Deeper insight into the Security Advisory 967940 update

18 Feb

Read­ing time: 4 — 6 minutes

Hello!  I am Adam Shostack, a pro­gram man­ager work­ing in TWC secu­rity, and I would like to talk a lit­tle about today’s AutoRun update.   Nor­mally I post on the SDL blog, but of late I have done a lot of work in the clas­si­fi­ca­tion and quan­ti­fy­ing how Win­dows com­put­ers get com­pro­mised.  One thing that came from this analy­sis, the per­cent­age of infected machines with mal­ware using Autorun to propagate.

You may notice that it is a con­vo­luted sen­tence and I apol­o­gize.  Why can’t I just say “infected because of AutoRun?”  Well, because we do not actu­ally know that.  Due to the nature of the prob­lem, it is prob­a­bly not pos­si­ble to acquire a great deal of data about the num­ber of attacks that will suc­ceed by mis­us­ing Autorun.   What we know, and talked about in vol­ume 9 of our Secu­rity Intel­li­gence report last fall that a lot of mal­ware using Autorun as one of sev­eral prop­a­ga­tion mech­a­nisms.  Because of the very real pos­i­tive uses of Autorun will we not just to turn it off with­out a con­ver­sa­tion. We trøde on the other hand, steps must be taken to close the abuse.

In April 2009 we deliv­ered a very pub­lic mes­sage on the Win­dows ecosys­tem that we change behav­ior for Autorun in ways, such as improved secu­rity. We Blogged about the progress of this tran­si­tion, post­ing “AutoRun changes in Win­dows 7″ in April 2009.  In Novem­ber 2009, we posted “Auto­Play Win­dows 7 behav­ior back­ported” and we put out an update to do the same with older oper­at­ing sys­tems. We made this update is avail­able from the Down­load Cen­ter. Be allowed whom you want to update to search it and down­load it your­self. Our part­ners expressed their con­cern about the change, but under­stood the major rea­sons for it.  In the last few years incor­po­rated com­pa­nies nec­es­sary for the func­tion­al­ity U3 func­tion­al­ity in their devices.  Other doc­u­mented change.  Over­all, the tran­si­tion is not sim­ple, but it has worked.

Today we take another impor­tant step to pro­tect our cus­tomers. We put the exist­ing update in Win­dows Update chan­nel.  This change has three impor­tant consequences:

We pro­vide the exist­ing update to many more machines;We make it eas­ier to deploy via WSUS;We help these organ­i­sa­tions as a ques­tion of their pol­icy, only broadly deploy updates in WU.

We are mark­ing this as an “impor­tant non-security update”.  It may seem a lit­tle strange to call this a “non-security update”, espe­cially as we pro­vide it together with our Feb­ru­ary bul­letins.   But at Microsoft we are reserv­ing the term “secu­rity update” is defined as “a broadly released fix for a product-specific secu­rity vul­ner­a­bil­ity.”  And it would be odd to refer to Autorun as a vul­ner­a­bil­ity.  The term is gen­er­ally used, and we use it, means acci­den­tal func­tion­al­ity that allows a per­son to vio­late the secu­rity of the sys­tem.  But Autorun is not an accident–it is by design, and as men­tioned we care about the very real pos­i­tive uses of the func­tion. In other words, in a very real sense, it is not an error, it is a fea­ture and we doc­u­mented it as such.

Nor is it a secu­rity update because secu­rity updates are designed to solve a prob­lem and all known vari­ants.   There are more prob­lem­atic when the “prob­lem” is a func­tion that is used as intended, and so this update will not switch off the func­tion entirely.  It affects, for exam­ple, not “shiny media” such as CDs or DVDs con­tain­ing the Autorun files. We are aware that some­one could write mal­ware to take advan­tage of it, but we have not seen it in the wild. (We also believe mal­ware on Shiny Media would be less likely to have wide­spread impact, because peo­ple burn CDs less often than Insert the USB drive.)

Based on what we’ve learned in the last 22 months and shared in the SIR, now is the right time to bring this update to a broad audi­ence. (MMPC blog today has addi­tional insight into this aspect of this update). At the same time, that we are aware that some cus­tomers pre­fer exist­ing Autorun func­tion­al­ity and to reverse the effects.  Then we have a Fix avail­able that achieve that.

Change the behav­ior of a run­ning sys­tem is never a triv­ial thing, and we take it very seri­ously.  It would be a bad result for peo­ple to think they can do a you dis­tri­b­u­tion between secu­rity and some­thing else.  Updates to pro­tect against vul­ner­a­bil­i­ties is an impor­tant part of keep a sys­tem secure.  We had to be very sure that this change was the right bal­ance for most people.


Related posts: