On Tuesday US-CERT, the United States Computer Emergency Readiness Team, warned that the instructions given by Microsoft to disable AutoRun, a protective measure to prevent infection by the "Downadup" worm, are ineffective and erroneous.
AutoRun, when enabled, tells Windows to automatically run any program specified in the "autorun.inf" on a removeable storage device (like s flash drive). "Downadup" creates an autorun.inf file at the root directory of any USB-based device it finds connected to the infected machine. When that removeable storage device is then inserted into another PC, the computer is infected without user interaction.
While Microsoft has recommended, as have security experts, that users disable Autorun as an anti-"Downadup" measure, US-CERT warned
that Microsoft's instructions were flawed.
The Autorun and NoDriveTypeAutorun registry values are both ineffective for fully disabling AutoRun capabilities on Microsoft Windows systems. Setting the Autorun registry value to 0 will not prevent newly connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed. According to Microsoft, setting the NoDriveTypeAutorun registry value to 0xFF "disables Autoplay on all types of drives." Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer.
US-CERT was correct in the former case, but in the latter, if Windows Vista and Server 2008 users have update 950582 installed, the NoDriveTypeAutorun registry key will work as specified. However, disturbingly, as US-CERT indicated in an update, Windows XP, 2000 and Server 2003 users must install the update manually
An obvious feature request for Windows 7: let's make disabling of this functionality something that doesn't require a registry change. Either that, or Microsoft should supply a registry file that users can import into their registry to disable the behavior. For many editing the registry is both too complex and too risky.