Just curious whether we should follow Microsoft's [0] and Ubuntu's [1] lead and make it a policy to disable desktop autorun options by default. Note that this was one of the flaws that allowed Stuxnet to propagate to network-isolated machines.

So far, I've only checked xfce, and it has autorun enabled by default. If there is consensus that this would be a good thing, then I'll start submitting bugs. Not sure if it would be worth pushing this in a point update for the stable releases also?

Best wishes,
Mike

[0] http://www.itnews.com.au/News/247616,microsoft-says-rip-windows-xp-autorun.aspx
[1] http://www.outflux.net/blog/archives/2011/02/11/shaping-the-direction-of-research/
Yves-Alexis Perez
2011-Feb-14 09:14 UTC
[Secure-testing-team] Disabling autorun by default
On dim., 2011-02-13 at 23:18 -0500, Michael Gilbert wrote:
> So far, I've only checked xfce, and it has autorun enabled by default.
> If there is consensus that this would be a good thing, then I'll start
> submitting bugs. Not sure if it would be worth pushing this in a point
> update for the stable releases also?

Fwiw I've been considering a change in xfce for a long time now. I've made the change in pkg-xfce (for 4.8) already and proposed upstream (http://bugzilla.xfce.org/show_bug.cgi?id=7261) to change the default too (not only for security reasons; I find it annoying to have the thunar window pop up when I plug in a USB key).

In our svn (http://svn.debian.org/wsvn/pkg-xfce/goodies/branches/experimental/thunar-volman/debian/thunar-volman.xml) I've disabled all the enabled-by-default features (so automount for drives and media, autobrowse and autorun), but that's open for discussion (at least for automount; I think the two others should be left disabled by default).

I don't think that warrants a DSA, but if the RT wants a stable update for that I can prepare it.

Regards,
-- 
Yves-Alexis
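The thunar-volman change Yves-Alexis describes, as an added example that is not part of the thread and not pkg-xfce's own packaging: a constructed copy of the permissive default channel file next to a hardened one with automount, autobrowse and autorun all off, plus a small audit function that lists which insertion-triggered features a given channel file still enables. The property names (/automount-drives/enabled, /automount-media/enabled, /autobrowse/enabled, /autorun/enabled), the xfconf channel file layout, and the system-wide location /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/ are assumptions about thunar-volman for Xfce 4.8 and should be checked against the installed version.

```shell
#!/bin/sh
# Added example, not code from the thread or from pkg-xfce.
# Assumed: thunar-volman keeps its switches in the xfconf channel
# "thunar-volman" as /automount-drives/enabled, /automount-media/enabled,
# /autobrowse/enabled and /autorun/enabled, and system-wide defaults are read
# from /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/thunar-volman.xml.

# Constructed copy of the permissive default: every insertion-triggered
# feature is on, which is the behaviour the thread objects to.
PERMISSIVE_XML='<?xml version="1.0" encoding="UTF-8"?>
<channel name="thunar-volman" version="1.0">
  <property name="automount-drives" type="empty">
    <property name="enabled" type="bool" value="true"/>
  </property>
  <property name="automount-media" type="empty">
    <property name="enabled" type="bool" value="true"/>
  </property>
  <property name="autobrowse" type="empty">
    <property name="enabled" type="bool" value="true"/>
  </property>
  <property name="autorun" type="empty">
    <property name="enabled" type="bool" value="true"/>
  </property>
</channel>'

# Hardened default: nothing happens on insertion until the user asks for it.
HARDENED_XML='<?xml version="1.0" encoding="UTF-8"?>
<channel name="thunar-volman" version="1.0">
  <property name="automount-drives" type="empty">
    <property name="enabled" type="bool" value="false"/>
  </property>
  <property name="automount-media" type="empty">
    <property name="enabled" type="bool" value="false"/>
  </property>
  <property name="autobrowse" type="empty">
    <property name="enabled" type="bool" value="false"/>
  </property>
  <property name="autorun" type="empty">
    <property name="enabled" type="bool" value="false"/>
  </property>
</channel>'

# enabled_features FILE: print the name of every feature whose "enabled"
# sub-property is true, one per line, in file order. Useful as a quick audit
# of the installed channel file after a package upgrade.
enabled_features() {
  awk '
    /<property name="[^"]+" type="empty">/ {
      match($0, /name="[^"]+"/)
      feature = substr($0, RSTART + 6, RLENGTH - 7)
    }
    /name="enabled"/ && /value="true"/ { print feature }
  ' "$1"
}

# write_channel XML FILE: install a channel file world-readable and
# owner-writable only, as a file under /etc/xdg should be.
write_channel() {
  printf '%s\n' "$1" > "$2"
  chmod 0644 "$2"
}

# Demonstration on a scratch directory instead of /etc/xdg.
demo_dir=$(mktemp -d)
write_channel "$PERMISSIVE_XML" "$demo_dir/permissive.xml"
write_channel "$HARDENED_XML" "$demo_dir/hardened.xml"
echo "permissive default still enables: $(enabled_features "$demo_dir/permissive.xml" | tr '\n' ' ')"
echo "hardened default still enables:   $(enabled_features "$demo_dir/hardened.xml" | tr '\n' ' ')"
rm -rf "$demo_dir"

# Per-user equivalent at runtime (not executed here; needs a running xfconfd):
#   xfconf-query -c thunar-volman -p /autorun/enabled -s false
```

Dropping the hardened file into /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/ only changes the default; a user who has already toggled a switch has an override in ~/.config/xfce4/xfconf/xfce-perchannel-xml/thunar-volman.xml, so running the audit against both locations is the check that matters after a point update.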
Hi,

* Michael Gilbert <michael.s.gilbert at gmail.com> [2011-02-14 13:03]:
> Just curious whether we should follow Microsoft's [0] and Ubuntu's [1]
> lead and make it a policy to disable desktop autorun options by default.
> Note that this was one of the flaws that allowed stuxnet to propagate to
> network isolated machines.
> 
> So far, I've only checked xfce, and it has autorun enabled by default.
> If there is consensus that this would be a good thing, then I'll start
> submitting bugs.

Would be a good thing, definitely.

> Not sure if it would be worth pushing this in a point
> update for the stable releases also?

Doesn't require DSAs and should've happened before the release. This is something for the next point update imho.

Cheers
Nico

P.S. Highly recommended kind of related talk: http://www.shmoocon.org/speakers#usbautorun
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.