Microsoft To Disable Autorun
jchrisos writes "Microsoft is planning to disable autorun in the next Release Candidate of Windows 7 and future updates to Windows XP and Vista. In order to maintain a 'balance between security and usability,' non-writable media will maintain its current behavior however. In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction. Will be interesting to see what malware creators do to get around this ..."
Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.
It's been a long time.
Yay!
But now how will people figure out how to play Video Professor or install AOL?
Oh well...
"My cdrom is broke" "It doesn't know there is a cd in there anymore!"
N
Reality is a slackware box running on a 386 tucked away in god's sock drawer.
Since non-writable media such as CD-ROMs generally aren't avenues for malicious software propagation
Because no one that's infected ever burns a CD, nope, never.
@ Will be interesting to see what malware creators do to get around this ..."
Attrib -w? Flip the Writeprotect dword in StorageDevicePolicies?
BBH
It is about bloody time too.
It only took Microsoft 14 years to fix this massive security hole.
If I were God, wouldn't I protect my churches from acts of me?
Ok, so I'll just convince Windows 7 my writeable media is not writeable and it'll autorun my viruses right? Hell, if I can get admin rights to an unopened e-mail, how hard should it be to disguise one media type as another?
I don't think so. Just tell the user to double click the setup.exe icon if it doesn't run automatically. Gotta turn off autorun in the user's brain.
All my moves are coldly calculated.
Say what you like but I kinda like being able to plug in my digi cam and it automatically pops up the application I use.
Oh well.
Not sure exactly what's doing it, but in my Ubuntu and gNewSense installs:
If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.
Seemed to be pretty sensible really. I mean *I* inserted the CD, so I expect something to happen.
Sony Music has announced a lawsuit against Microsoft using the DMCA, claiming that the new software patch circumvents horribly inadequate copyright protection.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction.
Whoa...! Wait... they had autorun there too?!?! Dear god...
Here be signatures
Didn't Sony install rootkits as part of CD insertion/autoRun? CD-ROMs are a vector for malware.
Also, I remember some website getting sued because they mentioned how to disable autorun, effectively disabling their anti-copy rubbish. So will Microsoft be sued for removing this?
Hmm, are we talking about the upcoming RC on May 5th or will there be more RC for the public? :)
Because Vista is so slow, Microsoft has graciously renamed this feature "auto-walk"
for optical drives. But they don't plan on changing the default autoplay anyway. So why make the change? Security? Come on. Malicious software uses autorun because it is currently the easiest way to do this, but it will take all of 10 nanoseconds before a new way to do this is used.
Not to be a MS basher but all their talk about security is only lip service.
OK fine I do mean to be a MS basher.
Step 1. Create Malware that will tempt people with free Viagra if they re-enable autorun
Step 2. ????
Step 3. Profit!
I don't see the problem so many people are having. In XP+ when you put in a CD/flash/w/e you get a windows menu popup saying do you want to open in the browser or play in your media player or w/e. This seems perfectly reasonable. No code is being executed off the disk so no security hole. If you want the CD to run a splash or w/e it is one click. If you want to browse it one click. And it can be set to remember your answer for different devices. I completely fail to see the problem with that.
If this does mean that they are breaking U3 drives I'm happy for the change mind you.
Vista already prompts users for the desired course of action when removable media is inserted. And yet, users click on the unsafe option anyways. How big a difference will this actually be? Users will have to make a couple extra clicks to open the drive, but chances are once they learn to do that they'll continue making the wrong choice.
Malware authors will just enable it again. If the functionality is still there for non-writable media, then it's probably just a hidden setting away from being there for writable media too.
Admit it. You post strawman arguments as AC so you get modded Insightful for refuting them, rather than Troll
All I can say is WTF, they are just now realizing it's a security risk and instead of disabling it in existing OS's, they're doing it in a beta of the next OS?
Sounds like they're not too sure about it being a risk or not. It's like having 3 sons ages 18, 16, and 14 and realizing condoms might be valuable but then only giving them to the 14 year old.
Security is probably job #10 at Microsoft as marketing rules the day on One Microsoft Way.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
The only time I used autorun when I insert media is to open an explorer folder. Typically in the past on Win95/98/2K I would always disable autorun for CDs & DVDs.
take any USB controller, have it emulate a Human Interface Device (aka keyboard), use it for the keystrokes of "windows, up, up, up, enter, virus-website, enter" and it's game over. you can do the same on Mac, just a tad more difficult.
and it only took them 10 years to figure this out?
Fred Grott(aka shareme) http://mobilebytes.wordpress.com
CD-ROMs could have kept the common "Play button" interface from the beginning. Everyone knew this procedure. You insert a VHS into a VCR, you press play. You insert a cassette tape into a Walkman, you press play. CD into a CD player, press play. When the CD-ROM came out, wouldn't it logically follow to insert the CD-ROM, then press the "Play button" to execute any "autorun" functionality? That way it's a user-initiated event, but one that your entire target audience is already going to be familiar with. And the users who weren't intending on "playing" the CD-ROM don't press the play button and can go about, uninterrupted, copying it or navigating the file system as they intended. It's not a huge deal, but I just find it odd that Microsoft's implementation of "Autorun" was the solution to this "problem" back in the day.
Wonder how sandisk will take this? (U3)
Don't get me wrong, I have a sansa fuze and love it. (FYI, it has native vorbis and flac support, albeit with taking a hit on battery life.) But U3 pissed me off to no end.
Billy Brown rides on. Yolanda Green bypasses Gary White.
Now they need to clear up the processes a bit and it may be decent.
for finally doing the obvious. I was infected twice (I know, shame on me right?) by taking my flash drive to get photos printed at a kiosk. I finally placed a read-only, hidden, blank autorun file of my own on all my flash drives to avoid further infections.
Of course, it's only a matter of time before the next virus I run into undoes the read-only status and overwrites...
What I always wondered was why disabling autorun for "all drives" in Windows XP doesn't stop flash drives from autorunning, only the CD/DVD drive.
Granted the typical user won't even know this can be done, but the first thing I do when installing Windows is disable/uninstall autorun, MSN, IE, system restore, drive indexing, and pretty much any other M$ shyte I can. After that, XP is quite stable and very useable.
War as we knew it was obsolete
Nothing could beat complete denial
- Emily Haines
I've always despised this feature. Here's one example: when you eject a piece of read-only media, and Windows starts screaming at you relentlessly because a program was auto-running in the background from the media you just removed... hate that shit.
grep -iw skynet
They should show an icon for the device/disk on the desktop if they disable autorun, like on OS X/Linux. People want visual feedback that their crap is doing something, and they don't like to open up Windows Explorer/My Computer.
Another good idea is to reduce the number of "run on startup" lists to one. There's a billion options for running your stuff on startup. It should be just one place.
While I'm ranting, I hate that I've got two processes in Task Manager called rundll32.exe that I haven't a clue what they do.
USB keys are the herpes of office security. The way people stick them in and out of some random computer, then into their computer, then into their co-worker's computer... It's like fucking a prostitute without a condom and then fucking your friends without a condom.
Thank you Microsoft!
Long live the readme.txt.EXE virus
Disabling autorun is not enough for me to trust windows, I'm waiting until they disable run.
"Will be interesting to see what malware creators do to get around this ..."
I bet $20 that you can just set the booktype to DVD-ROM and have it work.
*sigh*
Those axes should have little relationship to one another.
Security and lip service. Autorun is not ALL they are disabling.
They are disabling access to vista SP2:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9132311
My first thought was that they made this fix, but they "forgot" to involve the various nation's security/intelligence agencies of "fixes" that broke spy tools. So, they need to give the agencies time to "catch up" to ms and "stay ahead" of the rest of us...
Just some wild guessing...
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Must be a slow day for the news.
I got a feeling that ideas like this and like the "XP mode" are related to Bill Gates no longer being the CEO.
Your Ad here
My index finger is sore from holding down the shift key on all the Netflix Blu-rays and DVDs I've ripped.
If someone says he and his monkey have nothing to hide, they almost certainly do.
tookthemlongenough
Shoes for Industry. Shoes for the Dead.
I remember back in the 90s, there was a DOS virus called Stealth or something. Back then, 3.5" disk autorun did not exist. However, if you accessed infected 3.5" disks, then the memory and HDD got infected. Uninfected writeable 3.5" disks would also get infected even if the user only typed A: and that's it. I don't see how disabling autorun for today's devices would help.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
letting users choose.
Oh, wait.. we can already do that.
I am the maverick of Slashdot
Those U3 enabled flash drives will STILL autorun. The second partition is made to appear to be a cdrom to windows, which means that windows will still autorun the crap they put on there.
The U3 mounts 2 devices on windows machines. One is your regular USB mass storage but the other is a *read-only* virtual CD drive. Autorun will run just fine.
Social penetration attacks are ridiculous with these. With a few hours, 100$ or so, one can change the firmware of a handful of U3 dongles, leave them lying on the ground in parking lots, sidewalks... wait a few hours and you have a good % of those U3 trojans phoning home...
I wonder if this has anything to do with the fact that at least one of the Win7 x64 RC build 7100 ISOs floating around has a trojan-infected setup.exe that will autorun on 32-bit machines.
It's probably been downloaded 100,000 times by now.
Been noticing this quite a bit lately.
The build works fine though and if you boot from it you can get what appears to be a clean install. Just don't run setup.exe from the root of the iso.
You're probably better off waiting for the official release.
With OS X, almost anyone can use a CD or DVD without Autorun. All that's required to install from a CD is the ability to click on the icon in the folder. Mac software does this by setting a background on the Finder window with a large pointer indicating where to click if it requires installation, or an alias to the system Applications folder, where installation means copying the application bundle to the Applications folder. This is by far the most elegant solution.
Why can't Windows 7 do the same? Sure, it still inherits security problems, but at least code requires user interaction to get it going, while CDs can affect computers with rootkits unbeknownst to the user. You know a program that requests UAC or sudo privileges cannot be up to much good if it's on a CD.
When I got a laptop loaded with Everybody's Favourite Operating System (Windows Vista), I just started using its indexing search function to launch apps. For example, if I wanted to launch Windows Live Messenger, I'd type in "messenger" and then press enter. If I wanted to launch Firefox, I'd type in "firefox" and press enter.
I didn't make any active effort to do this; it's just more intuitive for me than using my mouse to browse through the labyrinth of Start Menu items.
I've gotten used to doing this in OS X's Spotlight as well (of course, I'd use Quicksilver if I could, but my experience with Macs is contained within my school).
Does anyone else do this, or is it just me?
I've gotten into the habit of reflexively holding down shift whenever I insert a drive or cdrom, either that or you can just disable it completely.
If there's auto-run material, then prompt for it, similar to a pop-up blocker. That's a good compromise.
Table-ized A.I.
http://blogs.msdn.com/e7/archive/2009/04/27/improvements-to-autoplay.aspx
Although, afaict, that says it will still give you a dialog rather than just silently running.
When did we humans get stuck with the job of finding the actual program we want to run?
When the mouse became faster than hunt and peck typing.
the best way to infect computer is by sending a file saying, "please don't execute this!"
I guess people were trying to say that they thought Microsoft would sacrifice the convenience of autorun for security when pigs fly. Well, I guess swine flew.
With the notable exception of those U3 hacks, Autorun is already disabled on Flash drives, at least in Windows XP and Vista.
However, it remains enabled by default on any other type of removable media, including USB or eSATA-attached hard drives, which is pretty freakin' dumb.
Ultimately, I think this change is pointless. If someone took the action to insert a CD in their PC, and no Autorun pops up, they will go hunting for a file to click on. If there is malicious code on that disc, it will get executed regardless of Autorun being enabled or not, only it will take an extra 10 seconds for the user to find and double-click the offending launcher.
I don't know if any of you guys have seen malware that exploits the use of custom thumbnail images - the one supposed to replace the CD-Rom image on your computer when you insert a particular disc.
Starbucks, Harbuckle of Breath.
Will be confused as hell now.
"I put the disk in and it didn't do anything, it must be broke"
"To play my game i have to open my computer what... ???!!?"
---- Booth was a patriot ----
Microsoft is planning to disable autorun in the next Release Candidate of Windows 7 and force the change onto users of Windows XP and Vista, regardless of their preferences.
They claim that in order to maintain a balance between 'security' and usability, it is necessary to break this important feature for most types of media - blatantly ignoring the user's preferences.
It will only be a matter of time before malware creators feast upon users' wishes to restore the feature by providing customized 'autorun enable' software to be distributed by email.
Could Microsoft be more blatant in their disregard for the user's ability to customize their operating system?
Here's a link to disable autorun on 2k and XP for real. You won't get a prompt for what to do, the system won't try to do anything with a USB key or CD rom or removable drive. I recommend it to anyone who has to put other peoples' USB drives in their systems. http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-Autorun-attacks
Will be interesting to see what malware creators do to get around this ..."
Nekid_girlz.exe
Nuff said
...somebody writes a variant of conficker which dumps a malicious .wmv on your thumb drive to exploit a flaw in windows media player.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom DWORD AutoRun=0
I have always hated, and immediately deactivated autorun.
I think autorun was one of those Mac ideas that Microsoft copied.
I want to be in control of what my computer does.
Autorun is lame because inserting media DOES NOT mean you want to "run" it right now.
Example: you insert a disk or mount a drive to look at its contents. That's hardly unusual.
All autorun needs to be done only from trusted sources. The program to be run needs to have a cryptographic strength signature. The computer keeps a set of public keys to allow autorun. Microsoft would supply their own key to get this started (which means this computer initially will only autorun anything Microsoft signed). And this applies to the entire media, so if a script runs an executable, the malware perps cannot just substitute the executable. So basically, nothing on the inserted media can be run unless everything on that media is signed, AND signed by the same key (in case it is signed by another key the user has added). Also, these keys need to be kept encrypted with access only by a user passphrase. Any attempt to add a key definitely needs some user prompting. And there is no reason to treat even a non-recordable CD/DVD any differently. Only the boot device gets to run things without a prompt (which does mean there is still exposure for computers in which the media is the first boot device when the user reboots with it left inside ... that's another issue to deal with).
now we need to go OSS in diesel cars
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
Save that to a reg file. Disables autoplay system wide for all devices.
Please see http://technet.microsoft.com/en-us/library/dd349797.aspx
Vulnerability
An attacker with physical access to the computer could insert an Autorun-enabled DVD or CD into the computer that automatically runs a malicious program.
Countermeasure
Configure the NoDriveTypeAutoRun entry to a value of 255, disabling Autorun for all drives.
But this was not a decade too late!
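Added example, not code from anyone in this thread: a small Python audit of the NoDriveTypeAutoRun value in a .reg file like the one posted above. It decodes the value as the bitmask it is (bit n disables Autorun for GetDriveType() value n, so 0xFF covers everything), lists which drive types a given value still lets autorun, and flags whether the file actually hardens the box. Running it against 0x91 also shows why, as a commenter asked earlier, turning off autorun for "all drives" in the XP UI can leave USB flash drives autorunning: the removable-drive bit (0x04) is simply not set. The sample .reg text is constructed here after the snippet in the thread.

```python
import re
from typing import Dict, List, Optional

# NoDriveTypeAutoRun is a bitmask: bit n disables Autorun for GetDriveType()
# value n. A bit that is SET means "do not autorun this drive type".
DRIVE_TYPE_BITS: Dict[int, str] = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # USB flash drives, floppies, U3's storage half
    0x08: "DRIVE_FIXED",       # internal disks and USB/eSATA hard drives
    0x10: "DRIVE_REMOTE",      # network shares
    0x20: "DRIVE_CDROM",       # optical drives and U3's virtual CD
    0x40: "DRIVE_RAMDISK",
    0x80: "RESERVED",          # reserved bit; 0xFF sets it too
}

# Constructed sample, modelled on the .reg snippet posted in this thread.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

_VALUE_RE = re.compile(r'^"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{1,8})\s*$',
                       re.MULTILINE)


def parse_no_drive_type_autorun(reg_text: str) -> Optional[int]:
    """Return the NoDriveTypeAutoRun value from .reg text, or None if absent."""
    match = _VALUE_RE.search(reg_text)
    return int(match.group(1), 16) if match else None


def autorun_enabled_types(mask: int) -> List[str]:
    """Drive types whose bit is clear, i.e. still allowed to autorun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def audit_reg(reg_text: str) -> dict:
    """Summarise what a .reg file does to Autorun. 'hardened' is True only
    when every drive type, removable and network included, is covered."""
    mask = parse_no_drive_type_autorun(reg_text)
    if mask is None:
        # Value absent: the OS default applies, which this script cannot see.
        return {"mask": None, "still_enabled": None, "hardened": False}
    return {"mask": mask,
            "still_enabled": autorun_enabled_types(mask),
            "hardened": (mask & 0xFF) == 0xFF}


if __name__ == "__main__":
    samples = (("thread snippet", SAMPLE_REG),
               ("0x91 (removable media left enabled)",
                SAMPLE_REG.replace("000000ff", "00000091")))
    for label, text in samples:
        result = audit_reg(text)
        print(f"{label}: mask={result['mask']:#04x} hardened={result['hardened']}")
        print("  still autoruns:", ", ".join(result["still_enabled"]) or "nothing")
```

The check is deliberately strict: anything short of all eight bits set is reported as not hardened, because the two types people forget (removable and network) are exactly the ones this story is about.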
but what are these flash drives and optical disks containing viruses that autorun when you plug them in? do they come in the mail like AOL disks?
If disabled, Windows can still parse autorun.inf and start the software on the removable storage by double clicking on your CD-ROM drive. It is still a nice feature for packaging.
So doing it manually reduces the risk of malware infection by this means. Does not eliminate.
So adding a prompt... like already exists in windows (UAC)... for auto-running content from removable media or even network storage for that matter, is all that is needed.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
And they're not removing the feature. They're just making sure the default is "off". It's the sensible thing to do.
If you're secure enough about what's on the disks/pendrives/cameras/network shares you mount to use it then by all means turn it back on. But that ought not be the default because not everybody is at that level.
I'm not one to praise Microsoft usually, but this is a move in the right direction.
Help stamp out iliturcy.
Why stop at autorun? MS should disable automount as well. E.g. one should be able to mount any disc as read only. I have had so many UDF discs destroyed just because 3rd party drivers fuck up. This should be completely avoidable.
GNOME guys, this is what you get from copying every mistake MS committed. You replicated the worst ideas from your Redmond overlords like automount/autorun as if it was an honorable deed. Now even MS is reverting its mistakes, leaving you alone in a posture like a foolish clown. Gladly I'm no longer a GNOME user.
At first I thought this meant I'd no longer be able to use Num Lock to just run in a direction in World of Warcraft, without having to hold down an arrow key. Imagine my relief when I realized that this was really just about DVDs and stuff.
I was arguing with a coworker why autorun is so dangerous. He said he never had a problem with it. So while he was away from his desk, I modified his USB key with an autorun that changes his desktop background to Unicorns and Rainbows. :-)
That should be interesting, I can't wait until the release.
When is that Windows version to be released?
Just a registry value away. Say hello to millions of crapwares that "Fix Autorun". Not to mention malware itself.
If a non-essential feature reduces the security of an operating system the correct default is "don't." This is a non-essential feature. They've done the right thing here.
Go ahead and turn it on. Then if your box gets owned this way they bear less responsibility. It probably won't because if you know enough to turn it on you've probably considered the risks and decided your experience mitigates the problem. But for millions of consumers who don't know enough about the question, making them more aware of the risks by making them change the default is the right thing to do.
And as for malware, if they're downloading it to fix autorun then they're going to do it to speed up their PC or get a funny mouse pointer or screensaver or whatever anyway so this is a spurious argument.
I've been disabling autorun on XP and 2k for many many years now. gpedit.msc, the group policy editor, is your friend.
Because a Personal Computer is a general multi-purpose computational device, and the knowledge required to adequately operate it is proportional to the quantity of available functions in a given environment.
Or to be short, it is not freaking toilet paper or a refrigerator, and not relying on automatic execution of unknown, untested and unreliable software is not some advanced technique of its use.
Personally, I'm sick of that "tool" excuse every time an incompetent monkey fails to push the right buttons.
>> The best system is one that just does what you want it to do, without distracting you from your task by making you think about it.
not repeating same thoughts or actions is good thing, not making them at all is a different story.
Just manually create a folder named AUTORUN.INF on your USB stick and no virus could create an autorun.inf file for auto-running.
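Added example, not code from anyone in this thread: a small Python audit for the root of a mounted volume that covers both the point made a few posts up (Windows still parses autorun.inf when you double-click the drive, so what the file would launch matters even with autorun off) and the AUTORUN.INF placeholder-directory trick just above. It reads the [autorun] section, lists every directive that hands a path to a launcher (open=, shellexecute=, shell\verb\command=), and reports whether a placeholder directory is in place instead of a file. The sample autorun.inf and the throwaway "volumes" are constructed here; point audit_volume() at a real mount point to use it for real.

```python
import os
import tempfile
from typing import Dict, List, Optional

# Constructed sample autorun.inf (not from any real product or this thread).
SAMPLE_INF = """; constructed sample
[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Disc
shell\\install\\command=bin\\installer.exe /quiet
shell=install
"""


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Minimal INI reader for autorun.inf: keys from the [autorun] section,
    lower-cased; comment lines (;) and other sections are skipped."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_targets(directives: Dict[str, str]) -> List[str]:
    """Everything the file would hand to a program launcher: open=,
    shellexecute= and any shell\\<verb>\\command= entry."""
    targets = []
    for key, value in directives.items():
        if key in ("open", "shellexecute"):
            targets.append(value)
        elif key.startswith("shell\\") and key.endswith("\\command"):
            targets.append(value)
    return targets


def audit_volume(root: str) -> dict:
    """Classify the autorun.inf entry (any letter case) at a volume root."""
    for name in sorted(os.listdir(root)):
        if name.lower() != "autorun.inf":
            continue
        full = os.path.join(root, name)
        if os.path.isdir(full):
            # The placeholder-directory trick: a directory of that name
            # blocks creation of a same-named file.
            return {"status": "placeholder_dir", "targets": []}
        with open(full, "r", encoding="utf-8", errors="replace") as fh:
            directives = parse_autorun_inf(fh.read())
        return {"status": "file", "targets": launch_targets(directives),
                "directives": directives}
    return {"status": "absent", "targets": []}


def build_sample_volume(autorun_inf: Optional[str] = None,
                        placeholder_dir: bool = False) -> str:
    """Create a throwaway directory standing in for a mounted volume."""
    root = tempfile.mkdtemp(prefix="vol_")
    if placeholder_dir:
        os.mkdir(os.path.join(root, "AUTORUN.INF"))
    elif autorun_inf is not None:
        with open(os.path.join(root, "autorun.inf"), "w", encoding="utf-8") as fh:
            fh.write(autorun_inf)
    return root


if __name__ == "__main__":
    for desc, vol in (("untrusted disc", build_sample_volume(SAMPLE_INF)),
                      ("protected stick", build_sample_volume(placeholder_dir=True)),
                      ("plain stick", build_sample_volume())):
        print(desc, "->", audit_volume(vol))
```

The placeholder directory only helps against malware that creates the file without first removing what is in the way; anything running with enough rights to delete the directory defeats it, which is the caveat another poster raised about the read-only blank file. The audit reports "placeholder_dir" so you can at least see when the protection has silently disappeared.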
Something I've actually seen in the wild: a USB flash drive that presents itself to the operating system as a conventional CD-ROM and a hard disk. The "CD-ROM" contained a launcher that searched for the "hard disk" and launched whatever was on it. There was nothing about the flash drive that indicated it would do that; the only way to learn was the hard way: by plugging it in. So if you ever plan to insert a flash drive from a friend in your computer, disable autorun completely, because the flash drive could be one of these, and if it is, it could be infected with something without you or your friend knowing it.
can't you just have it embedded into the prompt that you can type something like "what" to find out what programs you can run? It's no more intuitive to have to click a series of buttons, really.
Like a prompt that goes something like
User user in Directory directory. Type 'what' for full program list:>
Wake me when they disable "autorun" for E-Mails.
Seriously, when's the last time you heard about 100,000 PCs getting infected by malware on a USB stick?
It's certainly a good step, but the problem it solves pales compared to pretty much everything else that windos has burdened itself with over the past decade or so.
Assorted stuff I do sometimes: Lemuria.org
Disabling AutoRun on flash devices will not make a lot of difference - people still can't help to click on something that says "Click the Button Now!"
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
What about floppy disks? Will the write-protection tab enable autorun?
Sony put a root kit on their write-only CDs.
Software has gone out infected on the media distributed.
>that is definitely a step in the right direction.
I'm no fan of autoplay. But to call this a step in the right direction is stupid.
They're doing this because of the failing security model of Windows, not to be more userfriendly. If Windows was more secure then this would not have been a problem to begin with. Obnoxious yes, problem no.
Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.
This is just as bad on non-writable media. A simple social engineering attack is to send the target company a bunch of free CDs with supposedly something interesting in them, then just wait for some employee to autorun your trojan.
Anyhow I have been doing this for a while, using the TweakUI "powertool" from Microsoft to totally disable all forms of autoexecution on all Windows computers I touch. Which is sad because automatic default actions can be useful if done correctly. For instance Ubuntu opens the folder for me when I insert a data CD, and it starts ripping software when I insert a music CD (this is the default, which is cool because ripping it is the only reason I would insert a CD in my computer). XP totally sucks at this, don't know about Vista, only booted it twice or so on my laptop since it came pre-installed.
The main problem is Windows inability to differentiate between RUN and OPEN
This is a small step, with little long term value. In fact, many shops have already done this mod.
For the new OS we need the ability to define no-execute for a mounted removable media, with no-execute as the default. Well, it would be nice for non-removable media too. Folder level would be cool too, so no matter what you drop in it, you can't run it - it's just data.
What's next, Microsoft dropping ActiveX?
Apple dropped autoplay last century, even for CDs. There's theoretically a scheme for autoplay for Linux... but nobody sane implements it. Autoplay is one of those things that can not, even in theory, be implemented safely... because what it does is automatically grant full local user execution privileges to any random media you stick in your computer. Once you do that, you're penetrated... and you know what they say about that: "Security is like sex, once you're penetrated you're ****ed".
So I dearly hope you ARE the only one who thinks that it's even potentially a good idea to implement "autoplay" for executable content.
But is autoplay/autorun an automatic turn signal or is it a starter motor?
It's a starter motor that automatically starts the car whenever you get in. This is a great feature most of the time, but when you just wanted to run out to the garage to get your sunglasses out of the glove compartment, it accidentally starts up and asphyxiates everyone in the house.
Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
This is definitely a step in the right direction. Autorun might be one of the worst ideas in OS history. In many cases you might just not want to switch a DVD or CD that's in a drive, and if you don't it shouldn't keep popping up reminding you it's in there. The question about this being a step to increase the security is also in the right direction. Although Windows will never be truly a "Secure" OS, I agree this will start to move in the right direction. Other implementations that might help would be better user account options, better file system management and fewer start up services. After autorun goes I think the next best step is for the system to require the user to build the start up services process. If I have learned anything through the years of being a Linux user (Gentoo) it's that the more you leave in the hands of the user the better. Sure the system should have to take care to manage itself and I'm not going to try and take up an argument on that, but I think Windows has gone too far and too out there with doing it for the users. I think the truly right move is to slowly start getting Windows users to manage their computers, and when the user starts to get the right input control to the system it can really start to be a secure OS.