Conflicker Worm - Microsoft's fault or not?

AutoRun patch a long time coming for XP users

Nearly 18 months after it was discovered, Microsoft has finally fixed a hole in the AutoRun function of older Windows versions that allowed viruses to spread via external storage devices.

While it's good to know Microsoft is finally listening to the complaints of the Windows community, the company's delay in applying important patches put our systems at risk unnecessarily.

The more noise customers make, the more likely the problems will be rectified. Most recently, the Conficker worm has been spreading across networks, often entering systems via USB flash drives and other removable media. Shamefully, Microsoft could have — and should have — prevented this massive infection from happening in the first place.

In October 2007, Nick Brown documented in his blog how viruses and worms were entering his network via USB memory sticks. Fast-forward to one year ago. Will Dormann and US-CERT (the United States Computer Emergency Readiness Team) published information on Mar. 20, 2008, confirming that Microsoft's AutoRun advice didn't block threats.

In July 2008, Microsoft released security bulletin MS08-038. The patch in this bulletin made it possible for users to control AutoRun properly, but only on Windows Vista and Server 2008.

So what happened to the equivalent patch for Windows 2000, XP, and Server 2003? In May 2008, Microsoft had in fact released a patch for these systems, which is described in Knowledge Base article 953252. However, as described in a Jan. 22, 2009, Computerworld article, US-CERT found that the fix for XP/2000/2003 had to be applied manually. Furthermore, Microsoft was not making the patch available automatically via any Windows Update service.

It wasn't until Feb. 24 of this year that Microsoft distributed this patch via Windows Update to XP, 2000, and 2003. This is described in the company's security advisory 967940.

Many home and business PC users rarely deploy patches that aren't available through Windows Update, Microsoft Update, or WSUS (Windows Software Update Services). Add to this the confusing and conflicting information about the AutoRun patch, and it's no wonder the Conficker worm, which exploits AutoRun functionality, made the inroads that it did.

You may be wondering why it took Microsoft so long to distribute for XP/2000/2003 users the fix that permits AutoRun to be properly disabled. One clue may be found in the file versions listed in KB article 967715. The Windows Server 2003 files are dated Feb. 10, 2009. Typically, Microsoft doesn't release a fix for one platform if it's still developing a fix for another platform. This is done to avoid putting one set of customers at risk while protecting others.

That's usually a valid reason to wait before distributing patches. But when you open up the files described in the earlier KB article 953252, you find that all the files in that hotfix date back to mid-2008.

Why did it take an admonition from CERT to convince Microsoft to add this vital fix to Automatic Updates for those versions of Windows? To make things even more confusing, the way Microsoft released the XP/2000/2003 fix at the end of February caused many people to think it was an out-of-cycle security patch.

For home users, I'm not yet ready to pull the fire alarm and tell everyone to disable AutoRun. But I do urge you to be very leery of plugging USB flash drives into your system if you're unsure whether they've been used on other computers. Large organizations, however, should consider disabling AutoRun on their networked PCs, considering how hard it's been to stomp out the Conficker worm and others.

So do you think if this patch had been pushed to all Windows users sooner, much of Conficker's pain might have been avoided?