

January 20, 2009: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSXYqQnIHljM+H4irAQL9EAgAwE5XWd+83CTwTl1vAbDW3sNfCaucmj79
VmXJ+GktQorbcp29fktYaQxXZ2A6qBREJ1FfwlM5BT0WftvGppLoQcQO3vbbwEQF
M0VG5xZhTOi8tf4nedBDgDj0ENJBgh6C73G5uZfVatQdFi79TFkf9SVe6xn5BkQm
5kKsly0d/CX/te15zZLd05AJVEVilbZcECUeDVAYDvWcQSkx2OsJFb+WkuWI9Loh
zkB7uOeZFY9bgrC04nr9DPHpaPFd8KCXegsxjqN1nIraaCabfvNamriqyUFHwAhK
sk/DFSjdI6xJ4fXjDQ77wfgLYyTeYQ/b2U/1sqkbOTdCgXqSop5RrA==
=6/cp
-----END PGP SIGNATURE-----
