Microsoft To Disable Autorun

← Back to Stories (view on slashdot.org)

Posted by timothy on Wednesday April 29, 2009 @09:28AM from the mounting-is-fine-but-opening-is-obnoxious dept.

jchrisos writes "Microsoft is planning to disable autorun in the next Release Candidate of Windows 7 and future updates to Windows XP and Vista. In order to maintain a 'balance between security and usability,' non-writable media will maintain its current behavior however. In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction. Will be interesting to see what malware creators do to get around this ..."

39 of 429 comments (clear)

Min score:

Reason:

Sort:

Erm.....What the hell? by Sj0 · 2009-04-29 09:29 · Score: 5, Insightful

Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.

--
It's been a long time.
1. Re:Erm.....What the hell? by Anonymous Coward · 2009-04-29 09:34 · Score: 3, Insightful
  
  Microsoft wanted a computer to be an appliance. The person operating it didn't have to know much. When it got older, you bought a new one Want your new camera to work? Plug it in and insert cd. Want an external hard drive you just plug in and it backs up your stuff? You got it. Want to watch tv on your computer? Plug it in the usb slot, plop the cd in the drive and you're good to go. Good idea. However, the real world doesn't play with good ideas very well.
2. Re:Erm.....What the hell? by Sj0 · 2009-04-29 09:36 · Score: 3, Insightful
  
  The risk is too obvious and too stupid to take.
  A menu pops up with this stuff anyway: "Hey, want to open this folder?", so it's not like you're doing anything more than adding exactly one step.
  
  --
  It's been a long time.
3. Re:Erm.....What the hell? by Midnight+Thunder · 2009-04-29 09:44 · Score: 4, Insightful
  
  Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.
  A compromise would have been to ask the user, but disabling is completely is probably better, since it will avoid stuff like the Sony Root kit, being installed by a clueless user. After all:
  Computer: "Do you want to do xyz? It may break you computer."
  User: clicky, clicky "Why yes of course"
  
  --
  Jumpstart the tartan drive.
4. Re:Erm.....What the hell? by Twillerror · 2009-04-29 09:48 · Score: 3, Insightful
  
  Not entirely true. When I plug in my camera and a little popup comes up I really like that. Why...because it's not exactly what program I'd like to launch. Most of the time I just want to get at the file system and copy and paste over the files.
  Then there is my wife who would be completely lost without the auto run that cameras present users with.
  When USB drives plugin sometimes they auto run management software which could include faster drivers or encryption utilities. I'd don't want the option for this lost.
  The problem to me is not that it auto runs, but that it doesn't require any sort of user involvement. I like auto run cds...except when I don't want it. I know I can hold down shift to get around it, but if I forget or my arms are to short to do both at the same time I'm boned.
  If there is a use case (even if you don't see the need) for this then we need to try to continue to support it. My guess is someone though of a GOOD user for it. I don't want my entire computer expierence to be dictated by virus writers and boring programers. It's like saying we can't fly on jets because someone could fly them into buildings...figure out how to stop people from flying into buildings...not stop flying.
5. Re:Erm.....What the hell? by Anonymous Coward · 2009-04-29 10:01 · Score: 1, Insightful
  
  While I agree with your point about boring programmers, your analogy would fall flat if 1/10 airplanes were smashed into a building within an hour of takeoff.
6. Re:Erm.....What the hell? by Feanturi · 2009-04-29 10:06 · Score: 5, Insightful
  
  That's only if there isn't an autorun.inf pointing to an executable. If there is, it runs that instead of showing the "What do you want to do?" dialog. Only having autorun disabled will protect you from that. What would be good is if it was disabled by default, but could be turned on for select "trusted" flash drives. Or, just a thought, maybe people could learn a bit about how to use a computer and not have to have it do all the driving. Nothing wrong with learning to open an Explorer window, then navigating to a drive to access something on it. What a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.
7. Re:Erm.....What the hell? by EvanED · 2009-04-29 10:13 · Score: 5, Insightful
  
  Or, just a thought, maybe people could learn a bit about how to use a computer and not have to have it do all the driving. Nothing wrong with learning to open an Explorer window, then navigating to a drive to access something on it. What a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.
  As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".
  I think Vista's "always autoplay, never autorun" (if I got those names right) scheme works really well.
8. Re:Erm.....What the hell? by thePowerOfGrayskull · 2009-04-29 10:22 · Score: 4, Insightful
  
  hat a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.
  Why should those people who are using computers as tools (in the same way they would use a car, lawnmower, or vibrator) have to know anything at all about how it works, where content is stored, etc?
  The best system is one that just does what you want it to do, without distracting you from your task by making you think about it. That holds equally true for computers, windshield wipers, and toilet paper.
9. Re:Erm.....What the hell? by Darkness404 · 2009-04-29 10:24 · Score: 4, Insightful
  
  And remember the Sony rootkit fiasco? That's no better or worse than something you might catch from popping a pirated CD or DVD (the ones you buy for $1 off the streets).
  
  Except for the fact the Antivirus you paid $80 for will catch the malware that came off the CDs and DVDs but believes that the Sony Rootkit is "legitimate" and leaves it alone.
  
  --
  Taxation is legalized theft, no more, no less.
10. Re:Erm.....What the hell? by Happler · 2009-04-29 10:30 · Score: 5, Insightful
  
  I have met people who do not think about toilet paper and they stink. I am a firm believer that people should have at least a basic understanding of what tools they are using. Knowing the basics of windshield wipers means that you can purchase and change them yourself (and pay less in the long run). Knowing the basics of computers means that you will, at least, help minimize the amount of damage you do to your computer via virus, malware, stupid user tricks, etc. I have worked too much tech support to encourage systems that do everything for the user. It just creates more problems then it is worth.
11. Re:Erm.....What the hell? by Nerdfest · 2009-04-29 10:34 · Score: 2, Insightful
  
  It's still an infection vector.
12. Re:Erm.....What the hell? by Cajun+Hell · 2009-04-29 10:34 · Score: 5, Insightful
  
  The best system is one that just does what you want it to do
  Autorun isn't intended to do what users want it to do. Close, but not quite. Autorun is intended to do what ..
  .. .. somebody .. ..
  .. wants it to do. That person is never the user, unless the user wrote the autorun script. That person may have the user's interests at heart.
  
  --
  "Believe me!" -- Donald Trump
13. Re:Erm.....What the hell? by Tanktalus · 2009-04-29 10:46 · Score: 4, Insightful
  
  No other device stores nearly so much of a user's information as a computer. Except maybe a filing cabinet, and you damned well better know where to find your information there, because there's no "grep" tool for that!
  All I'm saying is that analogising a computer against a lawn mower may break down for some things. And this might just be one of them.
  I don't expect a user to be able to write a program, or even a script, or even a batch file. But I do expect them to know where they store their stuff insofar as its similarities to a set of filing cabinets goes.
14. Re:Erm.....What the hell? by camperdave · 2009-04-29 11:08 · Score: 1, Insightful
  
  "yeah, because I like doing work myself that a computer is good at".
  
  This is exactly why a CLI is better than a GUI. With a CLI, you type the command, and the computer goes off and finds the actual executable. With a GUI, you have to do that manually: Click Start, select All Programs, select Microsoft Office, click on Microsoft Word (as an example). When did we humans get stuck with the job of finding the actual program we want to run?
  
  --
  When our name is on the back of your car, we're behind you all the way!
15. Re:Erm.....What the hell? by Hatta · 2009-04-29 11:24 · Score: 2, Insightful
  
  As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".
  Computers are good at deciding whether or not you can trust a piece of software? What algorithm would you use for that?
  
  --
  Give me Classic Slashdot or give me death!
16. Re:Erm.....What the hell? by DragonWriter · 2009-04-29 11:28 · Score: 2, Insightful
  
  Autorun isn't intended to do what users want it to do. Close, but not quite. Autorun is intended to do what .. .. .. somebody .. .. .. wants it to do. That person is never the user, unless the user wrote the autorun script.
  
  Or, unless the user deliberately enabled autorun and deliberately put the media in the drive/slot/etc. What the user wants can be "whatever the creator of the autorun script on this drive programmed", after all.
17. Re:Erm.....What the hell? by rnelsonee · 2009-04-29 12:00 · Score: 3, Insightful
  
  If we're talking about CD's, then the user is already assuming the script writer has their best interests at heart - why else would they be sticking the CD in the drive? All disabling autorun does is make it harder for users, because *no* user is ever going to stick a CD in the drive, and then say "Well, that was fun" and then take the CD back out and throw it away. They're putting it in to install software! And if they're putting a CD in that doesn't have a setup.exe, then there's not going to be an autorun.
  I use autorun for my customers. I have multiple install scripts depending on the type of computer and dependencies. I'd rather change an autorun.inf than explain which setup to run to my customers. I'm getting paid to automate tasks (my software is basically an automated testing suite). If Windows forces my users to run setups themselves, its making everyone's life more difficult.
  If you think autorun is a security threat, you can already disable it. At least make it a choice.
18. Re:Erm.....What the hell? by Thinboy00 · 2009-04-29 13:12 · Score: 3, Insightful
  
  I'm not very familiar with KDE history, but if I had to guess I'd say MS shamelessly ripped that off...
  
  --
  $ make available
19. Re:Erm.....What the hell? by Thinboy00 · 2009-04-29 13:13 · Score: 3, Insightful
  
  No, Sony got in HUGE trouble for that (not sure if it was legal trouble, but after the public outcry, they recalled EVERYTHING and IIRC a court may have ordered them to do more or something...?).
  
  --
  $ make available
20. Re:Erm.....What the hell? by FrankieBaby1986 · 2009-04-29 17:32 · Score: 2, Insightful
  
  Here, here, and this applies to cars very well, too. You absolutely must know how to maintain them. And that can be as little as recognizing your light is out, wipers are old (dried out), etc. Or at least get the freaking snow off your roof before you drive! (one of my peeves about dumb drivers in the winter: an icy, snowy roof is dangerous to drivers behind you).
  
  Ditto for knowing how to use a computer responsibly and not becoming a bothost and placing other people's computer's at risk.
  
  --
  ERROR: SIG NOT FOUND (A)bort, (R)etry, (F)ail?:
21. Re:Erm.....What the hell? by k.a.f. · 2009-04-29 19:10 · Score: 2, Insightful
  
  Why should those people who are using computers as tools (in the same way they would use a car, lawnmower, or vibrator) have to know anything at all about how it works, where content is stored, etc?
  Because misusing your computer connected to a worldwide network can do harm to uncounted others, while misusing your lawnmower/vibrator will only screw up your own lawn/body. Misusing your car, on the other hand... guess which of your three examples we regulate the hell out of?
22. Re:Erm.....What the hell? by MightyYar · 2009-04-30 00:30 · Score: 2, Insightful
  
  This is exactly why a CLI is better than a GUI.
  Actually, they are exactly the same. You can remember an exact name, or you can remember an exact location. Some brains do better with location and some with names... just a preference thing.
  Anyway, modern GUIs all have some sort of "find" function that makes it very easy to just type the application name. Mac has Spotlight... just type Command-Spacebar and then the application name and then Return. Most of the time you don't even have to enter the entire name. Vista has a very similar item in the Start menu.
  
  --
  W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
Almost, but not quite by sqlrob · 2009-04-29 09:32 · Score: 3, Insightful

Since non-writable media such as CD-ROMs generally aren't avenues for malicious software propagation
Because no that's infected ever burns a CD, nope, never.
1. Re:Almost, but not quite by 77Punker · 2009-04-29 09:50 · Score: 2, Insightful
  
  What about someone who intentionally creates a malicious autorun and distributes a CD-R? How about a virus that adds its own autorun to every disc burned by its host system?
  It's still a huge problem and the fact that they removed it from other media demonstrates that they don't understand all of the attack vectors.
  One more thing: virus scanners are a joke.
Finally by Capt.DrumkenBum · 2009-04-29 09:34 · Score: 2, Insightful

It is about bloody time too.
It only took Microsoft 14 years to fix this massive security hole.

--
If I were God, wouldn't I protect my churches from acts of me?
Getting around this will be difficult? by gringofrijolero · 2009-04-29 09:39 · Score: 3, Insightful

I don't think so. Just tell the user to double click the setup.exe icon if it doesn't run automatically. Gotta turn off autorun in the user's brain.

--
Todos mis movimientos están friamente calculados
It's done right in Ubuntu by Benanov · 2009-04-29 09:45 · Score: 5, Insightful

Not sure exactly what's doing it, but in my Ubuntu and gNewSense installs:
If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.
Seemed to be pretty sensible really. I mean *I* inserted the CD, so I expect something to happen.
1. Re:It's done right in Ubuntu by Tetsujin · 2009-04-29 09:58 · Score: 2, Insightful
  
  Not sure exactly what's doing it, but in my Ubuntu and gNewSense installs:
  If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.
  Seemed to be pretty sensible really. I mean *I* inserted the CD, so I expect something to happen.
  This kind of thing always drove me crazy, and still does. Like sometimes I'll take a CD out of the drive to put another one in - and then when I'm done with the second one I'll put the first one back in 'cause I don't know where the case is. The fact that I put that first CD back in the drive doesn't mean I want to run it...
  
  --
  Bow-ties are cool.
2. Re:It's done right in Ubuntu by Anonymous Coward · 2009-04-29 10:29 · Score: 5, Insightful
  
  The fact that you're using a CD drive as a jewel case pretty much invalidates any opinion you may have on this matter.
Sony CD by cant_get_a_good_nick · 2009-04-29 09:49 · Score: 4, Insightful

Didn't Sony install rootkits as part of CD insertion/autoRun? CD-ROMs are a vector for malware.
Also, I remember some website getting sued because they mentioned how to disable autorun, effectively disabling their anti-copy rubbish. So will Microsoft be sued for removing this?
Uhhhh by Idiomatick · 2009-04-29 09:55 · Score: 1, Insightful

I don't see the problem so many people are having. In XP+ when you put in a CD/flash/w/e you get a windows menu popup saying do you want to open in the browser or play in your media player or w/e. This seems perfectly reasonable. No code is being executed off the disk so no security hole. If you want the CD to run a splash or w/e it is one click. If you want to browse it one click. And it can be set to remember your answer for different devices. I completely fail to see the problem with that.

If this does mean that they are breaking U3 drives I'm happy for the change mind you.
startup by robvangelder · 2009-04-29 10:42 · Score: 2, Insightful

another good idea is reduce the number of "run on startup" lists to one. theres a billion options for running your stuff on startup. should be just one place.
while im ranting, i hate that i've got two processes in task manager called rundll32.exe that i havent a clue what they do
1. Re:startup by Blakey+Rat · 2009-04-29 11:17 · Score: 2, Insightful
  
  another good idea is reduce the number of "run on startup" lists to one. theres a billion options for running your stuff on startup. should be just one place.
  To be fair, there should be two. One for services (which don't necessarily need a logged-in user), one for desktop applications (which do).
  But yah, I agree generally.
  
  --
  Comment of the year
Re:Enable it by blueg3 · 2009-04-29 13:41 · Score: 2, Insightful

In which case the malware is already running on the machine. Considering the point of adding your malware to autorun was to get it running on the machine, I'm not sure this is a significant security risk.
Nobody has a problem with the feature being there by symbolset · 2009-04-29 13:42 · Score: 2, Insightful

And they're not removing the feature. They're just making sure the default is "off". It's the sensible thing to do.
If you're secure enough about what's on the disks/pendrives/cameras/network shares you mount to use it then by all means turn it back on. But that ought not be the default because not everybody is at that level.
I'm not one to praise Microsoft usually, but this is a move in the right direction.

--
Help stamp out iliturcy.
Re:any USB plug-in device is insecure, period by blueg3 · 2009-04-29 14:00 · Score: 2, Insightful

In your scenario, you are plugging a physical device of your own design into the target machine, either personally or by distributing it to unsuspecting users.
The real attack scenario of interest is malware that propagates by adding itself (and autorun settings to launch itself) to USB storage devices provided by the unsuspecting user. You don't get to choose the physical device, only write to its filesystem.
wrong tree? by Tom · 2009-04-29 19:36 · Score: 3, Insightful

Wake me when they disable "autorun" for E-Mails.
Seriously, when's the last time you heard about 100,000 PCs getting infected by malware on a USB stick?
It's certainly a good step, but the problem it solves pales compared to pretty much everything else that windos has burdened itself with over the past decade or so.

--
Assorted stuff I do sometimes: Lemuria.org
Re:sandisk? by JustNiz · 2009-04-30 04:59 · Score: 2, Insightful

Yeah I will never buy another Sandisk USB drive because they do this crazy thing of also having a small ROM in there that appears as a second drive that has an autroun that installs Sandisk 32-bit windows drivers and bloatware every time you plug the disk in, even on a 64-bit os. Needless to say the drivers and bloatware are completely unnecessary to access the drive itself.
You can disable autorun but cannot do anything to stop the read-only drive appearing and being mounted. To make it even more annoying, the small read-only drive gets the first available (lower) drive letter than the real drive.
Whatever marketing moron at Sandisk though that this was a good idea should be castrated (Preferably with a rusty knife) in an attempt to ensure he can't pollute the human gene pool further.