Slashdot Mirror


Microsoft To Disable Autorun

jchrisos writes "Microsoft is planning to disable autorun in the next Release Candidate of Windows 7 and future updates to Windows XP and Vista. In order to maintain a 'balance between security and usability,' non-writable media will maintain its current behavior however. In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction. Will be interesting to see what malware creators do to get around this ..."

82 of 429 comments

  1. Erm.....What the hell? by Sj0 · · Score: 5, Insightful

    Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.

    --
    It's been a long time.
    1. Re:Erm.....What the hell? by Moryath · · Score: 4, Interesting

      Has to do with crap like this - the theory goes that you may WANT to have an autorun from them for legit reasons (movie on a "read only" flash disk, or a "plug this hard drive in and automatically launch Program X" setup).

      Hell, without this, those "U3 Enabled" flash drives (yeah I know, gag puke awful crap software) are even harder to use too. They use a single partition with the U3 software, autoboot it, check for you entering your "password", and only then will it decrypt the OTHER partition on the drive for you.

      See where this is going?

    2. Re:Erm.....What the hell? by Anonymous Coward · · Score: 3, Insightful

      Microsoft wanted a computer to be an appliance. The person operating it didn't have to know much. When it got older, you bought a new one. Want your new camera to work? Plug it in and insert cd. Want an external hard drive you just plug in and it backs up your stuff? You got it. Want to watch tv on your computer? Plug it in the usb slot, plop the cd in the drive and you're good to go. Good idea. However, the real world doesn't play with good ideas very well.

    3. Re:Erm.....What the hell? by Sj0 · · Score: 3, Insightful

      The risk is too obvious and too stupid to take.

      A menu pops up with this stuff anyway: "Hey, want to open this folder?", so it's not like you're doing anything more than adding exactly one step.

      --
      It's been a long time.
    4. Re:Erm.....What the hell? by Midnight+Thunder · · Score: 4, Insightful

      Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.

      A compromise would have been to ask the user, but disabling it completely is probably better, since it will avoid stuff like the Sony Root kit, being installed by a clueless user. After all:

      Computer: "Do you want to do xyz? It may break your computer."
      User: clicky, clicky "Why yes of course"

      --
      Jumpstart the tartan drive.
    5. Re:Erm.....What the hell? by Anonymous Coward · · Score: 5, Funny

      suddenoutbreakofswineflu
      WTF?

    6. Re:Erm.....What the hell? by Sj0 · · Score: 4, Informative

      CD is read-only, thus not applicable.

      --
      It's been a long time.
    7. Re:Erm.....What the hell? by Red+Flayer · · Score: 5, Funny

      Why wasn't this the default to begin with?

      In the beginning, there was a User.

      This User did not possess the special knowledge of the Priests of the Cult of Computers.

      This User was granted divine Manna from heaven in the form of a shining disc with an outer shell of a transparent horn-like material.

      "Lo!" said he, "I have found the Sacred Tablet of AOL!"

      And he put the Tablet in the Slot of Curious Whirrings, and nothing happened. And this was Good.

      But the User was unhappy, and complained to the Disciples of AOL, that the sacred disc of AOL was defective.

      And so the Disciples of AOL conferred with the Disciples of Borg.

      Now, the Disciples discipled for a while, and determined that the User could never be trusted to grok the mysteries of "Drive D". The Disciples agreed, also it was bothersome and unholy, to be summoned each time a Tablet was delivered by divine provenance to another User. And so Autorun was created.

      Verily, the User could place the Sacred Tablet of AOL in the Slot of Curious Whirrings, and without any further discipling by the Disciples, could run AOL.

      And thus were the Demons of AOL unleashed upon the world together with the Lord of PC Plague and Pestilence, he-who-should-not-be-named-but-nevertheless-I-will, Autorun.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    8. Re:Erm.....What the hell? by Twillerror · · Score: 3, Insightful

      Not entirely true. When I plug in my camera and a little popup comes up I really like that. Why...because it's not exactly what program I'd like to launch. Most of the time I just want to get at the file system and copy and paste over the files.

      Then there is my wife who would be completely lost without the auto run that cameras present users with.

      When USB drives plug in sometimes they auto run management software which could include faster drivers or encryption utilities. I don't want the option for this lost.

      The problem to me is not that it auto runs, but that it doesn't require any sort of user involvement. I like auto run cds...except when I don't want it. I know I can hold down shift to get around it, but if I forget or my arms are too short to do both at the same time I'm boned.

      If there is a use case (even if you don't see the need) for this then we need to try to continue to support it. My guess is someone thought of a GOOD use for it. I don't want my entire computer experience to be dictated by virus writers and boring programmers. It's like saying we can't fly on jets because someone could fly them into buildings...figure out how to stop people from flying into buildings...not stop flying.

    9. Re:Erm.....What the hell? by Feanturi · · Score: 5, Insightful

      That's only if there isn't an autorun.inf pointing to an executable. If there is, it runs that instead of showing the "What do you want to do?" dialog. Only having autorun disabled will protect you from that. What would be good is if it was disabled by default, but could be turned on for select "trusted" flash drives. Or, just a thought, maybe people could learn a bit about how to use a computer and not have to have it do all the driving. Nothing wrong with learning to open an Explorer window, then navigating to a drive to access something on it. What a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.

    10. Re:Erm.....What the hell? by EvanED · · Score: 5, Insightful

      Or, just a thought, maybe people could learn a bit about how to use a computer and not have to have it do all the driving. Nothing wrong with learning to open an Explorer window, then navigating to a drive to access something on it. What a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.

      As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

      I think Vista's "always autoplay, never autorun" (if I got those names right) scheme works really well.

    11. Re:Erm.....What the hell? by RzUpAnmsCwrds · · Score: 4, Informative

      A compromise would have been to ask the user

      This is exactly what Vista does. The problem is that you can customize the icon for the "run" operation, and malware authors got clever and used the folder icon. If you weren't paying attention, you might click the wrong option and install the malware (although there's also a UAC prompt to get through on Vista).

    12. Re:Erm.....What the hell? by thePowerOfGrayskull · · Score: 4, Insightful

      What a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.

      Why should those people who are using computers as tools (in the same way they would use a car, lawnmower, or vibrator) have to know anything at all about how it works, where content is stored, etc?

      The best system is one that just does what you want it to do, without distracting you from your task by making you think about it. That holds equally true for computers, windshield wipers, and toilet paper.

    13. Re:Erm.....What the hell? by Darkness404 · · Score: 4, Insightful

      And remember the Sony rootkit fiasco? That's no better or worse than something you might catch from popping a pirated CD or DVD (the ones you buy for $1 off the streets).

      Except for the fact the Antivirus you paid $80 for will catch the malware that came off the CDs and DVDs but believes that the Sony Rootkit is "legitimate" and leaves it alone.

      --
      Taxation is legalized theft, no more, no less.
    14. Re:Erm.....What the hell? by supernova_hq · · Score: 4, Informative

      Those U3 enabled flash drives will STILL autorun. The second partition is made to appear to be a cdrom to windows, which means that windows will still autorun the crap they put on there.

      Not only that, but this will give sandisk a semi-legit reason to partition those bloody things. To this day, the ONLY way to get rid of that damn partition is using a windows utility, and that doesn't even work half the time!

    15. Re:Erm.....What the hell? by Bert64 · · Score: 2, Interesting

      Modern systems come with cd/dvd recorders by default...
      A piece of malware could hijack your burning apps and add itself to any optical media you burn.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    16. Re:Erm.....What the hell? by mooingyak · · Score: 5, Funny

      You're a disciple of AOL.

      --
      William of Ockham had no beard. The most likely explanation is that it was chewed off by squirrels every morning.
    17. Re:Erm.....What the hell? by Happler · · Score: 5, Insightful

      I have met people who do not think about toilet paper and they stink. I am a firm believer that people should have at least a basic understanding of what tools they are using. Knowing the basics of windshield wipers means that you can purchase and change them yourself (and pay less in the long run). Knowing the basics of computers means that you will, at least, help minimize the amount of damage you do to your computer via virus, malware, stupid user tricks, etc. I have worked too much tech support to encourage systems that do everything for the user. It just creates more problems than it is worth.

    18. Re:Erm.....What the hell? by Nerdfest · · Score: 2, Insightful

      It's still an infection vector.

    19. Re:Erm.....What the hell? by Cajun+Hell · · Score: 5, Insightful

      The best system is one that just does what you want it to do

      Autorun isn't intended to do what users want it to do. Close, but not quite. Autorun is intended to do what ..
      .. .. somebody .. ..
      .. wants it to do. That person is never the user, unless the user wrote the autorun script. That person may have the user's interests at heart.

      --
      "Believe me!" -- Donald Trump
    20. Re:Erm.....What the hell? by Tanktalus · · Score: 4, Insightful

      No other device stores nearly so much of a user's information as a computer. Except maybe a filing cabinet, and you damned well better know where to find your information there, because there's no "grep" tool for that!

      All I'm saying is that analogising a computer against a lawn mower may break down for some things. And this might just be one of them.

      I don't expect a user to be able to write a program, or even a script, or even a batch file. But I do expect them to know where they store their stuff insofar as its similarities to a set of filing cabinets goes.

    21. Re:Erm.....What the hell? by maxume · · Score: 2, Interesting

      But is autoplay/autorun an automatic turn signal or is it a starter motor?

      --
      Nerd rage is the funniest rage.
    22. Re:Erm.....What the hell? by adisakp · · Score: 5, Informative

      As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

      I think Vista's "always autoplay, never autorun" (if I got those names right) scheme works really well.

      Autorun does work really well... at installing rootkits on your machine from Sony/BMG CD's.

    23. Re:Erm.....What the hell? by Toonol · · Score: 5, Interesting

      As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

      Computers are HORRIBLE at deciding what is safe to run and what isn't. That's the central security problem, and it probably won't be solved until we have strong AI.

    24. Re:Erm.....What the hell? by Hatta · · Score: 2, Insightful

      As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

      Computers are good at deciding whether or not you can trust a piece of software? What algorithm would you use for that?

      --
      Give me Classic Slashdot or give me death!
    25. Re:Erm.....What the hell? by nicolas.kassis · · Score: 5, Funny

      Humans are HORRIBLE at deciding what is safe to run and what isn't. That's the central security problem, and it probably won't be solved until we have intelligence.

      there fixed that for you

    26. Re:Erm.....What the hell? by Animaether · · Score: 3, Informative

      except that he gave the example of Windows Vista as actually getting things fairly right.

      DVD video, CD audio -> autoplay OK
      USB/PhotoCD, CD/DVD with just images -> autoplay OK
      USB/CD/DVD with autorun specifying an executable -> DO NOT AUTORUN.

      Within 'do not autorun' you even get choices...
      A. Ask me what the flippant to do
      B. Do nothing whatsoever.

      Option A is perfectly sane. The only problem is in the presentation. People exploit the fact that one of the usual options is the 'browse disc' thing. They use the same icon, give it the same name, it appears at the top and voila.. people think that's the regular ol' browse disc option but in reality they end up running nefarious software.

      Autorun/Autoplay are not the issue given the above - the design of that dialog asking you what to do *is*.

      The new method sucks monkeyballs. Thankfully there's third-party autorun utilities and I'll be installing one of those once I land on Windows Se7en.
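Added example (not part of any comment in this thread): a small auditor for the two behaviours described above, an `autorun.inf` that points at an executable, and an AutoPlay entry dressed up as the "browse disc" option. The sample files are constructed, and the look-alike label pattern and the list of system icon libraries are assumptions chosen for illustration.

```python
"""Audit autorun.inf text: does it launch a program, and does it imitate the
stock 'open folder' AutoPlay choice? Heuristics here are illustrative assumptions."""
import re

# [autorun] keys whose value is something Windows will execute.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command adds a context-menu verb that runs a command.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")
# Assumed pattern for action= text that reads like the built-in browse entry.
LOOKALIKE_LABEL = re.compile(
    r"\b(open|browse|view|explore)\b.*\b(folder|files|disc|disk)\b", re.I)
# Assumed list: system libraries that hold stock icons such as the folder icon.
SYSTEM_ICON_LIBS = ("shell32.dll", "imageres.dll")


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased."""
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def audit(text):
    """Return findings as (kind, key, value) tuples, execution entries first."""
    findings, label, icon = [], None, None
    for key, value in parse_autorun(text):
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            findings.append(("executes", key, value))
        elif key == "action":
            label = value
        elif key == "icon":
            icon = value
    if not findings:
        return findings            # label/icon alone run nothing
    if label and LOOKALIKE_LABEL.search(label):
        findings.append(("lookalike-label", "action", label))
    if icon:
        # icon=<file>[,index]; compare only the file name component.
        icon_file = icon.split(",")[0].replace("/", "\\").rsplit("\\", 1)[-1]
        if icon_file.lower() in SYSTEM_ICON_LIBS:
            findings.append(("system-icon", "icon", icon))
    return findings


def verdict(text):
    """Collapse findings into 'inert', 'runs-program' or 'spoofed-prompt'."""
    kinds = {kind for kind, _, _ in audit(text)}
    if not kinds:
        return "inert"
    if kinds & {"lookalike-label", "system-icon"}:
        return "spoofed-prompt"
    return "runs-program"


# --- Constructed samples (not taken from any real media) ---
SPOOFED = r"""
[AutoRun]
; entry labelled and iconed to look like the normal browse option
open=tools\setup.exe /quiet
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
shell\explore\command=tools\setup.exe
"""

VENDOR_DISC = r"""
[autorun]
open=setup.exe
label=Test Suite Installer
icon=setup.exe,0
action=Install Test Suite
"""

DATA_ONLY = r"""
[autorun]
label=Holiday Photos
icon=photos.ico
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("vendor", VENDOR_DISC),
                         ("data-only", DATA_ONLY)):
        print(name, "->", verdict(sample))
        for finding in audit(sample):
            print("   ", finding)
```

A `runs-program` verdict is what a legitimate installer disc produces too, so it is a reason to look at the target of `open=`, not a malware verdict on its own.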

    27. Re:Erm.....What the hell? by DragonWriter · · Score: 2, Insightful

      Autorun isn't intended to do what users want it to do. Close, but not quite. Autorun is intended to do what .. .. .. somebody .. .. .. wants it to do. That person is never the user, unless the user wrote the autorun script.

      Or, unless the user deliberately enabled autorun and deliberately put the media in the drive/slot/etc. What the user wants can be "whatever the creator of the autorun script on this drive programmed", after all.

    28. Re:Erm.....What the hell? by Fumus · · Score: 4, Informative

      In Vista you can go: Press Start button, type "word", hit enter. And you open MS Word using a CLI-like interface.

    29. Re:Erm.....What the hell? by rnelsonee · · Score: 3, Insightful

      If we're talking about CD's, then the user is already assuming the script writer has their best interests at heart - why else would they be sticking the CD in the drive? All disabling autorun does is make it harder for users, because *no* user is ever going to stick a CD in the drive, and then say "Well, that was fun" and then take the CD back out and throw it away. They're putting it in to install software! And if they're putting a CD in that doesn't have a setup.exe, then there's not going to be an autorun.

      I use autorun for my customers. I have multiple install scripts depending on the type of computer and dependencies. I'd rather change an autorun.inf than explain which setup to run to my customers. I'm getting paid to automate tasks (my software is basically an automated testing suite). If Windows forces my users to run setups themselves, it's making everyone's life more difficult.

      If you think autorun is a security threat, you can already disable it. At least make it a choice.

    30. Re:Erm.....What the hell? by shutdown+-p+now · · Score: 5, Funny

      Autorun does work really well... at installing rootkits on your machine from Sony/BMG CD's.

      This made me wonder if Sony will now sue Microsoft for producing software that circumvents their copy protection.

    31. Re:Erm.....What the hell? by HTH+NE1 · · Score: 4, Funny

      I have met people who do not think about toilet paper and they stink.

      Who needs toilet paper when you have three seashells?

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    32. Re:Erm.....What the hell? by EvanED · · Score: 2, Interesting

      OTOH, if Windows just launches it for you, or prompts you to do it, you're just hosed....

      Agreed on the first, but disagreed on the second.

      Here's my reasoning. Why are you inserting an unknown flash drive anyway? Probably to figure out what's on it. So if Windows didn't prompt, you're probably going to look around the drive anyway, and probably come across the program that the autoplay window in Vista would prompt you to run. If you say "run this program" in the autoplay window, why wouldn't you say "run this program" when you come across it on the disk?

      In fact, I'd say that the situation is exactly the reverse. If I saw some untrusted media try to autorun something, I'd be more suspicious of it than if I just stumbled across the program on the drive when looking through. Furthermore, it's a little more resistant to obfuscation by hiding the .exe extension and stuff, since if it asks you to autorun something, you know it's a program.

      (This is written from the point of view of a user who isn't clueless. For someone who is careless or ignorant or whatever, I'll acknowledge that prompting is probably more prone to result in the program getting run. That'd be reason to maybe change the default, but if MS did do that, I'd set it back to Vista's current default.)

    33. Re:Erm.....What the hell? by EvanED · · Score: 2, Informative

      Who verifies the signature? Who verifies the verifiers? What stops a signature from being faked?

      if you're going to be paranoid about these things, you might as well be all-the-way paranoid.

      Yes, because after all, if we can't make it IMPOSSIBLE to crack, we might as well not make it rather harder?

      BTW, most Linux package managers now check signatures on the packages they install. You know why? Because it's a damn good idea. It eliminates most attack vectors and it eliminates almost all of the easily-attackable attack vectors.

      (MS is using signatures a bit differently than the Linux folks are, but many of the same principles and benefits apply.)

    34. Re:Erm.....What the hell? by Thinboy00 · · Score: 3, Insightful

      I'm not very familiar with KDE history, but if I had to guess I'd say MS shamelessly ripped that off...

      --
      $ make available
    35. Re:Erm.....What the hell? by Thinboy00 · · Score: 3, Insightful

      No, Sony got in HUGE trouble for that (not sure if it was legal trouble, but after the public outcry, they recalled EVERYTHING and IIRC a court may have ordered them to do more or something...?).

      --
      $ make available
    36. Re:Erm.....What the hell? by nabsltd · · Score: 2, Interesting

      If Windows would actually join the 1980s and have decent support for virtual desktops that would alleviate a lot of that, but even in KDE or Gnome it's often the case that I have stuff open on all of the desktops and would still have to move things. (On the tiling WM I'm using now, awesome, I've got 32 virtual desktops on each monitor, about 1/3 of which are usually used, so there getting to an open desktop would be pretty easy.)

      The Windows NT 3.1 Resource Kit included a program called TopDesk which still works fine with everything up through XP. It does the same sort of multiple desktop system that your link shows.

      I run with an 11x3 layout, so that's 33 total desktops. Windows can be set to follow you to the current desktop, or stay where they were as you switch. You can also have "ghosts", which allow you to force a particular program to always start up on a particular desktop.

    37. Re:Erm.....What the hell? by rtb61 · · Score: 3, Interesting

      As an interesting side point on that issue, M$ knew all about Sony's root kit prior to it being released in fact they were involved in evaluating it and it was a M$ advertising blogger who announced it to the world not long after it was released and of course just prior to the release of the playstation 3, ahh, the wonderful world of modern marketing techniques.

      --
      Chaos - everything, everywhere, everywhen
    38. Re:Erm.....What the hell? by im_thatoneguy · · Score: 4, Interesting

      CLIs are great IF you know the command to launch it.

      What if you type in Word. Do you get MS Word or WordPad or Word Search?

      What if you don't know the program's name ("Writer" comes to mind) but you know it's a part of Open Office? What if you don't know anything about the program but would recognize it if you saw it?

      The list of things on a computer which a person should know the correct command to launch are very few. Vista's: Windows Key -> "Search Phrase" -> Enter. System seems to be the best. You can search or if you can't find it then look through your program list. It's the best of both worlds.

      Now the worst place for a CLI is anywhere the user doesn't know 'what they can do'. If you launch a CL program you're presented with no possibilities. You have no idea what the program can do. It's like driving up to a drive through without a menu. You can start quizzing the person on the other end of the little box what they offer but a nice photo menu is the fastest way to absorb data.

    39. Re:Erm.....What the hell? by EvanED · · Score: 2

      As an interesting side point on that issue, M$ knew all about Sony's root kit prior to it being released in fact they were involved in evaluating it

      [citation needed]

      Wikipedia has no mention of such a thing in a reasonably complete article on the rootkit controversy.

      ...it was a M$ advertising blogger who announced it to the world not long after it was released

      1) Mark Russinovich (the guy who broke the news) discovered it on his own (he described how in his blog)
      2) Russinovich wasn't an MS employee at the time he broke the news, and didn't start working there for a few months afterward
      3) Calling him an "M$ advertising blogger" is, to a fair extent, being a dishonest troll

    40. Re:Erm.....What the hell? by ipX · · Score: 2, Funny

      This made me wonder if Sony will now sue Microsoft for producing software that circumvents their copy protection.

      No, Sony got in HUGE trouble for that (not sure if it was legal trouble, but after the public outcry, they recalled EVERYTHING and IIRC a court may have ordered them to do more or something...?).

      **whoosh**

    41. Re:Erm.....What the hell? by FrankieBaby1986 · · Score: 2, Insightful

      Hear, hear, and this applies to cars very well, too. You absolutely must know how to maintain them. And that can be as little as recognizing your light is out, wipers are old (dried out), etc. Or at least get the freaking snow off your roof before you drive! (one of my peeves about dumb drivers in the winter: an icy, snowy roof is dangerous to drivers behind you).

      Ditto for knowing how to use a computer responsibly and not becoming a bothost and placing other people's computers at risk.

      --
      ERROR: SIG NOT FOUND (A)bort, (R)etry, (F)ail?:
    42. Re:Erm.....What the hell? by k.a.f. · · Score: 2, Insightful

      Why should those people who are using computers as tools (in the same way they would use a car, lawnmower, or vibrator) have to know anything at all about how it works, where content is stored, etc?

      Because misusing your computer connected to a worldwide network can do harm to uncounted others, while misusing your lawnmower/vibrator will only screw up your own lawn/body. Misusing your car, on the other hand... guess which of your three examples we regulate the hell out of?

    43. Re:Erm.....What the hell? by MightyYar · · Score: 2, Insightful

      This is exactly why a CLI is better than a GUI.

      Actually, they are exactly the same. You can remember an exact name, or you can remember an exact location. Some brains do better with location and some with names... just a preference thing.

      Anyway, modern GUIs all have some sort of "find" function that makes it very easy to just type the application name. Mac has Spotlight... just type Command-Spacebar and then the application name and then Return. Most of the time you don't even have to enter the entire name. Vista has a very similar item in the Start menu.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  2. Almost, but not quite by sqlrob · · Score: 3, Insightful

    Since non-writable media such as CD-ROMs generally aren't avenues for malicious software propagation

    Because no one that's infected ever burns a CD, nope, never.

    1. Re:Almost, but not quite by 77Punker · · Score: 2, Insightful

      What about someone who intentionally creates a malicious autorun and distributes a CD-R? How about a virus that adds its own autorun to every disc burned by its host system?

      It's still a huge problem and the fact that they removed it from other media demonstrates that they don't understand all of the attack vectors.

      One more thing: virus scanners are a joke.

    2. Re:Almost, but not quite by petermgreen · · Score: 2, Interesting

      But flash sticks are a good vector for spreading malware and an annoying proportion of the flash sticks I see are sandisk U3 devices. How long will it be until malware manages to insert itself into the "CD emulation" section of a U3 device?

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  3. get around this? by BigBuckHunter · · Score: 4, Interesting

    @ Will be interesting to see what malware creators do to get around this ..."

    Attrib -w? Flip the Writeprotect dword in StorageDevicePolicies?

    BBH

    1. Re:get around this? by Swizec · · Score: 5, Funny

      You seem to be implying that there is such a thing as a windows machine without malware ...

  4. Re:Heads Up Tech Support by Sj0 · · Score: 3, Informative

    CD is read-only, thus not applicable. RTFS.

    --
    It's been a long time.
  5. Re:Heads Up Tech Support by TheSovereign · · Score: 2, Informative

    non writable media will maintain current behavior. pray attention.

  6. Finally by Capt.DrumkenBum · · Score: 2, Insightful

    It is about bloody time too.
    It only took Microsoft 14 years to fix this massive security hole.

    --
    If I were God, wouldn't I protect my churches from acts of me?
  7. Getting around this will be difficult? by gringofrijolero · · Score: 3, Insightful

    I don't think so. Just tell the user to double click the setup.exe icon if it doesn't run automatically. Gotta turn off autorun in the user's brain.

    --
    Todos mis movimientos están friamente calculados
  8. It's done right in Ubuntu by Benanov · · Score: 5, Insightful

    Not sure exactly what's doing it, but in my Ubuntu and gNewSense installs:

    If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.

    Seemed to be pretty sensible really. I mean *I* inserted the CD, so I expect something to happen.

    1. Re:It's done right in Ubuntu by EvanED · · Score: 5, Informative

      If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.

      That's what Vista does too... I actually really like that behavior. It's almost as convenient as autoplay is, but without the security risk. (Well, for good users.)

    2. Re:It's done right in Ubuntu by Tetsujin · · Score: 2, Insightful

      Not sure exactly what's doing it, but in my Ubuntu and gNewSense installs:

      If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.

      Seemed to be pretty sensible really. I mean *I* inserted the CD, so I expect something to happen.

      This kind of thing always drove me crazy, and still does. Like sometimes I'll take a CD out of the drive to put another one in - and then when I'm done with the second one I'll put the first one back in 'cause I don't know where the case is. The fact that I put that first CD back in the drive doesn't mean I want to run it...

      --
      Bow-ties are cool.
    3. Re:It's done right in Ubuntu by Anonymous Coward · · Score: 5, Insightful

      The fact that you're using a CD drive as a jewel case pretty much invalidates any opinion you may have on this matter.

  9. In other news... by MachineShedFred · · Score: 4, Funny

    Sony Music has announced a lawsuit against Microsoft using the DMCA, claiming that the new software patch circumvents horribly inadequate copyright protection.

    --
    Slashdot still doesn’t support Unicode after it was added to the HTML standard in 1997.
  10. FTFA: by V!NCENT · · Score: 4, Funny

    In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction.

    Whoa...! Wait... they had autorun there too?!?! Dear god...

    --
    Here be signatures
    1. Re:FTFA: by Hi_2k · · Score: 3, Interesting

      Yes, mapping a windows network share would indeed cause autorun.inf to be read.

      --
      When life gives you crap, Make Crapade.
      Sluggy Freelance.
  11. Sony CD by cant_get_a_good_nick · · Score: 4, Insightful

    Didn't Sony install rootkits as part of CD insertion/autoRun? CD-ROMs are a vector for malware.

    Also, I remember some website getting sued because they mentioned how to disable autorun, effectively disabling their anti-copy rubbish. So will Microsoft be sued for removing this?

  12. any USB plug-in device is insecure, period by evangellydonut · · Score: 4, Interesting

    take any USB controller, have it emulate a Human Interface Device (aka keyboard), use it for the keystrokes of "windows, up, up, up, enter, virus-website, enter" and it's game over. you can do the same on Mac, just a tad more difficult.

    1. Re:any USB plug-in device is insecure, period by blueg3 · · Score: 2, Insightful

      In your scenario, you are plugging a physical device of your own design into the target machine, either personally or by distributing it to unsuspecting users.

      The real attack scenario of interest is malware that propagates by adding itself (and autorun settings to launch itself) to USB storage devices provided by the unsuspecting user. You don't get to choose the physical device, only write to its filesystem.

  13. Play button by fishizzle · · Score: 4, Interesting

    CD-ROMs could have kept the common "Play button" interface from the beginning. Everyone knew this procedure. You insert a VHS into a VCR, you press play. You insert a cassette tape into a Walkman, you press play. CD into a CD player, press play. When the CD-ROM came out, wouldn't it logically follow to insert the CD-ROM, then press the "Play button" to execute any "autorun" functionality? That way it's a user-initiated event, but one that your entire target audience is already going to be familiar with. And the users who weren't intent on "playing" the CD-ROM don't press the play button and can go about, uninterrupted, copying it or navigating the file system as they intended. It's not a huge deal, but I just find it odd that Microsoft's implementation of "Autorun" was the solution to this "problem" back in the day.

    1. Re:Play button by noidentity · · Score: 2, Interesting

      CD-ROMs could have kept the common "Play button" interface from the beginning. Everyone knew this procedure. You insert a VHS into a VCR, you press play.

      Actually, VHS players automatically start playing read-only cassettes (and once they reach the end, rewind and then eject them). Pre-recorded tapes have the write-enable tab broken off.

  14. Re:Work around in 3..2...1.... by PitaBred · · Score: 2, Informative

    Pay $0.03 more per disc and most of that stops. I've found that there are quite a few discs out there that are too cheap, they just don't work.

  15. Re:Heads Up Tech Support by adolf · · Score: 2, Informative

    Activate? The...software?

    Eh?

    On my U3 drives (both of them), the following would happen upon insertion:

    Loading drivers
    Found USB hub!
    Loading drivers
    Found USB mass storage device!
    Loading drivers
    Found USB CD-ROM!

    The drives that appear are as follows:

    A regular read/write USB flash drive, empty except for whatever I've put into it
    A read-only CD-ROM

    After the drivers all load (automatically and without intervention, under most Windowses), it would autorun the virtual CD drive as configured in Windows.

    Of course, I now have U3 disabled (more because I find no need for it, than because it is somehow evil), but that's how it worked for me.

  16. startup by robvangelder · · Score: 2, Insightful

    Another good idea is to reduce the number of "run on startup" lists to one. There's a billion options for running your stuff on startup. Should be just one place.

    While I'm ranting, I hate that I've got two processes in task manager called rundll32.exe that I haven't a clue what they do

    1. Re:startup by Blakey+Rat · · Score: 2, Insightful

      Another good idea is to reduce the number of "run on startup" lists to one. There's a billion options for running your stuff on startup. Should be just one place.

      To be fair, there should be two. One for services (which don't necessarily need a logged-in user), one for desktop applications (which do).

      But yah, I agree generally.

  17. Re:Hide extensions for known file types by sexconker · · Score: 2, Funny

    With a name like readme, NO ONE will open up that shit!

  18. missing tag: by Ralph+Spoilsport · · Score: 3, Funny

    tookthemlongenough

    --
    Shoes for Industry. Shoes for the Dead.
  19. Re:Hunt and peck by mysidia · · Score: 2

    Don't use hunt and peck typing, use proper typing. Starting a program using a KB is a lot faster than using a mouse.

  20. Disable autorun registry key by foodnugget · · Score: 2, Interesting

    Here's a link to disable autorun on 2k and XP for real. You won't get a prompt for what to do, the system won't try to do anything with a USB key or CD-ROM or removable drive. I recommend it to anyone who has to put other people's USB drives in their systems. http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-Autorun-attacks

  21. Do it yourself (all the way) by MrLint · · Score: 2, Informative

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    "NoDriveTypeAutoRun"=dword:000000ff

    Save that to a reg file. Disables autoplay system wide for all devices.

    Please see http://technet.microsoft.com/en-us/library/dd349797.aspx

    Vulnerability

    An attacker with physical access to the computer could insert an Autorun-enabled DVD or CD into the computer that automatically runs a malicious program.

    Countermeasure

    Configure the NoDriveTypeAutoRun entry to a value of 255, disable Autorun for all drives.
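
NoDriveTypeAutoRun is a bitmask with one bit per drive type, and a set bit disables Autorun for that type. The following added example (not part of the comment above or of Microsoft's documentation) parses .reg text and lists the drive types a given value still leaves enabled; the second input, with the value 0x91, is constructed for comparison.

```python
import re

# One bit per drive type; a set bit disables Autorun for that type.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable drive",
    0x08: "fixed disk",
    0x10: "network drive",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "reserved",
}

KEY_RE = re.compile(r'^\[(-?)(.+)\]\s*$')
VALUE_RE = re.compile(r'^"NoDriveTypeAutoRun"\s*=\s*dword:([0-9a-fA-F]{1,8})\s*$')

def parse_reg(text):
    """Return {registry key: NoDriveTypeAutoRun value} found in .reg file text."""
    found, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            # "[-KEY]" deletes the key, so no value is set under it
            key = None if m.group(1) else m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            found[key] = int(m.group(1), 16)
    return found

def still_enabled(mask):
    """Drive types whose bit is clear, meaning Autorun is not disabled for them."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]

# The .reg text from the comment, and a constructed variant using 0x91.
REG_FROM_COMMENT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
'''
REG_CONSTRUCTED = REG_FROM_COMMENT.replace("000000ff", "00000091")

if __name__ == "__main__":
    for text in (REG_FROM_COMMENT, REG_CONSTRUCTED):
        for key, mask in parse_reg(text).items():
            print(hex(mask), "leaves Autorun on for:", still_enabled(mask) or "nothing")
```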

  22. Re:Enable it by blueg3 · · Score: 2, Insightful

    In which case the malware is already running on the machine. Considering the point of adding your malware to autorun was to get it running on the machine, I'm not sure this is a significant security risk.

  23. Nobody has a problem with the feature being there by symbolset · · Score: 2, Insightful

    And they're not removing the feature. They're just making sure the default is "off". It's the sensible thing to do.

    If you're secure enough about what's on the disks/pendrives/cameras/network shares you mount to use it then by all means turn it back on. But that ought not be the default because not everybody is at that level.

    I'm not one to praise Microsoft usually, but this is a move in the right direction.

    --
    Help stamp out iliturcy.
  24. Re:Hunt and peck by collinstocks · · Score: 2, Interesting

    I have to agree. I use gnome-do all the time to run my applications because I can't be bothered searching through the menus if I already know what the program does. I even use it for my IM client: if I want to chat to someone, I enter their name and hit enter as soon as there are enough letters to match their name.

  25. I have used this to my advantage by MobyDisk · · Score: 2, Interesting

    I was arguing with a coworker why autorun is so dangerous. He said he never had a problem with it. So while he was away from his desk, I modified his USB key with an autorun that changes his desktop background to Unicorns and Rainbows. :-)

  26. Re:Hunt and peck by ProfessionalCookie · · Score: 4, Informative

    To open an app on MacOS X 10.5:
    • command-space (open spot light)
    • type "s" (in this case for safari)
    • Press enter

    This all happens as fast as I type. S is safari, F is firefox, m is mail, p-space-s is photoshop, t-space-m is textmate etc...

    Who still uses the dock??

    And serious kudos to Microsoft for turning off autorun- that blesses me.

  27. wrong tree? by Tom · · Score: 3, Insightful

    Wake me when they disable "autorun" for E-Mails.

    Seriously, when's the last time you heard about 100,000 PCs getting infected by malware on a USB stick?

    It's certainly a good step, but the problem it solves pales compared to pretty much everything else that windos has burdened itself with over the past decade or so.

    --
    Assorted stuff I do sometimes: Lemuria.org
  28. Diskettes by GbrDead · · Score: 2, Interesting

    What about floppy disks? Will the write-protection tab enable autorun?

  29. Re:sandisk? by JustNiz · · Score: 2, Insightful

    Yeah I will never buy another Sandisk USB drive because they do this crazy thing of also having a small ROM in there that appears as a second drive that has an autorun that installs Sandisk 32-bit windows drivers and bloatware every time you plug the disk in, even on a 64-bit os. Needless to say the drivers and bloatware are completely unnecessary to access the drive itself.

    You can disable autorun but cannot do anything to stop the read-only drive appearing and being mounted. To make it even more annoying, the small read-only drive gets the first available (lower) drive letter than the real drive.

    Whatever marketing moron at Sandisk thought that this was a good idea should be castrated (Preferably with a rusty knife) in an attempt to ensure he can't pollute the human gene pool further.