As Microsoft diligently prepares to launch Windows 7, it will be working hard to fix all the holes in the OS before its launch; one hole that has yet to be fixed is an exploit using the AutoPlay feature for USB drives. The Register reports that the exploit works by creating a malicious autorun.inf file and loading it onto a USB peripheral. When a user opens the AutoPlay menu, it may appear that they are only opening a folder on the USB device when they are actually installing malicious software on their computer.
This exploit currently works on both Windows Vista and the Windows 7 beta. Microsoft is still developing Windows 7, so there is a good probability that this hole will be patched when the OS launches sometime later this year.
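
A defender can check removable media for the pattern described above before AutoPlay ever shows it. The following is an added example, not code from the article or from Microsoft: it parses the `[autorun]` section of an autorun.inf and flags a media-supplied entry that launches a program while its caption copies a built-in AutoPlay option. The caption list, sample files and function names are assumptions made for the illustration.

```python
import re

# Captions of built-in AutoPlay options, as quoted in the comments on this page.
BUILTIN_CAPTIONS = ("open folder", "play video", "import pictures")
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed samples (not taken from any real device).
SAMPLE_DECEPTIVE = ("[autorun]\nopen=setup.exe\n"
                    "action=Open folder to view files\nicon=folder.ico\n")
SAMPLE_PLAIN = "[autorun]\nicon=drive.ico\nlabel=Backup disk\n"

def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def normalise(caption):
    """Lower-case, collapse whitespace and drop punctuation before comparing."""
    collapsed = re.sub(r"\s+", " ", caption.lower())
    return re.sub(r"[^a-z ]", "", collapsed).strip()

def audit_autorun(text):
    """Return a list of findings for one autorun.inf."""
    entries = parse_autorun(text)
    launch = sorted(k for k in entries if k in LAUNCH_KEYS
                    or (k.startswith("shell\\") and k.endswith("\\command")))
    findings = []
    if launch:
        findings.append("launches a program: " + ", ".join(launch))
    action = normalise(entries.get("action", ""))
    if launch and any(action.startswith(c) for c in BUILTIN_CAPTIONS):
        findings.append("action text imitates a built-in AutoPlay option")
    return findings

if __name__ == "__main__":
    for name, sample in (("deceptive", SAMPLE_DECEPTIVE), ("plain", SAMPLE_PLAIN)):
        print(name, audit_autorun(sample))
```
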

I guess what they are saying is that the autoplay icon could be an icon of a file folder, but the description would still say "Run Whatever.EXE" so I don't see the problem. This is the kind of thing real-time virus protection is for, which by the way is rumored to be included for free with the Windows Live Pack once Windows 7 comes out!
It will ask you if you want to run the program or not.
Calling this a virus is like saying sometimes when opening a .exe file it could be secretly installing something else; it's just the very nature of how it works. I think it's unpatchable - but an alternative means of "autoplaying" could be created.
You zip or rar it, send it, he reverses the process. They even made a nifty right click file > zip/rar function around XP time.
Also, "The Register"? Please...
It's quite pathetic when somewhat respectable news sites post Register articles.
Best comment thus far.
The article is saying that "it may appear that they are only opening a folder on the USB device when they are actually installing malicious software." We all know that if we ask autoplay to run a program from the flash drive it could be a virus. But with this exploit you could be choosing the "Open folder to view files" option from autoplay and still be running a virus.
This could be fixed by making it obvious which autoplay options are the "safe" default Windows options like Open folder, Play video, Import pictures, etc. And warning users when they're choosing an autoplay option that was added by the autorun.inf file on the media itself.
The dialog even says "Install or run program" - and has another "Open folder to view files" option under the "General Options" section. These should be decent clues to careful users, at least.
Last edited by Brandon Live on 21 Jan 2009 - 17:43
http://blog.getpaint.net/2008/11/15/an-exp...not-an-exploit/
You have to click "Allow" in UAC privileges right?
UAC would be required if the exe wanted to do anything that required admin privilege.
However, the ability to specify arbitrary text and an arbitrary icon in the AutoPlay dialog makes this kind of social engineering trivially simple. If the payload file were called, say, WindowsExplorer.exe, the user would be prompted by UAC to run WindowsExplorer.exe. And if a way could be found to override the "Publisher not specified" entry on the AutoPlay dialog and/or the "Unknown Publisher" entry on the UAC dialog, the deception would be mighty convincing.
Honestly, this article is a joke and a poor Microsoft bashing attempt. If you want to make this article seem like anything less of a joke, you can start by renaming it "How to avoid being duped by a fake autorun program."
There's nothing wrong with Autorun. It allows the display of a program's name and icon on purpose, so that software can display their own program launchers. That program can choose to display any name and icon it wants, including a folder icon and the name "Open Folder" if it wanted to mislead the user. However, a program CANNOT alter its own application subtitle, it cannot remove the already-default "Open Folder" option from the context menu, and it also cannot bypass the UAC prompt. This method is an attempt to exploit the ignorance of the user, NOT the operating system.
You might have said trojan horse and been closer, but it has nothing to do with emails and credit card information.