newsbot
09-06-2010, 05:20 PM
Some folks read Wednesday's post about autorun-worm infected Samsung Wave microSD cards (http://www.f-secure.com/weblog/archives/00001959.html) and commented — thank goodness Windows 7 fixes that issue. Only optical media is allowed to AutoPlay on Windows 7, so USB devices can't spread autorun-worms.
Right?
Well, while Windows 7 does significantly improve the AutoPlay/AutoRun user experience, it isn't bulletproof. There's a small, not likely to be exploited, loophole.
Virtual CDs.
For example, Western Digital USB hard drives ship with Virtual CDs (http://www.f-secure.com/weblog/archives/western_digital_vcd.htm) on board to install WD's SmartWare software.
You can see the CD device here along with the Passport:
http://www.f-secure.com/weblog/archives/Windows_7_Autoplay_01.png
This is how a default Windows XP installation handles the Virtual CD's autorun.inf:
http://www.f-secure.com/weblog/archives/Windows_7_Autoplay_02.png
It just launches the installer program, no questions asked.
Now this is how Windows 7 AutoPlay handles the Virtual CD's autorun.inf:
http://www.f-secure.com/weblog/archives/Windows_7_Autoplay_03.png
The installer on the Virtual CD is the default option, but it doesn't launch.
On the plus side, AutoPlay functionality can easily be turned off in Windows 7:
http://www.f-secure.com/weblog/archives/Windows_7_Autoplay_04.png
Do note that this isn't a Windows 7 vulnerability.
From Microsoft's Security Research & Defense (http://blogs.technet.com/b/srd/archive/2009/04/28/autorun-changes-in-windows-7.aspx) blog: "It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see http://en.wikipedia.org/wiki/U3 for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level."
This is just a curiosity to be aware of — not a flaw.
Bottom-line, don't let Windows 7's improved handling of AutoPlay give you a false sense of security. There are more and more USB drives shipping with Virtual CDs, and sooner or later, one of them will be infected during the manufacturing process. On 04/06/10 At 01:12 PM
**Hidden Content: Check the thread to see hidden data.**
Right?
Well, while Windows 7 does significantly improve the AutoPlay/AutoRun user experience, it isn't bulletproof. There's a small, not likely to be exploited, loophole.
Virtual CDs.
For example, Western Digital USB hard drives ship with Virtual CDs (http://www.f-secure.com/weblog/archives/western_digital_vcd.htm) on board to install WD's SmartWare software.
You can see the CD device here along with the Passport:
http://www.f-secure.com/weblog/archives/Windows_7_Autoplay_01.png
This is how a default Windows XP installation handles the Virtual CD's autorun.inf:
http://www.f-secure.com/weblog/archives/Windows_7_Autoplay_02.png
It just launches the installer program, no questions asked.
Now this is how Windows 7 AutoPlay handles the Virtual CD's autorun.inf:
http://www.f-secure.com/weblog/archives/Windows_7_Autoplay_03.png
The installer on the Virtual CD is the default option, but it doesn't launch.
On the plus side, AutoPlay functionality can easily be turned off in Windows 7:
http://www.f-secure.com/weblog/archives/Windows_7_Autoplay_04.png
Do note that this isn't a Windows 7 vulnerability.
From Microsoft's Security Research & Defense (http://blogs.technet.com/b/srd/archive/2009/04/28/autorun-changes-in-windows-7.aspx) blog: "It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see http://en.wikipedia.org/wiki/U3 for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level."
This is just a curiosity to be aware of — not a flaw.
Bottom-line, don't let Windows 7's improved handling of AutoPlay give you a false sense of security. There are more and more USB drives shipping with Virtual CDs, and sooner or later, one of them will be infected during the manufacturing process. On 04/06/10 At 01:12 PM
**Hidden Content: Check the thread to see hidden data.**