Microsoft To Disable Autorun
jchrisos writes "Microsoft is planning to disable autorun in the next Release Candidate of Windows 7 and future updates to Windows XP and Vista. In order to maintain a 'balance between security and usability,' non-writable media will maintain its current behavior however. In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction. Will be interesting to see what malware creators do to get around this ..."
CD is read-only, thus not applicable. RTFS.
It's been a long time.
non-writable media will maintain its current behavior however
Non-writable media will maintain current behavior. Pay attention.
CD is read-only, thus not applicable.
If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.
That's what Vista does too... I actually really like that behavior. It's almost as convenient as autoplay is, but without the security risk. (Well, for good users.)
This is exactly what Vista does. The problem is that you can customize the icon for the "run" operation, and malware authors got clever and used the folder icon. If you weren't paying attention, you might click the wrong option and install the malware (although there's also a UAC prompt to get through on Vista).
Pay $0.03 more per disc and most of that stops. I've found that there are quite a few discs out there that are too cheap, they just don't work.
Activate? The...software?
Eh?
On my U3 drives (both of them), the following would happen upon insertion:
Loading drivers
Found USB hub!
Loading drivers
Found USB mass storage device!
Loading drivers
Found USB CD-ROM!
The drives that appear are as follows:
A regular read/write USB flash drive, empty except for whatever I've put into it
A read-only CD-ROM
After the drivers all load (automatically and without intervention, under most Windowses), it would autorun the virtual CD drive as configured in Windows.
Of course, I now have U3 disabled (more because I find no need for it, than because it is somehow evil), but that's how it worked for me.
Those U3 enabled flash drives will STILL autorun. The second partition is made to appear to be a CD-ROM to Windows, which means that Windows will still autorun the crap they put on there.
Not only that, but this will give SanDisk a semi-legit reason to partition those bloody things. To this day, the ONLY way to get rid of that damn partition is using a Windows utility, and that doesn't even work half the time!
As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".
I think Vista's "always autoplay, never autorun" (if I got those names right) scheme works really well.
Autorun does work really well... at installing rootkits on your machine from Sony/BMG CDs.
Except that he gave the example of Windows Vista as actually getting things fairly right.
DVD video, CD audio -> autoplay OK
USB/PhotoCD, CD/DVD with just images -> autoplay OK
USB/CD/DVD with autorun specifying an executable -> DO NOT AUTORUN.
Within 'do not autorun' you even get choices...
A. Ask me what the flippant to do
B. Do nothing whatsoever.
Option A is perfectly sane. The only problem is in the presentation. People exploit the fact that one of the usual options is the 'browse disc' thing. They use the same icon, give it the same name, it appears at the top and voila.. people think that's the regular ol' browse disc option but in reality they end up running nefarious software.
Autorun/Autoplay are not the issue given the above - the design of that dialog asking you what to do *is*.
The new method sucks monkeyballs. Thankfully there's third-party autorun utilities and I'll be installing one of those once I land on Windows Se7en.
In Vista you can go: Press Start button, type "word", hit enter. And you open MS Word using a CLI-like interface.
Who verifies the signature? Who verifies the verifiers? What stops a signature from being faked?
if you're going to be paranoid about these things, you might as well be all-the-way paranoid.
Yes, because after all, if we can't make it IMPOSSIBLE to crack, we might as well not make it rather harder?
BTW, most Linux package managers now check signatures on the packages they install. You know why? Because it's a damn good idea. It eliminates most attack vectors and it eliminates almost all of the easily-attackable attack vectors.
(MS is using signatures a bit differently than the Linux folks are, but many of the same principles and benefits apply.)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
Save that to a .reg file. Disables autoplay system-wide for all devices.
Please see http://technet.microsoft.com/en-us/library/dd349797.aspx
Vulnerability
An attacker with physical access to the computer could insert an Autorun-enabled DVD or CD into the computer that automatically runs a malicious program.
Countermeasure
Configure the NoDriveTypeAutoRun entry to a value of 255, disable Autorun for all drives.
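As an added example (not code from the thread, from Microsoft, or from the TechNet page), this Python script parses the NoDriveTypeAutoRun value out of the .reg fragment posted above and decodes which drive types it still lets AutoRun. The bit meanings follow Microsoft's documentation of that value; the 0x91 default and the constructed 0xDF "everything but CD-ROM" mask are included to compare the 0xFF setting against the behavior the thread describes.

```python
import re

# Bit meanings of NoDriveTypeAutoRun, per Microsoft's documentation of the value.
# A set bit SUPPRESSES AutoRun for that drive type; a clear bit leaves it enabled.
DRIVE_TYPE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,        # USB flash drives, removable hard drives
    "fixed": 0x08,
    "network": 0x10,          # network shares
    "cdrom": 0x20,            # also the U3 virtual CD-ROM partition
    "ramdisk": 0x40,
    "unknown_reserved": 0x80,
}

DEFAULT_MASK = 0x91   # Microsoft's shipped default: unknown + network suppressed
ALL_MASK = 0xFF       # the value posted in the thread: every drive type suppressed
# Constructed illustration of the thread's description (AutoRun only for
# non-writable media); not Microsoft's actual implementation of the change.
CDROM_ONLY_MASK = 0xDF

# Constructed sample: the .reg fragment posted in the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""

_DWORD_RE = re.compile(r'^"NoDriveTypeAutoRun"=dword:([0-9A-Fa-f]{8})\s*$', re.MULTILINE)


def parse_no_drive_type_autorun(reg_text):
    """Return the NoDriveTypeAutoRun mask from .reg text, or None if it is absent."""
    m = _DWORD_RE.search(reg_text)
    return int(m.group(1), 16) if m else None


def autorun_allowed(mask, drive_type):
    """True if AutoRun is still permitted for drive_type under the given mask."""
    return not (mask & DRIVE_TYPE_BITS[drive_type])


def still_autoruns(mask):
    """Sorted list of drive types for which the mask leaves AutoRun enabled."""
    return sorted(t for t in DRIVE_TYPE_BITS if autorun_allowed(mask, t))
```

Running `still_autoruns(parse_no_drive_type_autorun(SAMPLE_REG))` on the posted fragment returns an empty list, which is what "disable Autorun for all drives" means in bitmask terms.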
This all happens as fast as I type. S is Safari, F is Firefox, m is Mail, p-space-s is Photoshop, t-space-m is TextMate, etc...
Who still uses the dock??
And serious kudos to Microsoft for turning off autorun- that blesses me.