
Microsoft Kills AutoRun In Windows

Posted by samzenpus
from the so-long-farewell-aufedersein-goodbys dept.
aesoteric writes "Microsoft has finally decided to push out an update to disable AutoRun in its XP operating system, a Windows feature that had been increasingly exploited by virus writers over the years. But because Microsoft still sees AutoRun as a feature and not a security hole, it isn't calling its Windows Update a "security update" but rather an "Important, non-security update" — but it effectively disables the AutoRun feature anyway."
  • by Anonymous Coward

    After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!

    • by MrEricSir (398214) on Wednesday February 09, 2011 @09:10PM (#35157822) Homepage

      As long as you never run IE, don't connect your computer to the internet, and never insert external media, then YES!

      • Man, that's too much trouble. Want the surefire way to avoid viruses, rootkits, malware, etc.? Simple: don't plug the damn thing in!

        As long as there are people, there will be such things. Or, if you prefer, as long as there are computers.

    • by 0123456 (636235) on Wednesday February 09, 2011 @10:34PM (#35158426)

      After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!

      The 'autorun on Linux scare' appears to be primarily due to automatically displaying thumbnails of corrupted files which exploit holes in image and video rendering libraries; so Windows is at least as insecure. Windows was far more insecure when it would also happily load a DLL from the USB drive in order to perform that rendering because '.' was first in the DLL search path.

      Plus Ubuntu, at least, now seems to be wrapping the thumbnail generators in AppArmor, which makes it far more difficult to exploit.

      • by TheLink (130905)

        That thumbnail stuff sounds similar to the windows "shortcut icon" vulnerability: http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx [microsoft.com]

        Perhaps Microsoft may start sandboxing more of their stuff too.

        IMO Windows and Linux are about the same from an IT security POV.

        By default if you can get a user to run something, all their data can be pwned, and you can also have malware running with the user's full privileges. Things don't have to be like this.

      • There is no need for such tricks with windows. If the autorun.ini specifies a .exe file, Windows would happily run it.
  • Would be nice to have the option to enable/disable the feature..
    • Re:Option? (Score:5, Informative)

      by BradleyUffner (103496) on Wednesday February 09, 2011 @09:10PM (#35157828) Homepage

      Would be nice to have the option to enable/disable the feature..

      It has been an option for as long as I can remember. It used to be one of the first things I turned off after a new install, right after I turned on the display of File Extensions.

      • Re:Option? (Score:5, Insightful)

        by stonewallred (1465497) on Wednesday February 09, 2011 @09:24PM (#35157976)
        One of the most annoying things about Windows. Hiding the file extension by default.
    • by poity (465672)

      The option's been in MS Powertoys since the beginning.

  • by olsmeister (1488789) on Wednesday February 09, 2011 @09:03PM (#35157780)
    If you do not know how to start a piece of software running, or cannot follow some simple directions to do so, you really have no business using a computer in the first place.
    • by haruchai (17472) on Wednesday February 09, 2011 @09:05PM (#35157788)

      You've never worked a helpdesk, have you?

    • by artor3 (1344997)

      Betty Crocker has a FAQ on all the ways you can screw up cooking Hamburger Helper. Would you say the people who need the help have no business eating?

      I'm not entirely joking - it's in the best interest of everyone for companies to make their products accessible to as large a market as possible. In this case, MS probably decided that autorun was doing more harm than good, but the concept (make it as easy as possible to install software) was a good one.

      • by LordNimon (85072) on Wednesday February 09, 2011 @09:48PM (#35158176)

        Betty Crocker has a FAQ on all the ways you can screw up cooking Hamburger Helper. Would you say the people who need the help have no business eating?

        No, I would say they have no business cooking.

      • Betty Crocker has a FAQ on all the ways you can screw up cooking Hamburger Helper. Would you say the people who need the help have no business eating?

        I'm not entirely joking - it's in the best interest of everyone for companies to make their products accessible to as large a market as possible. In this case, MS probably decided that autorun was doing more harm than good, but the concept (make it as easy as possible to install software) was a good one.

        I'd say the person involved needs to save up that Hamburger Helper money and order pizza.

      • by Surt (22457)

        Yes, anyone who can't cook hamburger helper has no business eating.

    • by dnaumov (453672) on Wednesday February 09, 2011 @09:16PM (#35157902)

      For as long as stupid people will continue to have money, computers and operating systems will be made (and sold) to accommodate such people. That's just the way it is.

    • by brusk (135896)
      True in general, but some Windows installation disks do more than just run setup.exe on startup and instead have rather involved scripts in autorun.inf. I had a driver/utility CD for an NAS device that created a menu of the manufacturer's different models via autorun and could not be invoked any other way. Since I had autorun disabled, this was very annoying.
      • Re: (Score:3, Interesting)

        by Anonymous Coward

        This is not a commentary on autorun. This is a commentary on a vendor's piss-poor software quality. If the software could not be invoked any way other than autorun, then the vendor, and not Microsoft, is to blame.

      • by nabsltd (1313397) on Wednesday February 09, 2011 @10:36PM (#35158434)

        True in general, but some Windows installation disks do more than just run setup.exe on startup and instead have rather involved scripts in autorun.inf. I had a driver/utility CD for an NAS device that created a menu of the manufacturer's different models via autorun and could not be invoked any other way

        There is no scripting in AUTORUN.INF...it's really just a very simple INI file. The only thing that could be considered a "script" is the ability to run different programs based on the machine architecture and OS version (controlled by square-bracketed INI section heading tags).

        If you trust a disc, you can just open the AUTORUN.INF file with a text editor and copy what is to the right of "open=" and paste it into the start menu run box and it will do exactly what would have happened if autorun was enabled.
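An added example (my code, not anything from the thread, from Microsoft or from any disc vendor) of nabsltd's point that AUTORUN.INF is a plain INI file: a parser that pulls out the open= and shellexecute= lines so you can read them before deciding whether to paste them into the Run box yourself, plus a few triage checks for the tricks that make the AutoPlay entry lie to the user, such as an action= that copies the built-in "Open folder to view files" choice. It assumes only the documented key names (open, shellexecute, icon, action, label) and the [autorun.<arch>] section naming the comment above refers to; the two sample files at the bottom are constructed for this example and are not real-world artefacts.

```python
"""Parse and triage an AUTORUN.INF without letting Explorer act on it."""
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([A-Za-z][\w\\]*)\s*=\s*(.*?)\s*$")

# Keys whose value Explorer would execute; this is what you would paste into
# Start > Run by hand once you have read it.
EXEC_KEYS = ("open", "shellexecute")
# The built-in AutoPlay choice that malware copies into action= so its own
# entry looks like the harmless default.
SPOOFED_ACTION = "open folder to view files"
LAUNCHER_RE = re.compile(r"\b(rundll32|regsvr32|cmd|wscript|cscript|mshta)(\.exe)?\b", re.I)
HIDDEN_DIR_RE = re.compile(
    r"(^|[\\/])(recycler|recycled|\$recycle\.bin|system volume information)([\\/]|$)", re.I)
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|doc|docx|jpg|png|txt|mp3|avi)\.(exe|scr|com|bat|pif|cmd)(\s|,|$)", re.I)


def parse_autorun_inf(text):
    """Return {section: {key: value}} with section and key names lower-cased.

    Hand-rolled instead of configparser because real files, especially
    malicious ones, are padded with junk lines and bare words that make
    configparser raise.  Anything that is neither a [section] header nor
    key=value is ignored; for a duplicated key the first occurrence is kept,
    which is what GetPrivateProfileString returns.
    """
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current].setdefault(m.group(1).lower(), m.group(2))
    return sections


def autorun_sections(sections):
    """[autorun] plus any per-architecture section such as [autorun.x86]."""
    return {n: s for n, s in sections.items()
            if n == "autorun" or n.startswith("autorun.")}


def launch_commands(sections):
    """Every command AutoRun could execute, as (section, key, value) tuples."""
    return [(n, k, s[k]) for n, s in autorun_sections(sections).items()
            for k in EXEC_KEYS if s.get(k)]


def triage(sections):
    """Findings for the patterns that should stop you pasting open= into Run."""
    findings = []
    for name, key, value in launch_commands(sections):
        if LAUNCHER_RE.search(value):
            findings.append(f"[{name}] {key}= goes through a script/DLL host: {value}")
        if HIDDEN_DIR_RE.search(value):
            findings.append(f"[{name}] {key}= runs from a normally hidden folder: {value}")
        if DOUBLE_EXT_RE.search(value):
            findings.append(f"[{name}] {key}= has a double extension, relying on hidden extensions: {value}")
    for name, sec in autorun_sections(sections).items():
        if sec.get("action", "").strip().lower() == SPOOFED_ACTION:
            findings.append(f"[{name}] action= impersonates the built-in 'Open folder to view files' choice")
        if "shell32.dll" in sec.get("icon", "").lower():
            findings.append(f"[{name}] icon= borrows a shell32.dll icon so the entry looks like a folder")
    return findings


# Constructed samples for this example, not real-world files.  SUSPICIOUS is
# modelled on the AutoPlay-spoofing trick discussed in the thread.
BENIGN = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Driver CD
"""

SUSPICIOUS = """\
; junk lines and random padding are typical of malicious files
xqjv zzz
[autorun]
open=.\\RECYCLER\\holiday.jpg.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=rundll32.exe .\\RECYCLER\\update.dll,Run
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        secs = parse_autorun_inf(text)
        print(f"{label}: would run {launch_commands(secs)}")
        for finding in triage(secs):
            print("  !", finding)
```

Point it at the AUTORUN.INF from a mounted image or a drive opened read-only; nothing here executes anything, it only tells you what Explorer would have run and why you might not want to.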

    • by sharkey (16670)
      Too true. How hard is LOAD AUTORUN.EXE,8,1 anyway?
    • by shentino (1139071)

      If you're not a mechanic you have no business driving a car.

      • by Sulphur (1548251)

        If you're not a mechanic you have no business driving a car.

        Obligatory car analogy:

        Imagine a car without an ignition key or similar; a kid might touch something and make it start.

  • by nebaz (453974) on Wednesday February 09, 2011 @09:08PM (#35157810)

    Man, this is just like Sony removing the "Other OS" feature from the PS3. I PAID for Windows XP because of the Auto-Run feature, as I'm sure many others have as well. This is a clear case of bait-and-switch deceptive marketing practicing. I wonder if a legal case could be made...

  • When I insert a USB stick, Windows XP opens an AutoPlay window asking me what action to take. If the autorun.inf file is found, the default choice in the AutoPlay window is to run whatever is in autorun.inf. What now? Does XP completely ignore autorun.inf with this update?
  • XP also has Autoplay which can also be coerced into doing nefarious things. Is that taken care of as well?

  • Unless it's from an infected USB drive I guess...
    • by pz (113803) on Wednesday February 09, 2011 @09:25PM (#35157994) Journal

      Or an infected CD-ROM or DVD, etc. Or the infected ISO you downloaded and mounted as a drive. Or the network drive that was just mounted. Or your MP3 player mounted in UMS mode. Or an infected external drive. Or a CF or SD/SDHC card mounted through a USB adapter. Or ...

      You get the picture. Auto-Run was a bad idea. I'm glad they disabled it.

      • Can anyone say Sony Root Kit? Disabling autorun was a good (if long overdue) idea but it's like closing the barn door after the horses have been let out.
      • it does not impact "shiny media" such as CDs or DVDs that contain Autorun files. We are aware that someone could write malware to take advantage of that, but we haven't seen it in the wild. (We also think malware on shiny media would be less likely to have widespread impact, because people burn CDs less often than they insert USB drives.)

        They are just messing with Windows registry settings for autorun [microsoft.com]. Any admin concerned with security has already done this manually since Conficker.

        The only sure way to k [us-cert.gov]
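An added example (my code, not Microsoft's and not from the thread) of auditing the manual registry hardening this comment refers to: it parses the text output of `reg query <key> /s`, decodes the NoDriveTypeAutoRun bitmask to list which drive types would still AutoRun, checks the HonorAutorunSetting flag and the US-CERT IniFileMapping workaround, and, since the hidden-extension default comes up elsewhere in the thread, the HideFileExt value as well. The key paths, value names and bit meanings are the documented ones; the two dumps below are constructed for the example, not taken from a real machine, and the two reg.exe output layouts it accepts (tab-separated on XP, four spaces on later versions) are an assumption about your tooling.

```python
"""Audit the AutoRun and file-extension registry settings from a `reg query` dump."""
import re

# Policies\Explorer holds NoDriveTypeAutoRun and HonorAutorunSetting;
# IniFileMapping\Autorun.inf is the US-CERT workaround; Advanced holds HideFileExt.
POLICY_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIMAP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# NoDriveTypeAutoRun is a bitmask: a SET bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown type", 0x02: "no root directory",
    0x04: "removable (USB stick, floppy)", 0x08: "fixed",
    0x10: "network", 0x20: "CD/DVD-ROM", 0x40: "RAM disk", 0x80: "unknown (bit 7)",
}
XP_DEFAULT_MASK = 0x91  # what XP uses when the value is absent


def parse_reg_query(text):
    """Turn `reg query <key> /s` output into {key: {value_name: (type, data)}}.

    Accepts the XP layout (tab-separated, default value listed as <NO NAME>)
    and the Vista+ layout (four spaces, (Default)).  Names are lower-cased;
    the registry is case-insensitive anyway.
    """
    reg, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
            reg.setdefault(key, {})
        elif key and line[:1].isspace() and line.strip():
            parts = re.split(r"\t|\s{2,}", line.strip())
            if len(parts) < 2:
                continue
            name = parts[0].lower()
            if name in ("<no name>", "(default)"):
                name = "(default)"
            reg[key][name] = (parts[1], parts[2] if len(parts) > 2 else "")
    return reg


def dword(reg, key, name, default=None):
    """REG_DWORD value as an int (reg.exe prints them as 0x..), or default."""
    entry = reg.get(key.lower(), {}).get(name.lower())
    return int(entry[1], 16) if entry else default


def autorun_enabled_types(mask):
    """Drive types a given NoDriveTypeAutoRun mask still lets AutoRun on."""
    return [desc for bit, desc in DRIVE_TYPE_BITS.items() if not mask & bit]


def audit(reg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Without the KB967715 fix and its HonorAutorunSetting=1 flag, Explorer still
    # acted on autorun.inf when the drive was double-clicked, whatever the mask said.
    if dword(reg, POLICY_HKLM, "HonorAutorunSetting") != 1:
        findings.append("HonorAutorunSetting is not 1: NoDriveTypeAutoRun is not "
                        "reliably honoured on an unpatched XP")
    mask = dword(reg, POLICY_HKLM, "NoDriveTypeAutoRun")
    if mask is None:  # no machine policy: fall back to the user policy, then XP's default
        mask = dword(reg, POLICY_HKCU, "NoDriveTypeAutoRun", XP_DEFAULT_MASK)
    still_on = autorun_enabled_types(mask)
    if still_on:
        findings.append(f"NoDriveTypeAutoRun=0x{mask:02x}: AutoRun still allowed on "
                        + ", ".join(still_on))
    entry = reg.get(INIMAP.lower(), {}).get("(default)")
    if not entry or entry[1].lower() != "@sys:doesnotexist":
        findings.append("IniFileMapping\\Autorun.inf is not @SYS:DoesNotExist: "
                        "autorun.inf is still read from the disk")
    if dword(reg, ADVANCED, "HideFileExt", 1) != 0:
        findings.append("HideFileExt=1: 'invoice.pdf.exe' shows up as 'invoice.pdf'")
    return findings


# Constructed `reg query ... /s` output for this example, not real dumps.
PARTIAL = """\
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
    NoDriveTypeAutoRun\tREG_DWORD\t0x95

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced
    HideFileExt\tREG_DWORD\t0x1
"""

HARDENED = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff
    HonorAutorunSetting    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\Autorun.inf
    (Default)    REG_SZ    @SYS:DoesNotExist

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced
    HideFileExt    REG_DWORD    0x0
"""

if __name__ == "__main__":
    for label, dump in (("partial", PARTIAL), ("hardened", HARDENED)):
        print(label, audit(parse_reg_query(dump)) or ["ok"])
```

On the box itself, run `reg query` against each of the four keys with `/s`, concatenate the output and feed it to parse_reg_query; the audit only reads the dump and never writes to the registry, so it is safe to run from a forensics workstation against a saved export.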

      • by Belial6 (794905)
        Autorun as not a bad idea. It was a very good idea that was badly implemented. For any media, there is no reason that the autorun needed to run an executable. It could have very easily have used an OS supplied splash screen that used an ini to supply text, a graphic and a few launch buttons. That is all most autoruns do anyway. By using the OS's executable, it would have made it as secure as any other application that could display a graphic and text. Since IE was in the OS and could do both, the OS s
  • by Ynot_82 (1023749) on Wednesday February 09, 2011 @09:15PM (#35157888)

    Their CD rootkits won't run automatically

    Bet you there's a super-secret way to re-enable autorun on a specific medium for just such reasons
    (which will be discovered and exploited by malware writers)

  • This is only for things like USB sticks etc. It's not like every CD-ROM that John W. Clueless has ever bought is suddenly going to stop auto-running. From the original source:

    ...so this update does not turn off the feature entirely. For example, it does not impact "shiny media" such as CDs or DVDs that contain Autorun files.

    I for one think this is a sensible thing to do.

    • How about also linking to the original source [technet.com].

      Who reads slashdot TFA:s anyway these days? All they do is linkfuck you into some blogfarm multipage sprawl with regurgitated 'content' from the actual source. Most of the time you have to google the original source: corporate press-release, university research group submission etc. because they can't be bothered to put in an actual hyper-link to their hyper-fucking-document!

      Sincerely TimBL

    • Thank you. This was what I was wondering about and TFA implies CDs and DVDs are also affected.

      I know quite a few people who would be baffled by running a CD manually, though they're competent in other ways. I can just imagine the increase in tech support calls if CDs and DVDs were affected.
  • by Anonymous Coward on Wednesday February 09, 2011 @09:20PM (#35157950)

    This is an update to KB967940 [microsoft.com], regarding the patch offered in KB971029 [microsoft.com] going to automatic updates.

    I had to look up the numbers, so I thought I'd just share, and save anyone else the trouble.

  • by KiloByte (825081) on Wednesday February 09, 2011 @09:36PM (#35158082)

    Interesting that this bugfix was released only for XP. In 7, there's a dialog, but autorun.inf can show anything there, so most users will be just as easily fooled.

    • by Manip (656104) on Thursday February 10, 2011 @02:20AM (#35159592)
      This patch turns XP's autorun into the Windows Vista/7 version. The dialog will appear. Right now on XP programs will launch without any user interaction at all...
  • The thing that boggles my mind is Apple has 'Open "safe" files after downloading' as the default for Safari (and yes, "safe" is in quotation marks in the preferences)! I have to remember to uncheck it every time I use a new Mac.
  • by scdeimos (632778) on Wednesday February 09, 2011 @09:44PM (#35158154)

    Given that PKI (Public Key Infrastructure) has been around longer than Internet Explorer, I could never understand why autorun.inf files weren't signed. Didn't Microsoft learn from all the problems induced by autorun-like behaviours on Amiga and Macintosh?

    Up until about MacOS 8 (I think) the Finder used to automatically execute .CODE resources in files on disk/HDD/CD whenever a new disc came online which is how most Mac viruses got propagated.

    • by Anonymous Coward on Wednesday February 09, 2011 @09:59PM (#35158244)

      As the inventor of AutoRun (Microsoft even contacted me for prior art when they were sued over it) it saddens me to have it killed off like this.

      The original autorunner on the Amiga had a UI element to easily toggle it on/off for a drive, which is about as secure as trusting users not to just click on spyware.exe anyway. You can't protect users from running spyware if they are careless, but you can make it easy for them to control the behavior. Instead Microsoft buried the controls and made it next to impossible to turn off for a particular disk... I think you could disable it by holding shift, or alt, or control, or something. Nobody can remember that and there's no indication that it's working.

      Back in the days of swapping actual disks because there was no HD or it was tiny autorun was an awesome tool, and it's still a nice convenience for users to install drivers, etc. It didn't need to be such a security problem like it was on Windows.

      • Mod parent up. (Even though we can't verify that the parent actually invented AutoRun, it's interesting regardless.)
      • by Pentium100 (1240090) on Thursday February 10, 2011 @12:07AM (#35158948)

        Autorun made some sense when it worked only on CD-ROM disks, though sometimes it still was annoying (start a game, the game asks for the CD, insert the CD and the installer starts - this on slow PCs with little memory and slow CD drives). It did not work on floppies, so maybe someone saw that it would be bad. When USB flash drives replaced floppies in every day use it was only a matter of time before virus writers took advantage of Autorun.

        • by yuhong (1378501)

          When USB flash drives replaced floppies in every day use

          And support for what was renamed AutoPlay was added to XP.

      • Sounds nice, but a little bit nostalgic to me.
        Suppose you do mention that it was an awesome tool and that it's only nice at best these days, but I say, get rid of it. No need really. Pop up a window with the disk, disk image or whatever it might be and let the user decide what to do.
        Works rather well on my mac, it even works really well for my dad now that he's gone over to Mac, and I assure you, he's not that technical.
        • Pop up a window with the disk, disk image or whatever it might be and let the user decide what to do.

          but, but... Microsoft's real customers won't be able to install their copyright "protection" drivers then... you know, Sony et al...

  • by jbeaupre (752124)

    And the villagers rejoiced.

  • by symbolset (646467) * on Wednesday February 09, 2011 @10:26PM (#35158390) Journal

    Will nobody else say it? Ok, I'll say it without inserting some criticism about the timing, the need for this change, or whatever.

    This needed to be done. The patch needed to be the default. The patch is here and it provides an improvement on the Windows experience not only for the Windows users, but for those of us who share an Internet with them.

    So thank you, Microsoft, for doing the right thing.

  • by Culture20 (968837) on Wednesday February 09, 2011 @10:50PM (#35158526)
    non-security updates don't always auto-update. This will remain an attack vector until they declare it a security update.
  • Microsoft had to create autorun because too many people are too stupid to figure out how to navigate somewhere and find the file they need. Seriously.

    A couple of years ago I copied a bunch of files onto a CD for my wife's boss. The next day she calls me from work -- he can't figure out how to access the files (this is a guy with some pretty substantial education). So I say "just tell him to copy the files from the CD to his hard drive". He literally had no idea how to do that. I refused to play along a

  • by Lumpy (12016) on Thursday February 10, 2011 @07:46AM (#35160876) Homepage

    Remove the "hide file extension" stupidity that makes it easy for trojans to get run.

    Honestly, the manager that green-lighted that feature and continues to make it exist in the OS needs to be fired, tarred, feathered, and then put in stockades so the rest of us can do what we want to him.
