autopwn

Microsoft have recently released an advisory "Microsoft Security Advisory (2286198)Vulnerability in Windows Shell Could Allow Remote Code Execution" for a new 0-day that is currently being exploited.

While it can be exploited via network or webdav shares, it is removable drives that are the most likely vector for exploitation. A big part of that is our old friend, autorun, that has been the cause of problems before.

If you haven't yet disabled autorun in your organization, I strongly suggest you look into it. Microsoft have some details on how to accomplish this here:

Also I recently stumbled across this little gem from ex-MS (now Amazon) Security guru Steve Riley:

Well, it turns out that Windows will override this setting if you insert a USB drive that your computer has already seen. I received an email from Susan Bradley that links to an article on Nick Brown's blog, "Memory sitck worms." Nick mentions the MountPoints2 registry key, which keeps track of all USB drives your computer has ever seen. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.

Nick also includes a little hack that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. In addition to what I wrote earlier, you should also write a small script, and execute it through group policy, that deletes the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

I hadn't seen that registry key mentioned before, but it looks well worth investigating...

0 Response to "autopwn"

Post a Comment

powered by Blogger | WordPress by Newwpthemes | Converted by BloggerTheme