Microsoft issues update to fix disabling Autorun

registry key from functioning as expected.

IT World has covered the update and US-CERT actually issued a security alert about the issue last month - Microsoft Windows Does Not Disable AutoRun Properly. The US-CERT article has guidance on disabling AUTORUN.INF completely via the IniFileMapping feature - something that Nick Brown covered back in 2007.

There are actually two knowledgebase articles that cover the issue and the update: How to correct “disable Autorun registry key” enforcement in Windows (967715) and How to correct “disable Autorun registry key” enforcement in Windows (953252). You’ll only need to read the first.

On Windows XP/2003 the update does two things - it updates SHELL32.DLL and creates the registry value HonorAutorunSetting under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. You can download the updates here:

For Windows Vista and Windows Server 2008, this issue was addressed in Microsoft Security Bulletin MS08-038, released July last year. You’ve deployed that update, right?
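To check whether a machine is actually in the state these updates are meant to enforce, here is a small PowerShell audit/remediation script. This is an added example, not code from the original post or from Microsoft's knowledgebase articles; the function names and the `-Enforce` usage are my own. It reads the HonorAutorunSetting value described above, the NoDriveTypeAutoRun policy value that it makes Windows honor, and the IniFileMapping redirection for Autorun.inf from the US-CERT/Nick Brown guidance.

```powershell
# Added example (not from the original post or the KB articles): audit, and optionally
# enforce, the "disable Autorun" settings discussed above. Function names are my own.

$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$IniMapping     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

function Test-AutorunHardening {
    # Reports the three settings that matter:
    #  - NoDriveTypeAutoRun = 0xFF : disable Autorun for every drive type
    #  - HonorAutorunSetting = 1   : created by KB967715 so the value above is honored
    #  - IniFileMapping\Autorun.inf default = '@SYS:DoesNotExist' : Autorun.inf parsing
    #    is redirected to a registry key that does not exist, so the file is never read
    $noDrive = Get-RegValue $ExplorerPolicy 'NoDriveTypeAutoRun'
    $honor   = Get-RegValue $ExplorerPolicy 'HonorAutorunSetting'
    $iniMap  = Get-RegValue $IniMapping '(default)'

    New-Object PSObject -Property @{
        NoDriveTypeAutoRun  = $noDrive
        HonorAutorunSetting = $honor
        AutorunInfMapping   = $iniMap
        AutorunDisabled     = (($noDrive -eq 0xFF) -and ($honor -eq 1))
        AutorunInfIgnored   = ($iniMap -eq '@SYS:DoesNotExist')
    }
}

function Set-AutorunHardening {
    # Needs an elevated session. Creates missing keys, then writes all three values.
    foreach ($key in @($ExplorerPolicy, $IniMapping)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun'  -Value 0xFF -Type DWord
    Set-ItemProperty -Path $ExplorerPolicy -Name 'HonorAutorunSetting' -Value 1    -Type DWord
    Set-ItemProperty -Path $IniMapping     -Name '(default)' -Value '@SYS:DoesNotExist' -Type String
}

# Usage: audit first; pass -Enforce (my own convention) to remediate.
param([switch]$Enforce)
if ($Enforce) { Set-AutorunHardening }
Test-AutorunHardening | Format-List
```

One caveat the post itself implies: on XP/2003 the HonorAutorunSetting value only does something once the updated SHELL32.DLL from the KB is installed, so a report showing AutorunDisabled = True on an unpatched machine is not proof that Autorun is actually off. The IniFileMapping redirection does not depend on the patch, which is why it is worth setting alongside the policy values.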

So the question is then, does Autorun have a place in corporate environments? I think the answer is no - a little tradeoff in usability for a big gain in security. Here are a few interesting articles by Steve Riley and Jesper Johansson on the subject:

If we only learn two things from Conficker, they should be patch early and disable Autorun. If you’re not on top of this, you could potentially leave yourself open for a world of hurt.