Microsoft Security Advisory (967940)

Update for Windows Autorun

Published: February 24, 2009 | Updated: August 25, 2009

Version: 1.1

Microsoft is announcing the availability of an update that corrects a functionality issue and can help customers keep their systems protected. The update corrects a problem that prevented the NoDriveTypeAutoRun registry key from functioning as expected.

When functioning as expected, the NoDriveTypeAutoRun registry key can be used to selectively disable Autorun functionality (for example AutoPlay, the double-click action, and the contextual menu entries associated with Autorun) for the drives on a user's system and network. Disabling Autorun functionality can help protect customers from attack vectors in which Autorun executes arbitrary code when a CD-ROM, USB device, network share, or other media containing a file system with an Autorun.inf file is inserted or connected.

We encourage Windows customers to review and install this update. This update is available through automatic updating and from the download center. For more information about this issue, including download links for this non-security update, see Microsoft Knowledge Base Article 967715.

Microsoft has revised this advisory to notify users of an update to Autorun that restricts AutoPlay functionality to CD-ROM and DVD-ROM media. This update is intended to stop AutoPlay functionality from working on USB drives, external hard drives, or network shares. This update is available for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. For more information about this update as well as the download links, see Microsoft Knowledge Base Article 971029.

General Information

Overview

Purpose of Advisory: To provide clarification and notification of the availability of a non-security update to correct the functionality of the NoDriveTypeAutoRun registry key.

Advisory Status: Microsoft Knowledge Base Article and associated update were released.

Recommendation: Review the referenced Knowledge Base Article and apply the appropriate update.

References

  CVE Reference:                     CVE-2008-0951
  Microsoft Knowledge Base Article:  967715

This advisory discusses the following software.

Related Software

Microsoft Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista and Windows Vista Service Pack 1*

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1*

Windows Server 2008 for 32-bit Systems*

Windows Server 2008 for x64-based Systems*

Windows Server 2008 for Itanium-based Systems*

*In order to take advantage of the registry key settings that disable Autorun, customers running Windows Vista and Windows Server 2008-based systems must install the security update provided in the MS08-038 (950582) security bulletin.

Frequently Asked Questions

What is the scope of the advisory?
This advisory provides notification that the non-security update will also be deployed via automatic updating and will continue to be offered in Microsoft Knowledge Base Article 967715. This update affects the software that is listed in the Overview section.

How do I disable Autorun? 
A system must meet two requirements for Autorun capabilities to be disabled: one of the updates discussed in this advisory must be installed, and the appropriate registry key value must be set for the Autorun features that are intended to be disabled. See Microsoft Knowledge Base Article 967715 for information about how these updates are distributed and for the specific values required to disable Autorun capabilities on the different versions of the operating system.

Does this update change my current Autorun settings? 
No. The update does not modify the current Autorun settings on your system. Instead, the update allows users to properly enforce Autorun settings as desired.

Is there a change in user experience after this update is installed? 
After one of the updates discussed in this advisory has been installed, users might notice Autorun features for network drives no longer function. This is because, by default, Autorun on network drives is set to disabled in the registry, and after the update is installed, the previously set registry key to disable Autorun on network drives will be properly enforced. This is the only functionality that will change by default after the update is installed. Users will still need to update the registry key values to disable Autorun functionality for USB and CD-ROM drives.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. Disabling the Autorun feature is an optional configuration that some customers may choose to deploy. This feature is not appropriate for all customers. For more information about this feature and how to appropriately configure it, see Microsoft Knowledge Base Article 967715.

This is a security advisory about a non-security update. Isn’t that a contradiction?
Security advisories address security changes that may not require a security bulletin but may still affect a customer's overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that affects your ability to enforce the Autorun configuration you have chosen through the NoDriveTypeAutoRun registry key. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security.

If systems already have the update offered in Knowledge Base Article 953252 installed does this update need to be installed as well?
No. Systems that have installed the update offered in Microsoft Knowledge Base Article 953252 will not need the update offered in Microsoft Knowledge Base Article 967715. Systems with the update offered in Microsoft Knowledge Base Article 953252 installed already have the version of the update that correctly respects the registry key values to disable Autorun. The update that is offered in Microsoft Knowledge Base Article 967715 contains the same update, but is deployed via automatic updating.

Why are there two places to get this update?
These updates are available in two places because of the way the updates were originally offered. The updates that were offered in Microsoft Knowledge Base Article 953252 were not available from automatic updating (including Automatic Updates, Windows Update, and Windows Server Update Services) and therefore required users to manually find and install them. The updates that are offered in Microsoft Knowledge Base Article 967715 contain the same changes that correctly respect the registry key values to disable Autorun as in Microsoft Knowledge Base Article 953252, but are distributed via automatic updating.

If systems already have the updates from Knowledge Base Article 953252 installed will they also be offered updates from Knowledge Base Article 967715?
No. Automatic updating will check whether the system already contains the fix that correctly respects the registry key values to disable Autorun capabilities, as offered by Microsoft Knowledge Base Article 953252. If the fixed code is present, users will not be re-offered the updates from Microsoft Knowledge Base Article 967715 because, although Microsoft Knowledge Base Article 953252 was not deployed via automatic updating, both updates contain the same changes.

Do the updates offered in Knowledge Base Article 953252 or Knowledge Base Article 967715 disable Autorun capabilities?
No. The updates that are offered correctly respect the registry key values that disable Autorun capabilities. These updates do not change the registry key values and will continue to respect values that were set before either of these updates was installed. If the registry values were not set before installing these updates, the registry key values will have to be set appropriately in order to disable Autorun capabilities.

Can group policy be used to change the registry settings in order to disable Autorun functionality?
Yes. Systems that have the update installed can have the registry key values set manually, or by group policy in an enterprise environment, to disable Autorun capabilities. For more information on how to set these registry values, and the specific values required for each operating system, see Microsoft Knowledge Base Article 967715.
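As an added example (not part of this advisory or of Knowledge Base Article 967715), the PowerShell below inspects and sets the NoDriveTypeAutoRun value that the update makes Windows honor. It covers both the "How do I disable Autorun?" question and the group policy question above. The following are assumptions drawn from general Windows documentation rather than from this page: the machine-wide value lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (a per-user copy under HKCU is overridden by it); each bit of the value disables Autorun for one drive type as listed in the script; 0xFF disables Autorun for every drive type; and the built-in default on these Windows versions is 0x91, which is why network drives (bit 0x10) are disabled by default as the advisory describes. The function names are the example's own.

```powershell
# Added example (not from the advisory or KB967715): inspect and set the
# NoDriveTypeAutoRun bitmask that the update makes Windows honor.
# Run in an elevated PowerShell session (PowerShell 2.0 syntax so it works on
# XP/2003 as well as Vista/2008). On Vista/2008 the MS08-038 (950582) update
# must be installed first, as the advisory states.

# Assumption: machine-wide policy location; HKLM overrides a per-user HKCU copy.
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Assumed bit layout of NoDriveTypeAutoRun: a set bit disables Autorun for that
# drive type. 0xFF disables all of them.
$DriveTypeBits = @(
    @{ Name = 'Unknown';   Bit = 0x01 },
    @{ Name = 'Removable'; Bit = 0x04 },   # USB sticks, floppy disks
    @{ Name = 'Fixed';     Bit = 0x08 },   # internal and external hard disks
    @{ Name = 'Network';   Bit = 0x10 },   # mapped network shares
    @{ Name = 'CDROM';     Bit = 0x20 },   # CD-ROM / DVD-ROM
    @{ Name = 'RAMDisk';   Bit = 0x40 },
    @{ Name = 'Unknown2';  Bit = 0x80 }
)

function Get-AutorunPolicy {
    # Returns the current machine-wide NoDriveTypeAutoRun value, or $null if it
    # has never been set (Windows then applies its built-in default, assumed 0x91).
    $item = Get-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun `
                             -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Show-AutorunPolicy {
    param([int]$Value)
    # Decodes the bitmask so you can see which drive types still have Autorun enabled.
    foreach ($entry in $DriveTypeBits) {
        $disabled = ($Value -band $entry.Bit) -ne 0
        $state = if ($disabled) { 'disabled' } else { 'ENABLED' }
        '{0,-10} 0x{1:X2}  Autorun {2}' -f $entry.Name, $entry.Bit, $state
    }
}

function Set-AutorunPolicy {
    param([int]$Value = 0xFF)   # 0xFF = disable Autorun for every drive type
    # Creates the policy key if it is missing and writes the DWORD value.
    if (-not (Test-Path $ExplorerPolicy)) {
        New-Item -Path $ExplorerPolicy -Force | Out-Null
    }
    Set-ItemProperty -Path $ExplorerPolicy -Name NoDriveTypeAutoRun -Value $Value -Type DWord
}

# Report the effective setting. Pass an explicit value to Show-AutorunPolicy to
# decode any mask, e.g. the assumed default: Show-AutorunPolicy -Value 0x91
$current = Get-AutorunPolicy
if ($null -eq $current) {
    'NoDriveTypeAutoRun is not set under HKLM; the built-in default applies (assumed 0x91):'
    Show-AutorunPolicy -Value 0x91
} else {
    'NoDriveTypeAutoRun = 0x{0:X2}' -f $current
    Show-AutorunPolicy -Value $current
}

# Uncomment to enforce the "disable everywhere" setting (applied at next logon):
# Set-AutorunPolicy -Value 0xFF
```

Run the script once after the update to confirm that the value you expect is actually present, since the advisory notes the update itself does not change any registry values. In a domain, the same DWORD is what the "Turn off Autoplay" setting under Computer Configuration\Administrative Templates\System writes (policy name and location taken from the Group Policy editor, not from this advisory); running the script on a test machine after gpupdate shows exactly which drive types the policy covered.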

Where are the updates for Windows Vista and Windows Server 2008?
The fix to correct the issue described in this advisory for Windows Vista and Windows Server 2008 was rolled into the update provided by security bulletin MS08-038. In order to take advantage of the registry key settings that disable Autorun, customers running Windows Vista and Windows Server 2008-based systems must install the security update provided in the MS08-038 (950582) security bulletin.

Suggested Actions

Review the Microsoft Knowledge Base Article that is associated with this advisory

We encourage customers to install this update. Customers who are interested in learning more about this update should review Microsoft Knowledge Base Article 967715.

For more information about the terminology that appears in this advisory, such as update, see Microsoft Knowledge Base Article 824684.

Resources:

You can provide feedback by completing the form at Microsoft Help and Support: Contact Us.

Customers in the United States and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see Microsoft Help and Support.

International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.

Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions: 

V1.0 (February 24, 2009): Advisory published.

V1.1 (August 25, 2009): Summary revised to notify users of an update to Autorun that restricts AutoPlay functionality to CD-ROM and DVD-ROM media, available for Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 from Microsoft Knowledge Base Article 971029.

