registry key from functioning as expected.
IT World has covered the update and US-CERT actually issued a security alert about the issue last month - Microsoft Windows Does Not Disable AutoRun Properly. The US-CERT article has guidance on disabling
AUTORUN.INF completely via the IniFileMapping feature - something that Nick Brown covered back in 2007.
There are actually two Knowledge Base articles that cover the issue and the update: How to correct “disable Autorun registry key” enforcement in Windows (967715) and How to correct “disable Autorun registry key” enforcement in Windows (953252). You’ll only need to read the first.
On Windows XP/2003 the update does two things - updates SHELL32.DLL and creates the registry value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HonorAutorunSetting. You can download the updates here:
- Update for Windows XP (KB950582)
- Update for Windows Server 2003 x64 Edition (KB950582)
- Update for Windows Server 2003 (KB950582)
- Update for Windows XP x64 Edition (KB950582)
- Update for Windows Server 2003 for Itanium-based Systems (KB950582)
- Update for Windows 2000 (KB950582)
For Windows Vista and Windows Server 2008, this issue was addressed in Microsoft Security Bulletin MS08-038, released in July last year. You’ve deployed that update, right?
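One way to audit a host for the settings discussed above, as an added example that is not from the original post or from Microsoft. The function name `Test-AutorunHardening` is hypothetical, and the expected values (`HonorAutorunSetting` = 1, `NoDriveTypeAutoRun` = 0xFF, and the `@SYS:DoesNotExist` IniFileMapping entry) are assumptions based on the Microsoft and US-CERT guidance, not values stated on this page. The `HonorAutorunSetting` check applies to Windows XP/2003 only.

```powershell
# Added example: report whether the Autorun hardening settings are in place.
# Expected values are assumptions drawn from Microsoft/US-CERT guidance.
$AutorunChecks = @(
    @{  # Created by the update on Windows XP/2003; makes the OS honor the policy
        Name     = 'HonorAutorunSetting'
        Key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value    = 'HonorAutorunSetting'
        Expected = 1
    },
    @{  # The "disable Autorun" policy itself; 0xFF covers every drive type
        Name     = 'NoDriveTypeAutoRun'
        Key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value    = 'NoDriveTypeAutoRun'
        Expected = 0xFF
    },
    @{  # IniFileMapping redirect: AUTORUN.INF is never read from disk
        Name     = 'IniFileMapping Autorun.inf'
        Key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
        Value    = ''                      # empty name = the key's default value
        Expected = '@SYS:DoesNotExist'
    }
)

function Test-AutorunHardening {
    foreach ($check in $AutorunChecks) {
        $actual = $null
        if (Test-Path -Path $check.Key) {
            # RegistryKey.GetValue returns $null when the value is absent
            $actual = (Get-Item -Path $check.Key).GetValue($check.Value)
        }
        $ok = ($null -ne $actual) -and ($actual -eq $check.Expected)

        New-Object PSObject -Property @{
            Check     = $check.Name
            Expected  = $check.Expected
            Actual    = $actual
            Compliant = $ok
        } | Select-Object Check, Expected, Actual, Compliant
    }
}

# Any row with Compliant = False needs attention.
Test-AutorunHardening | Format-Table -AutoSize
```

The script only reads the registry, so it can run without changing the host; it checks the machine-wide (HKLM) policy and does not inspect per-user values.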
So the question is then, does Autorun have a place in corporate environments? I think the answer is no - a little tradeoff in usability for a big gain in security. Here are a few interesting articles by Steve Riley and Jesper Johansson on the subject:
- Autorun: good for you?
- More on Autorun
- Security Watch: Island Hopping - The Infectious Allure of Vendor Swag
If we only learn two things from Conficker, they should be patch early and disable Autorun. If you’re not on top of this, you could potentially leave yourself open for a world of hurt.