Security Watch

Run, Virus, Run

Autorun disabled on USB and connected devices via update. Plus: IE9 keeps eyes on strangers; Symantec looks at security in Q4.

The blogosphere is buzzing about an Autorun update Redmond rolled out last Patch Tuesday. Included in this month's patch release is a security advisory that gives details on disabling Autorun functionality for all media except CDs and DVDs.

"As portable media devices such as USB memory drives, music players and external hard drives have seen a sharp increase in popularity over the last several years, we have also seen a resurgence in sneakernet attacks, where malware is manually propagated by users carrying rewritable media from network to network," said Joshua Talbot, security intelligence manager, Symantec Security Response.

Usually an update staving off attacks of this kind is a good thing. But apparently it's not a question of whether the update works but how to install it. Gregg Keizer of Computerworld and Paul Thurrott at Windows IT Pro both claim that Microsoft incorrectly stated that "customers with automatic updating enabled will not need to take any action because this update will be downloaded and installed automatically."

Both Keizer and Thurrott say that because the Autorun advisory is not a full-blooded patch but in fact an optional update pushed out through Windows/Microsoft Update, it isn't being installed automatically and needs to be installed manually.

For its part and perhaps to avoid such issues entirely (to say nothing of the security threats), Microsoft has gone so far as to obliterate the Autorun feature in Windows 7.

Adam Shostack, Program Manager at Microsoft, said recently in a blog post that Redmond didn't want to shut off Autorun "without a conversation," but on the other hand "we believed action should be taken to shut down the misuse."

IE 9 RC Boasts Better Security
Last year in San Francisco, when Internet Explorer 9 beta came out to big fanfare, one of the lauded features was its improved security. Specifically, Dean Hachamovitch, Microsoft's corporate vice president of Internet Explorer, said at the time that a "stranger danger" function would stave off malware and corrupt apps during IE 9 browsing sessions.

Security continues to get better with Internet Explorer 9 Release Candidate.

Aside from integrating the SmartScreen Filter (introduced in IE 8) and Download Manager, which will cross-reference trusted sites and non-trusted sites during a session, there's the new "tracking protection list." The TPL is mainly a function to shore up privacy by enabling users to choose to visit only certain Web sites if users click on a link or type in an address. Clicking directly on a link or typing in the actual address of the intended Web site seems elementary, but when users do this the TPL kicks in to help prevent browser activity tracking, which some advertisers and makers of scareware and "malvertising" use to follow user movements in an IE session.

With all the recent browser-based bugs that have plagued IE 6, 7 and to a lesser extent IE 8, it will be interesting to see how IE 9 security holds up to the brave new world of exploits when it finally ships.

Security software giant Symantec is mighty busy this week as RSA kicks off. In addition to releasing new information on the pesky Stuxnet worm that went all "gangsta" on Windows systems last year, Symantec released their Q4 Symantec Intelligence Quarterly Report during RSA.

Symantec sees a scary world out there: "The customization of targeted attacks can make them more dangerous than non-targeted attacks because they are tailored explicitly to affect a target group," such as businesses and critical infrastructure such as power plants. According to the company's intelligence, motivations for such customized attacks can range from "stealing confidential information for profit, to interfering with day-to-day operations, to mischief."

One of the more alarming findings is that the possibility of cyber warfare is becoming increasingly real. Symantec says "disruption of critical services, these vulnerabilities may be associated with politically motivated or state-sponsored attacks."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
