Vulnerability Description
Microsoft Windows does not properly enforce the Autorun and NoDriveTypeAutoRun registry values, which allows physically proximate attackers to execute arbitrary code by (1) inserting CD-ROM media, (2) inserting DVD media, (3) connecting a USB device, and (4) connecting a Firewire device; (5) allows user-assisted remote attackers to execute arbitrary code by mapping a network drive; and allows user-assisted attackers to execute arbitrary code by clicking on (6) an icon under My Computer\Devices with Removable Storage and (7) an option in an AutoPlay dialog, related to the Autorun.inf file. NOTE: vectors 1 and 3 on Vista are already covered by CVE-2008-0951.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Windows 2000 | All versions |
| Microsoft | Windows Server 2003 | All versions |
| Microsoft | Windows Server 2008 | All versions |
| Microsoft | Windows Vista | All versions |
| Microsoft | Windows Xp | All versions |
Related Weaknesses (CWE)
References
- http://isc.sans.org/diary.html?storyid=5695
- http://www.securitytracker.com/id?1021629
- http://www.us-cert.gov/cas/techalerts/TA09-020A.htmlUS Government Resource
- http://isc.sans.org/diary.html?storyid=5695
- http://www.securitytracker.com/id?1021629
- http://www.us-cert.gov/cas/techalerts/TA09-020A.htmlUS Government Resource
FAQ
What is CVE-2009-0243?
CVE-2009-0243 is a vulnerability with a CVSS score of 7.2 (HIGH). Microsoft Windows does not properly enforce the Autorun and NoDriveTypeAutoRun registry values, which allows physically proximate attackers to execute arbitrary code by (1) inserting CD-ROM media, (2)...
How severe is CVE-2009-0243?
CVE-2009-0243 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2009-0243?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Windows 2000, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows Xp.