Microsoft Kills AutoRun In Windows
aesoteric writes "Microsoft has finally decided to push out an update to disable AutoRun in its XP operating system, a Windows feature that had been increasingly exploited by virus writers over the years. But because Microsoft still sees AutoRun as a feature and not a security hole, it isn't calling its Windows Update a "security update" but rather an "Important, non-security update" — but it effectively disables the AutoRun feature anyway."
XP now more secure than Linux? (Score:2, Interesting)
After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!
Re:XP now more secure than Linux? (Score:5, Funny)
As long as you never run IE, don't connect your computer to the internet, and never insert external media, then YES!
Re: (Score:2)
Man, that's too much trouble. Want the surefire way to avoid viruses, rootkits, malware, etc.? Simple: don't plug the damn thing in!
As long as there are people, there will be such things. Or, if you prefer, as long as there are computers.
Re: (Score:3)
Re: (Score:3)
Replace puppies with naked women
Re:XP now more secure than Linux? (Score:5, Informative)
After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!
The 'autorun on Linux scare' appears to be primarily due to automatically displaying thumbnails of corrupted files which exploit holes in image and video rendering libraries; so Windows is at least as insecure. Windows was far more insecure when it would also happily load a DLL from the USB drive in order to perform that rendering because '.' was first in the DLL search path.
Plus Ubuntu, at least, now seem to be wrapping the thumbnail generators in Apparmor which makes it far more difficult to exploit.
Re: (Score:2)
That thumbnail stuff sounds similar to the windows "shortcut icon" vulnerability: http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx [microsoft.com]
Perhaps Microsoft may start sandboxing more of their stuff too.
IMO Windows and Linux are about the same from an IT security POV.
By default if you can get a user to run something, all their data can be pwned, and you can also have malware running with the user's full privileges. Things don't have to be like this.
Re: (Score:2)
Option? (Score:2)
Re:Option? (Score:5, Informative)
Would be nice to have the option to enable/disable the feature..
It has been an option for as long as I can remember. It used to be one of the first things I turned off after a new install, right after I turned on the display of File Extensions.
Re:Option? (Score:5, Insightful)
Re:Option? (Score:4, Insightful)
Hiding the filename extension is not a virus vector. Having the OS assume a file is just the type that the name says it is, is the vector whether the extension is hidden or not. Granting execute permissions based on its name rather than its permissions, is a virus vector. Assuming a jpg file is an image format and passing it unchecked to a thumbnail rendering subsystem is a vector, not hiding the jpg extension.
You can hide file extensions in Linux file managers. MacOS hides file extensions. Files with hidden extension are not going to be a vector for you or for Mac users on account of the hidden extension. They don't work that way.
Re:Option? (Score:5, Insightful)
A file named lolcat.jpg.exe is a mighty tempting thing to double click on. Granted, the user is the vector. But then, the OS is not helping by making it easy to dupe people into thinking a file is an image vs an exe.
Even if the OS fingerprinted the file instead of relying on the extension, the above scenario doesn't change. The file contents never lied about what the file was. The name was just misrepresented and the OS helped dupe the user into thinking it was an image.
Re:Option? (Score:5, Interesting)
A file named lolcat.jpg.exe is a mighty tempting thing to double click on. Granted, the user is the vector. But then, the OS is not helping by making it easy to dupe people into thinking a file is an image vs an exe.
If, when UAC pops up to tell the user that the *program* lolcat.jpg.exe is about to make changes to the system, the user still clicks allow/yes/whatever then there's really not much more you can do.
Re: (Score:2)
Re: (Score:3)
I could have sworn the problem there was that "open with default viewer" was activated with the same action as "allow this program to do anything it wants to with my files"
Re:Option? (Score:5, Informative)
Sigh. On a Mac, my drunken bigoted friend, a Mach-O file renamed to foo.jpg will happily run *because* the operating system dives into the file format to figure out how to run it. If I embed the appropriate icon resource in the file it'll even look like your default image viewer is going to open it, and if I subsequently start that image viewer once I've got control you'll never know it wasn't.
That's the security flaw: you can make an icon look to the user like it will only open up the image viewer, when actually arbitrary code will be executed.
Without file extensions being hidden you see foo.jpg.exe and say "that's an exe, I'm not going to run that", even if it has a friendly jpg icon embedded in it.
Re:Option? (Score:5, Informative)
The victim will have to do the equivalent of chmod +x on it first.
On the other hand if you create an appropriate disk image file and set the mimetype to application/x-apple-diskimage OSX will mount the disk automatically. And if you put the right things in that disk image (like a package), OSX will start the OSX "Installer" to install it.
Depending on the situation or what the user does it may even run some "preinstall" or "installation check" scripts you supply with that package.
Re: (Score:2)
How long has it been since execute permissions were based on the name? I'm pretty sure that hasn't been true since Windows 2000 and maybe even NT. At least with NTFS.
Re: (Score:2)
True, but by default on the NT family all files have the execute permission. I mean I find the output of "ls --color" to be quite disturbing on Windows (executed via cygwin) because everything is marked executable.
It is also worth pointing out that Windows almost never tries to run anything that does not have an executable suffix. While it is possible, it is very rarely seen. I believe the path search system completely ignores files without an executable suffix, so the full path of such a file needs to be
Stupid question (Score:3)
Although everybody keeps saying that it will display "MyPhoto.jpg.exe" as "MyPhoto.jpg" and thus mislead people, while I certainly admit it is quite likely, I am confused why the MS defenders don't point out that it should not confuse people because a real "MyPhoto.jpg" would display as "MyPhoto" and thus be different than the bogus file.
Can somebody explain this?
If in fact it deletes the entire ".jpg.exe" it would explain confusion, but then it means MS is using different rules in different parts of the co
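Added example, not part of any comment in this thread: a small triage helper for the lolcat.jpg.exe and MyPhoto.jpg cases discussed above. It shows what a file manager with "hide extensions for known file types" would display, and flags both a decoy inner extension and executable content behind a non-executable name. The extension sets, magic-byte table and sample inputs are assumptions constructed for illustration.

```python
import ntpath

# Assumption: small illustrative sets; a real system hides every registered type.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}

# Leading bytes of a few formats (PE/DOS "MZ", 64-bit little-endian Mach-O, JPEG, PNG).
MAGIC = (
    (b"MZ", "pe"),
    (b"\xcf\xfa\xed\xfe", "mach-o"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
)
EXECUTABLE_KINDS = {"pe", "mach-o"}


def shown_name(filename, hide_known=True):
    """Name as displayed when extensions of known types are hidden."""
    stem, ext = ntpath.splitext(filename)
    if hide_known and ext.lower() in EXECUTABLE_EXT | DECOY_EXT:
        return stem
    return filename


def sniff(head):
    """Classify a file by its first bytes instead of by its name."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def triage(filename, head):
    """Return findings for one file given its name and its first bytes."""
    stem, ext = ntpath.splitext(filename)
    inner_ext = ntpath.splitext(stem)[1].lower()
    findings = []
    # Name-based: the real (last) extension is executable, the visible one is not.
    if ext.lower() in EXECUTABLE_EXT and inner_ext in DECOY_EXT:
        findings.append("decoy-extension")
    # Content-based: executable bytes behind a non-executable name.
    if sniff(head) in EXECUTABLE_KINDS and ext.lower() not in EXECUTABLE_EXT:
        findings.append("content-is-executable")
    return findings


if __name__ == "__main__":
    # Constructed samples: (filename, first bytes of the file).
    samples = [
        ("lolcat.jpg.exe", b"MZ\x90\x00"),
        ("MyPhoto.jpg", b"\xff\xd8\xff\xe0"),
        ("foo.jpg", b"\xcf\xfa\xed\xfe"),
    ]
    for name, head in samples:
        print(f"{name!r:18} shown as {shown_name(name)!r:14} {triage(name, head)}")
```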
Re: (Score:2)
The option's been in MS Powertoys since the beginning.
Re: (Score:3)
Should have never been there. (Score:4, Insightful)
Re:Should have never been there. (Score:5, Insightful)
You've never worked a helpdesk, have you?
Re:Should have never been there. (Score:5, Insightful)
I'd wager he has.
Re: (Score:2)
Betty Crocker has a FAQ on all the ways you can screw up cooking Hamburger Helper. Would you say the people who need the help have no business eating?
I'm not entirely joking - it's in the best interest of everyone for companies to make their products accessible to as large a market as possible. In this case, MS probably decided that autorun was doing more harm than good, but the concept (make it as easy as possible to install software) was a good one.
Re:Should have never been there. (Score:5, Insightful)
Betty Crocker has a FAQ on all the ways you can screw up cooking Hamburger Helper. Would you say the people who need the help have no business eating?
No, I would say they have no business cooking.
Re: (Score:2)
Betty Crocker has a FAQ on all the ways you can screw up cooking Hamburger Helper. Would you say the people who need the help have no business eating?
I'm not entirely joking - it's in the best interest of everyone for companies to make their products accessible to as large a market as possible. In this case, MS probably decided that autorun was doing more harm than good, but the concept (make it as easy as possible to install software) was a good one.
I'd say the person involved needs to save up that Hamburger Helper money and order pizza.
Re: (Score:2)
Yes, anyone who can't cook hamburger helper has no business eating.
Re:Should have never been there. (Score:4, Insightful)
For as long as stupid people will continue to have money, computers and operating systems will be made (and sold) to accommodate such people. That's just the way it is.
Re: (Score:2)
Re: (Score:3, Interesting)
This is not a commentary on autorun. This is a commentary on a vendor's piss-poor software quality. If the software could not be invoked any way other than autorun, then the vendor, and not Microsoft, is to blame.
Re:Should have never been there. (Score:4, Informative)
True in general, but some Windows installation disks do more than just run setup.exe on startup and instead have rather involved scripts in autorun.inf. I had a driver/utility CD for an NAS device that created a menu of the manufacturer's different models via autorun and could not be invoked any other way
There is no scripting in AUTORUN.INF...it's really just a very simple INI file. The only thing that could be considered a "script" is the ability to run different programs based on the machine architecture and OS version (controlled by square-bracketed INI section heading tags).
If you trust a disc, you can just open the AUTORUN.INF file with a text editor and copy what is to the right of "open=" and paste it into the start menu run box and it will do exactly what would have happened if autorun was enabled.
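Added example, not part of the comment above or of any Microsoft tooling: instead of reading AUTORUN.INF by eye, this lists every command the file asks Windows to launch, including the architecture-specific sections and the default shell verb that changes what a double-click on the drive icon does. The sample file content is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample, not taken from a real disc.
SAMPLE = r"""
; constructed sample
[autorun]
open=setup.exe /s
icon=setup.exe,0
label=Driver CD
shell=install
shell\install=&Install drivers
shell\install\command=tools\menu.exe

[autorun.alpha]
open=alpha\setup.exe
"""

# Matches keys of the form shell\<verb>\command (keys are lowercased first).
VERB_COMMAND = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Parse INI-style text into {section: {key: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue  # text outside any section, or a line with no value
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return sections


def launch_entries(sections):
    """List commands named in [autorun] and [autorun.<arch>] sections."""
    found = []
    for name, keys in sections.items():
        if name != "autorun" and not name.startswith("autorun."):
            continue
        default_verb = keys.get("shell", "").lower()
        for key, value in keys.items():
            verb = VERB_COMMAND.match(key)
            if key in ("open", "shellexecute"):
                found.append({"section": name, "key": key,
                              "command": value, "on_double_click": False})
            elif verb:
                # shell=<verb> makes that verb the drive's default action.
                found.append({"section": name, "key": key, "command": value,
                              "on_double_click": verb.group(1) == default_verb})
    return found


if __name__ == "__main__":
    for entry in launch_entries(parse_autorun(SAMPLE)):
        print(entry)
```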
Re: (Score:2)
Re: (Score:3)
If you're not a mechanic you have no business driving a car.
Re: (Score:3)
If you're not a mechanic you have no business driving a car.
Obligatory car analogy:
Imagine a car without an ignition key or similar; a kid might touch something and make it start.
Shouldn't that be... (Score:2)
...a car that would start its engine and run straight into traffic as soon as anyone sat in it?
It is auto-run after all...
Re: (Score:2)
As surprising as it may seem, some people have better things to do than play with a PC to understand how it all works.
If I may use a car analogy, those are the people who get eaten by inbred cannibal rednecks because they don't know how to change a flat tire.
Removing a feature? That I PAID for? (Score:4, Funny)
Man, this is just like Sony removing the "Other OS" feature from the PS3. I PAID for Windows XP because of the Auto-Run feature, as I'm sure many others have as well. This is a clear case of bait-and-switch deceptive marketing practicing. I wonder if a legal case could be made...
not the same thing this is just taking away a aut (Score:2)
Not the same thing; this is just taking away auto running. You can still run stuff manually and the update is not forced on you.
Re:not the same thing this is just taking away a (Score:5, Informative)
Whoosh.
Re: (Score:2)
Re: (Score:2, Funny)
you can still run stuff manually
Really? If an autorun menu doesn't pop up what do I do? How do I make the CD, y'know do stuff?
and the update is not forced on you
Microsoft is pushing it on me. I think my computer gets those automatically. I can't make CD work and you want me to stop the whole of Microsoft pushing an update?
I'm suing.
Re: (Score:2)
Trolling? Windows Update is NOT mandatory. You can choose not to install a specific fix and then it will not prompt you for it in the future. It's not like PS3, where you have to update to play online.
Hmmmm.... Seems you must be unable to recognize sarcasm. And here I thought I was humorless. ;)
Re:Removing a feature? That I PAID for? (Score:5, Funny)
[sarcasm] He has auto-sarcasm turned off, you insensitive clod! [/sarcasm]
Re: (Score:2)
LOL. Seems to me you need to learn to recognize the difference between ffreeloader and nebaz. Nebaz is the funny man. I'm the humorless guy that can still recognize sarcasm....
Re:Removing a feature? That I PAID for? (Score:4, Insightful)
Re: (Score:2)
Yeah, in a ten-year-old OS. I'd rather the people who might have been implementing a more secure XP Autorun instead do work on W7 or 8.
What about AutoPlay? (Score:2)
Re:What about AutoPlay? (Score:5, Informative)
Re: (Score:2)
"What now?"
The functionality of the following...
"Open up regedit, and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom
Look for the key 'AutoRun', and toggle between 1 for 'Enable' and 0 for 'Disable'."
will now apply to external drives, but, oddly, the above is STILL not in effect with this update. You still need to do the above if you want to block autorun on CDs/DVDs in a drive. My guess is soooooo many people are used to installers coming up automatically after popping a disc in a drive tha
Re: (Score:2)
What about Autoplay (Score:2)
XP also has Autoplay which can also be coerced into doing nefarious things. Is that taken care of as well?
How does autorun get you a virus? (Score:2)
Re:How does autorun get you a virus? (Score:5, Insightful)
Or an infected CD-ROM or DVD, etc. Or the infected ISO you downloaded and mounted as a drive. Or the network drive that was just mounted. Or your MP3 player mounted in UMS mode. Or an infected external drive. Or a CF or SD/SDHC card mounted through a USB adapter. Or ...
You get the picture. Auto-Run was a bad idea. I'm glad they disabled it.
Re: (Score:2)
Re: (Score:2)
They are just messing with windows registry settings for autorun [microsoft.com]. Any admin concerned with security has already done this manually since Conficker.
The only sure way to k [us-cert.gov]
Re: (Score:3)
Sony will be annoyed (Score:5, Funny)
Their CD rootkits won't run automatically
Bet you there's a super-secret way to re-enable autorun on a specific medium for just such reasons
(which will be discovered and exploited by malware writers)
Re:Sony will be annoyed (Score:4, Interesting)
Wonder if they've disabled the fetching of custom icon files from the drive as you insert it. Nice place to find buffer overflows.
Re:Sony will be annoyed (Score:4, Informative)
Re: (Score:3)
Nope. U3 "crapware" works because a U3 flash drive mounts with two USB endpoints, one of them identifying itself as a CD drive. All the autorun "magic" of U3 happens from the CD-ROM endpoint.
Still available for CDs and DVDs. (Score:2)
I for one think this is a sensible thing to do.
Re: (Score:2)
How about also linking to the original source [technet.com].
Who reads slashdot TFA:s anyway these days? All they do is linkfuck you into some blogfarm multipage sprawl with regurgitated 'content' from the actual source. Most of the time you have to google the original source: corporate press-release, university research group submission etc. because they can't be bothered to put in an actual hyper-link to their hyper-fucking-document!
Sincerely TimBL
Re: (Score:2)
I know quite a few people who would be baffled by running a CD manually, though they're competent in other ways. I can just imagine the increase in tech support calls if CDs and DVDs were affected.
Knowledge Base references (Score:5, Informative)
This is an update to KB967940 [microsoft.com], regarding the patch offered in KB971029 [microsoft.com] going to automatic updates.
I had to look up the numbers, so I thought I'd just share, and save anyone else the trouble.
Re:Knowledge Base references (Score:4, Informative)
Someone needs to mod this up. Anyway another interesting link: http://blogs.technet.com/b/msrc/archive/2011/02/08/deeper-insight-into-the-security-advisory-967940-update.aspx [technet.com]
Re:Knowledge Base references (Score:5, Informative)
Hate to reply to myself, but this http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx [technet.com] needs a read too. It plots the relationship between autorun and malware. Interesting how Microsoft still considers this a "non-security related update", as autorun has been an easy vector with which to poison your windows installation. Important to note that autorun will still work as expected on CD and DVD media, meaning Sony Rootkits are still going to be installed on your computer.
Re: (Score:2)
7 and Vista still vulnerable (Score:4, Informative)
Interesting that this bugfix was released only for XP. In 7, there's a dialog, but autorun.inf can show anything there, so most users will be just as easily fooled.
Re:7 and Vista still vulnerable (Score:5, Informative)
Re: (Score:2)
Also, it has always been possible on XP and Server 2003 domains to disable autorun in group policy.
They fixed that then? Because it never really disabled anything. You had to create a GPO to change the registries so that any file named autorun.inf couldn't be accessed. The nuclear option was the only option that worked.
Re: (Score:2)
Not always. A year or so ago Windows XP did not completely implement that policy. That is, it would not auto run it, but would still read the autorun.inf file and let it change/replace the context menu and the default behavior when you double click on the drive icon. So a virus could still be unintentionally started by double clicking the drive icon. A registry hack was needed to prevent windows from reading autorun.inf. Later, Microsoft released an update that made Windows work as intended with the autorun
Re:7 and Vista still vulnerable (Score:4, Insightful)
The exact set of changes being offered here were a part of Windows 7 from day one. Windows 7 completely ignores the "Open=" entries in any autorun.inf file except for those loaded in devices that claim to be optical media. (So CDs and DVDs will still show the autorun option in the autoplay menu, as will U3 style flash drives, etc)
This is just a patch to older systems to include the same behavior.
Microsoft's not the only one (Score:2)
Re: (Score:2)
On the mac it is opening a file not launching an unknown piece of software. It may not be to your taste but it's not quite the same thing.
It is when that's a PDF file exploiting the latest hole in Adobe's PDF viewer.
Re: (Score:2)
Does anybody actually use Adobe for PDF? I have to remember to always throw away the plugins from the library folder after installing any CS version because they don't work with Firefox, crash Safari and generally are very slow compared to Preview - loading a 120MB program to view a PDF is idiotic.
AutoRun was always broken (Score:5, Insightful)
Given that PKI (Public Key Infrastructure) has been around longer than Internet Explorer, I could never understand why autorun.inf files weren't signed. Didn't Microsoft learn from all the problems induced by autorun-like behaviours on Amiga and Macintosh?
Up until about MacOS 8 (I think) the Finder used to automatically execute .CODE resources in files on disk/HDD/CD whenever a new disc came online which is how most Mac viruses got propagated.
Re:AutoRun was always broken (Score:5, Interesting)
As the inventor of AutoRun (Microsoft even contacted me for prior art when they were sued over it) it saddens me to have it killed off like this.
The original autorunner on the Amiga had a UI element to easily toggle it on/off for a drive, which is about as secure as trusting users not to just click on spyware.exe anyway. You can't protect users from running spyware if they are careless, but you can make it easy for them to control the behavior. Instead Microsoft buried the controls and made it next to impossible to turn off for a particular disk... I think you could disable it by holding shift, or alt, or control, or something. Nobody can remember that and there's no indication that it's working.
Back in the days of swapping actual disks because there was no HD or it was tiny, autorun was an awesome tool, and it's still a nice convenience for users to install drivers, etc. It didn't need to be such a security problem like it was on Windows.
Re: (Score:2)
Re:AutoRun was always broken (Score:4, Interesting)
Autorun made some sense when it worked only on CD-ROM disks, though sometimes it still was annoying (start a game, the game asks for the CD, insert the CD and the installer starts - this on slow PCs with little memory and slow CD drives). It did not work on floppies, so maybe someone saw that it would be bad. When USB flash drives replaced floppies in every day use it was only a matter of time before virus writers took advantage of Autorun.
Re: (Score:2)
When USB flash drives replaced floppies in every day use
And support for what was renamed AutoPlay was added to XP.
Re: (Score:2)
Suppose you do mention that it was an awesome tool and that it's only nice at best these days, but I say, get rid of it. No need really. Pop up a window with the disk, disk image or whatever it might be and let the user decide what to do.
Works rather well on my mac, it even works really well for my dad now that he's gone over to Mac, and I assure you, he's not that technical.
Re: (Score:2)
but, but... Microsoft's real customers won't be able to install their copyright "protection" drivers then... you know, Sony et al...
Yeah (Score:2)
And the villagers rejoiced.
This was a needful thing. (Score:3, Funny)
Will nobody else say it? Ok, I'll say it without inserting some criticism about the timing, the need for this change, or whatever.
This needed to be done. The patch needed to be the default. The patch is here and it provides an improvement on the Windows experience not only for the Windows users, but for those of us who share an Internet with them.
So thank you, Microsoft, for doing the right thing.
non-security updates don't always auto-update (Score:4, Informative)
Microsoft has to accommodate stupidity (Score:2)
Microsoft had to create autorun because too many people are too stupid to figure out how to navigate somewhere and find the file they need. Seriously.
A couple of years ago I copied a bunch of files onto a CD for my wife's boss. The next day she calls me from work -- he can't figure out how to access the files (this is a guy with some pretty substantial education). So I say "just tell him to copy the files from the CD to his hard drive". He literally had no idea how to do that. I refused to play along a
When do they fix the bigger hole in ALL OS's? (Score:3)
Remove the "hide file extension" stupidity that makes it easy for trojans to get run.
Honestly, the manager that green-lighted that feature and continues to make it exist in the OS needs to be fired, tarred, feathered, and then put in stockades so the rest of us can do what we want to him.
Re: (Score:2, Funny)
did you use autorun to post that?
it's not only XP (Score:2)
I run vista and I'm installing it right now, using windows update. I think the summary's just bad or people focused on XP 'cause so many of the attacks are geared towards it (the computers at my school get infected all the time through USBs).
Re: (Score:3)
Re: (Score:2)
It's funny that MS disables this right after this article showed up. [slashdot.org]
I think it's funnier that MS disables it two years after this article. http://tech.slashdot.org/story/09/04/29/2110241/Microsoft-To-Disable-Autorun [slashdot.org]
And years after Microsoft admitted that their suggested methods of disabling autorun didn't really disable autorun at all. http://it.slashdot.org/comments.pl?sid=1038167&cid=25850755 [slashdot.org]
Re: (Score:2)
Except that TFA says that what MSFT did was to backport the Vista change to XP (which it did two years ago). It's been available for XP all that time. What's changed is that they've collected enough data to make them believe that pushing it to more users is a good thing.
When MSFT first announced they were disabling autorun on Win7, people screamed that the world was going to end. Well, it didn't.
Part of the reason that they were able to make this change is that they've had two years of operational experi
Re: (Score:2)
Blue Pill.
Re: (Score:2)
But what's stopping users from navigating to that CD or flash drive and executing the code themselves? Aren't they the ones connecting the devices or putting the disks in their computer in the first place?
Nothing, but a lot of the infections were due to unintentional activations of the virus. Insert flash drive, go to My Computer and double click on the icon, you have a virus. OTOH, some people actually know that they should not double click on executable files if they do not know what the file does.
Re: (Score:2)
Creating a fake optical drive requires hardware support. However, it is true that nothing prevents a virus from replacing the U3 drive's ISO with malware, which would then autorun. For some crazy reason, on most U3 drives the ISO is stored in flash and is updatable, although they don't make it particularly easy to discover how to write a new image.
Re: (Score:2)
Re: (Score:3)
You sir are what we call in the IT world as a....
N00B.
Please come back when you actually know something about computers.