Microsoft Kills AutoRun In Windows
aesoteric writes "Microsoft has finally decided to push out an update to disable AutoRun in its XP operating system, a Windows feature that had been increasingly exploited by virus writers over the years. But because Microsoft still sees AutoRun as a feature and not a security hole, it isn't calling its Windows Update a "security update" but rather an "Important, non-security update" — but it effectively disables the AutoRun feature anyway."
Re:FP (Score:1, Insightful)
Hopefully Ubuntu will do the same thing now.
Should have never been there. (Score:4, Insightful)
Re:Should have never been there. (Score:5, Insightful)
You've never worked a helpdesk, have you?
Re:Should have never been there. (Score:4, Insightful)
For as long as stupid people will continue to have money, computers and operating systems will be made (and sold) to accommodate such people. That's just the way it is.
Re:Option? (Score:5, Insightful)
Re:How does autorun get you a virus? (Score:5, Insightful)
Or an infected CD-ROM or DVD, etc. Or the infected ISO you downloaded and mounted as a drive. Or the network drive that was just mounted. Or your MP3 player mounted in UMS mode. Or an infected external drive. Or a CF or SD/SDHC card mounted through a USB adapter. Or ...
You get the picture. Auto-Run was a bad idea. I'm glad they disabled it.
AutoRun was always broken (Score:5, Insightful)
Given that PKI (Public Key Infrastructure) has been around longer than Internet Explorer, I could never understand why autorun.inf files weren't signed. Didn't Microsoft learn from all the problems induced by autorun-like behaviours on Amiga and Macintosh?
Up until about MacOS 8 (I think) the Finder used to automatically execute .CODE resources in files on disk/HDD/CD whenever a new disc came online which is how most Mac viruses got propagated.
Re:Should have never been there. (Score:5, Insightful)
Betty Crocker has a FAQ on all the ways you can screw up cooking Hamburger Helper. Would you say the people who need the help have no business eating?
No, I would say they have no business cooking.
Re:Should have never been there. (Score:5, Insightful)
I'd wager he has.
Re:Option? (Score:4, Insightful)
Hiding the filename extension is not a virus vector. Having the OS assume a file is just the type that the name says it is, is the vector whether the extension is hidden or not. Granting execute permissions based on its name rather than its permissions, is a virus vector. Assuming a jpg file is an image format and passing it unchecked to a thumbnail rendering subsystem is a vector, not hiding the jpg extension.
You can hide file extensions in Linux file managers. MacOS hides file extensions. Files with hidden extension are not going to be a vector for you or for Mac users on account of the hidden extension. They don't work that way.
Re:Option? (Score:5, Insightful)
A file named lolcat.jpg.exe is a mighty tempting thing to double click on. Granted, the user is the vector. But then, the OS is not helping by making it easy to dupe people into thinking a file is an image vs an exe.
Even if the OS fingerprinted the file instead of relying on the extension, the above scenario doesn't change. The file contents never lied about what the file was. The name was just misrepresented and the OS helped dupe the user into thinking it was an image.
Re:Removing a feature? That I PAID for? (Score:4, Insightful)
Re:7 and Vista still vulnerable (Score:4, Insightful)
The exact set of changes being offered here were a part of Windows 7 from day one. Windows 7 completely ignores the "Open=" entries in any autorun.inf file except for those loaded in devices that claim to be optical media. (So CDs and DVDs will still show the autorun option in the autoplay menu, as will U3 style flash drives, etc.)
This is just a patch to older systems to include the same behavior.
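An added example (not part of the thread and not Microsoft's code): a small Python audit that parses an autorun.inf and reports which program-launching entries would be ignored on non-optical media under the behaviour the comment above describes. Treating `shellexecute` and `shell\<verb>\command` the same way as `Open=` is an assumption of this example, and the sample file is constructed.

```python
import re

# Keys that name a program to start. "open" is the one named in the thread;
# treating shellexecute and shell\<verb>\command alike is this example's assumption.
LAUNCH_KEY = re.compile(r"open|shellexecute|shell\\[^\\]+\\command", re.I)


def parse_autorun(text):
    """Return {lowercased key: value} from the [autorun] section only."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit(text, is_optical):
    """Classify each launch entry as 'offered' or 'ignored' for this media type."""
    report = []
    for key, value in parse_autorun(text).items():
        if LAUNCH_KEY.fullmatch(key):
            status = "offered" if is_optical else "ignored"
            report.append((key, value, status))
    return report


# Constructed sample, not taken from any real device.
SAMPLE = """\
; constructed example
[AutoRun]
Open = setup.exe /quiet
icon=setup.exe,0
label=My Drive
shell\\install\\command=setup.exe

[Content]
MusicFiles=false
"""

if __name__ == "__main__":
    for optical in (False, True):
        print("optical" if optical else "non-optical", audit(SAMPLE, optical))
```

Run against the autorun.inf on a mounted volume, the same report shows which entries an unpatched system would still act on.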