Security Now 187

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 187

Security Now 187: Fixing Autorun

News & Errata

08:00 - 14:20

Name - Security Now

14:21 - 17:56

  • Windows updates this week.
  • Still no fix for the Microsoft Excel flaw, rumour is it will be patched out of cycle.
  • Parsing bug in Windows Metafile.

17:57 - 21:55

  • Adobe acrobat V9 has been patched. No patch for any prior versions yet expected around the 18th March, 2009.
  • Rumours are that non Adobe PDF readers, such as Foxit, may also be vulnerable to the same exploit.
  • Disabling JavaScript is no longer a way to prevent this exploit.

21:56 - 22:40

  • Updates for Mozilla software available.

22:41 - 22:59

  • Updates for Opera available.

23:00 - 28:07

  • Updates for Winamp available.
  • Exploiting software is now big business.
  • Foxit Software claims that Foxit Reader is not vulnerable to the Adobe Reader exploit but there is an update available.

28:08 - 30:16

  • All top level .gov DNS servers are now running DNS SEC.

30:17 - 32:32

  • The new tigger trojan specifically targets employees and clients of stock brokers

32:33 - 42:00

  • Conficker worm discovered in November 2008, infected 11.4 million PC's.
  • Now at major version C.
  • Hard to contain as they use an algorithm to determine what domain name to go to on a given day to receive instructions.
  • The original version could deal with 250 domains and researchers had to discover these domains and take them out of service first.
  • The C version increases it to 50,000 domains.
  • Today 3 million IP addresses are contacting these domains a day.
  • The B version spreads through open network shares by trying 240 common passwords and can propagate through USB memory sticks by infecting the autorun.inf file.
  • Until the February update even if autorun was disabled it could still run.

Spinrite Story

42:01 - 46:00
A listener has used Spinrite to fix friends computers but not his. He runs spinrite on his drives quarterly and on new drives before they are put to use. So far he has never had any issues with his drives.

Fixing Autorun

48:33 - 01:09:00

  • Before the update autorun configuration did not work. I.e. even if you disabled it you could force media to autorun.
  • Microsoft never offered the autorun update through windows update for any OS other than Server 2008 and Vista due to fearing it would break a lot of things for people. The B version of the Conficker worm exploiting the problems with autorun prompted them to publish the patch through windows update.
  • "Honour autorun setting = 1" as default after the update so that it still behaves in the old manner even with the update to minimise the amount of things that will break for people.

Auto run is controlled by a registry key called "NoDriveTypeAutorun" and the types that you don't want to autorun for are encoded in bits in the value of this registry key.

  • The 1 hex bit in the value disables Autoplay on drives of unknown type, the hex 80 bit does the same thing.
  • USB and Firewire drives are disabled if the hex 4 bit is set
  • Fixed hard drives are disabled by the hex 8 bit
  • CD-ROMs are governed by the 20 hex bit
  • RAM disks by the 40 hex bit.
  • Microsoft claim if you set the value to FF it disables everything. However this is not true.
  • You also need to set the value to FF in two other places.
  • The key in "current users" overrides any other setting.
  • XP, Vista and Server 2008 set this value to hex 91 as default which means unknown drives and network drives are disabled.
  • Windows 2000 and Server 2003 set this value to hex 95 as default which means unknown drives, network drives and removable drives are disabled.


Disabling autorun:




See Microsoft's Knowledge Base Article KB967715, microsoft provides easy executables to enable/disable autorun.


Nerds On Site


Production Information

Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.

  • Recorded Date: March 11, 2009
  • Release Date: March 12, 2009
  • Duration: 1:10:25
  • Log line:
  • Edited by: Tony
  • Notes: NA