Slashdot Mirror


Microsoft To Disable Autorun

jchrisos writes "Microsoft is planning to disable autorun in the next Release Candidate of Windows 7 and future updates to Windows XP and Vista. In order to maintain a 'balance between security and usability,' non-writable media will maintain its current behavior however. In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction. Will be interesting to see what malware creators do to get around this ..."

34 of 429 comments

  1. Erm.....What the hell? by Sj0 · · Score: 5, Insightful

    Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.

    --
    It's been a long time.
    1. Re:Erm.....What the hell? by Moryath · · Score: 4, Interesting

      Has to do with crap like this - the theory goes that you may WANT to have an autorun from them for legit reasons (movie on a "read only" flash disk, or a "plug this hard drive in and automatically launch Program X" setup).

      Hell, without this, those "U3 Enabled" flash drives (yeah I know, gag puke awful crap software) are even harder to use too. They use a single partition with the U3 software, autoboot it, check for you entering your "password", and only then will it decrypt the OTHER partition on the drive for you.

      See where this is going?

    2. Re:Erm.....What the hell? by Midnight+Thunder · · Score: 4, Insightful

      Why wasn't this the default to begin with? There's no good reason to automatically run anything on media like hard disks or flash drives. It's an obvious virus vector.

      A compromise would have been to ask the user, but disabling it completely is probably better, since it will avoid stuff like the Sony Root kit being installed by a clueless user. After all:

      Computer: "Do you want to do xyz? It may break your computer."
      User: clicky, clicky "Why yes of course"

      --
      Jumpstart the tartan drive.
    3. Re:Erm.....What the hell? by Anonymous Coward · · Score: 5, Funny

      suddenoutbreakofswineflu
      WTF?

    4. Re:Erm.....What the hell? by Sj0 · · Score: 4, Informative

      CD is read-only, thus not applicable.

      --
      It's been a long time.
    5. Re:Erm.....What the hell? by Red+Flayer · · Score: 5, Funny

      Why wasn't this the default to begin with?

      In the beginning, there was a User.

      This User did not possess the special knowledge of the Priests of the Cult of Computers.

      This User was granted divine Manna from heaven in the form of a shining disc with an outer shell of a transparent horn-like material.

      "Lo!" said he, "I have found the Sacred Tablet of AOL!"

      And he put the Tablet in the Slot of Curious Whirrings, and nothing happened. And this was Good.

      But the User was unhappy, and complained to the Disciples of AOL, that the sacred disc of AOL was defective.

      And so the Disciples of AOL conferred with the Disciples of Borg.

      Now, the Disciples discipled for a while, and determined that the User could never be trusted to grok the mysteries of "Drive D". The Disciples agreed, also it was bothersome and unholy, to be summoned each time a Tablet was delivered by divine provenance to another User. And so Autorun was created.

      Verily, the User could place the Sacred Tablet of AOL in the Slot of Curious Whirrings, and without any further discipling by the Disciples, could run AOL.

      And thus were the Demons of AOL unleashed upon the world together with the Lord of PC Plague and Pestilence, he-who-should-not-be-named-but-nevertheless-I-will, Autorun.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    6. Re:Erm.....What the hell? by Feanturi · · Score: 5, Insightful

      That's only if there isn't an autorun.inf pointing to an executable. If there is, it runs that instead of showing the "What do you want to do?" dialog. Only having autorun disabled will protect you from that. What would be good is if it was disabled by default, but could be turned on for select "trusted" flash drives. Or, just a thought, maybe people could learn a bit about how to use a computer and not have to have it do all the driving. Nothing wrong with learning to open an Explorer window, then navigating to a drive to access something on it. What a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.

    7. Re:Erm.....What the hell? by EvanED · · Score: 5, Insightful

      Or, just a thought, maybe people could learn a bit about how to use a computer and not have to have it do all the driving. Nothing wrong with learning to open an Explorer window, then navigating to a drive to access something on it. What a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.

      As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

      I think Vista's "always autoplay, never autorun" (if I got those names right) scheme works really well.

    8. Re:Erm.....What the hell? by RzUpAnmsCwrds · · Score: 4, Informative

      A compromise would have been to ask the user

      This is exactly what Vista does. The problem is that you can customize the icon for the "run" operation, and malware authors got clever and used the folder icon. If you weren't paying attention, you might click the wrong option and install the malware (although there's also a UAC prompt to get through on Vista).
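
Added example, not part of the thread or of any commenter's post: a small Python triage of an `autorun.inf`, listing the entries that name a program to launch (the case described in comment 6) and, when such entries exist, the `icon`/`action`/`label` entries that decide how the run option is presented in the prompt (the case described in comment 8). The function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample for illustration; not taken from real media.
SAMPLE = r"""
; constructed autorun.inf
[AutoRun]
open=setup.exe
icon=folder.ico
action=Open folder to view files
shell\explore\command=setup.exe
[Other]
open=ignored.exe
"""

EXEC_KEYS = ("open", "shellexecute")               # name a program to launch
COSMETIC_KEYS = ("icon", "action", "label")        # control how the entry is shown
SHELL_CMD = re.compile(r"shell\\[^\\]+\\command")  # shell\<verb>\command

def parse_autorun(text):
    """Return lower-cased key -> value for the [autorun] section only."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def triage(text):
    """List (kind, key, value) findings worth a look before trusting the media."""
    entries = parse_autorun(text)
    findings = [("executes", k, v) for k, v in entries.items()
                if k in EXEC_KEYS or SHELL_CMD.fullmatch(k)]
    if findings:
        # Presentation keys only matter when something is set to run.
        findings += [("presentation", k, entries[k])
                     for k in COSMETIC_KEYS if k in entries]
    return findings

if __name__ == "__main__":
    for kind, key, value in triage(SAMPLE):
        print(f"{kind:13} {key} = {value}")
```
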

    9. Re:Erm.....What the hell? by thePowerOfGrayskull · · Score: 4, Insightful

      What a concept, actually knowing what's on your media. All this "ease of use" and accessibility crap is just making users dumber and dumber.

      Why should those people who are using computers as tools (in the same way they would use a car, lawnmower, or vibrator) have to know anything at all about how it works, where content is stored, etc?

      The best system is one that just does what you want it to do, without distracting you from your task by making you think about it. That holds equally true for computers, windshield wipers, and toilet paper.

    10. Re:Erm.....What the hell? by Darkness404 · · Score: 4, Insightful

      And remember the Sony rootkit fiasco? That's no better or worse than something you might catch from popping a pirated CD or DVD (the ones you buy for $1 off the streets).

      Except for the fact the Antivirus you paid $80 for will catch the malware that came off the CDs and DVDs but believes that the Sony Rootkit is "legitimate" and leaves it alone.

      --
      Taxation is legalized theft, no more, no less.
    11. Re:Erm.....What the hell? by supernova_hq · · Score: 4, Informative

      Those U3 enabled flash drives will STILL autorun. The second partition is made to appear to be a cdrom to windows, which means that windows will still autorun the crap they put on there.

      Not only that, but this will give SanDisk a semi-legit reason to partition those bloody things. To this day, the ONLY way to get rid of that damn partition is using a Windows utility, and that doesn't even work half the time!

    12. Re:Erm.....What the hell? by mooingyak · · Score: 5, Funny

      You're a disciple of AOL.

      --
      William of Ockham had no beard. The most likely explanation is that it was chewed off by squirrels every morning.
    13. Re:Erm.....What the hell? by Happler · · Score: 5, Insightful

      I have met people who do not think about toilet paper and they stink. I am a firm believer that people should have at least a basic understanding of what tools they are using. Knowing the basics of windshield wipers means that you can purchase and change them yourself (and pay less in the long run). Knowing the basics of computers means that you will, at least, help minimize the amount of damage you do to your computer via virus, malware, stupid user tricks, etc. I have worked too much tech support to encourage systems that do everything for the user. It just creates more problems than it is worth.

    14. Re:Erm.....What the hell? by Cajun+Hell · · Score: 5, Insightful

      The best system is one that just does what you want it to do

      Autorun isn't intended to do what users want it to do. Close, but not quite. Autorun is intended to do what ..
      .. .. somebody .. ..
      .. wants it to do. That person is never the user, unless the user wrote the autorun script. That person may have the user's interests at heart.

      --
      "Believe me!" -- Donald Trump
    15. Re:Erm.....What the hell? by Tanktalus · · Score: 4, Insightful

      No other device stores nearly so much of a user's information as a computer. Except maybe a filing cabinet, and you damned well better know where to find your information there, because there's no "grep" tool for that!

      All I'm saying is that analogising a computer against a lawn mower may break down for some things. And this might just be one of them.

      I don't expect a user to be able to write a program, or even a script, or even a batch file. But I do expect them to know where they store their stuff insofar as its similarities to a set of filing cabinets goes.

    16. Re:Erm.....What the hell? by adisakp · · Score: 5, Informative

      As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

      I think Vista's "always autoplay, never autorun" (if I got those names right) scheme works really well.

      Autorun does work really well... at installing rootkits on your machine from Sony/BMG CD's.

    17. Re:Erm.....What the hell? by Toonol · · Score: 5, Interesting

      As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

      Computers are HORRIBLE at deciding what is safe to run and what isn't. That's the central security problem, and it probably won't be solved until we have strong AI.

    18. Re:Erm.....What the hell? by nicolas.kassis · · Score: 5, Funny

      Humans are HORRIBLE at deciding what is safe to run and what isn't. That's the central security problem, and it probably won't be solved until we have intelligence.

      there fixed that for you

    19. Re:Erm.....What the hell? by Fumus · · Score: 4, Informative

      In Vista you can go: Press Start button, type "word", hit enter. And you open MS Word using a CLI-like interface.

    20. Re:Erm.....What the hell? by shutdown+-p+now · · Score: 5, Funny

      Autorun does work really well... at installing rootkits on your machine from Sony/BMG CD's.

      This made me wonder if Sony will now sue Microsoft for producing software that circumvents their copy protection.

    21. Re:Erm.....What the hell? by HTH+NE1 · · Score: 4, Funny

      I have met people who do not think about toilet paper and they stink.

      Who needs toilet paper when you have three seashells?

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    22. Re:Erm.....What the hell? by im_thatoneguy · · Score: 4, Interesting

      CLIs are great IF you know the command to launch it.

      What if you type in Word. Do you get MS Word or WordPad or Word Search?

      What if you don't know the program's name ("Writer" comes to mind) but you know it's a part of Open Office? What if you don't know anything about the program but would recognize it if you saw it?

      The list of things on a computer which a person should know the correct command to launch are very few. Vista's: Windows Key -> "Search Phrase" -> Enter. System seems to be the best. You can search or if you can't find it then look through your program list. It's the best of both worlds.

      Now the worst place for a CLI is anywhere the user doesn't know 'what they can do'. If you launch a CL program you're presented with no possibilities. You have no idea what the program can do. It's like driving up to a drive through without a menu. You can start quizzing the person on the other end of the little box what they offer but a nice photo menu is the fastest way to absorb data.

  2. get around this? by BigBuckHunter · · Score: 4, Interesting

    @ Will be interesting to see what malware creators do to get around this ..."

    Attrib -w? Flip the Writeprotect dword in StorageDevicePolicies?

    BBH

    1. Re:get around this? by Swizec · · Score: 5, Funny

      You seem to be implying that there is such a thing as a windows machine without malware ...

  3. It's done right in Ubuntu by Benanov · · Score: 5, Insightful

    Not sure exactly what's doing it, but in my Ubuntu and gNewSense installs:

    If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.

    Seemed to be pretty sensible really. I mean *I* inserted the CD, so I expect something to happen.

    1. Re:It's done right in Ubuntu by EvanED · · Score: 5, Informative

      If I insert a CD with autorun files on it or it has an autorun folder, I am prompted that this disc has software on it designed to run automatically, and I am asked what I would like to do about it.

      That's what Vista does too... I actually really like that behavior. It's almost as convenient as autoplay is, but without the security risk. (Well, for good users.)

    2. Re:It's done right in Ubuntu by Anonymous Coward · · Score: 5, Insightful

      The fact that you're using a CD drive as a jewel case pretty much invalidates any opinion you may have on this matter.

  4. In other news... by MachineShedFred · · Score: 4, Funny

    Sony Music has announced a lawsuit against Microsoft using the DMCA, claiming that the new software patch circumvents horribly inadequate copyright protection.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
  5. FTFA: by V!NCENT · · Score: 4, Funny

    In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction.

    Whoa...! Wait... they had autorun there too?!?! Dear god...

    --
    Here be signatures
  6. Sony CD by cant_get_a_good_nick · · Score: 4, Insightful

    Didn't Sony install rootkits as part of CD insertion/autoRun? CD-ROMs are a vector for malware.

    Also, I remember some website getting sued because they mentioned how to disable autorun, effectively disabling their anti-copy rubbish. So will Microsoft be sued for removing this?

  7. any USB plug-in device is insecure, period by evangellydonut · · Score: 4, Interesting

    take any USB controller, have it emulate a Human Interface Device (aka keyboard), use it for the keystrokes of "windows, up, up, up, enter, virus-website, enter" and it's game over. you can do the same on Mac, just a tad more difficult.

  8. Play button by fishizzle · · Score: 4, Interesting

    CD-ROMs could have kept the common "Play button" interface from the beginning. Everyone knew this procedure. You insert a VHS into a VCR, you press play. You insert a cassette tape into a Walkman, you press play. CD into a CD player, press play. When the CD-ROM came out, wouldn't it logically follow to insert the CD-ROM, then press the "Play button" to execute any "autorun" functionality? That way it's a user-initiated event, but one that your entire target audience is already going to be familiar with. And the users who weren't intending on "playing" the CD-ROM don't press the play button and can go about, uninterrupted, copying it or navigating the file system as they intended. It's not a huge deal, but I just find it odd that Microsoft's implementation of "Autorun" was the solution to this "problem" back in the day.

  9. Re:Hunt and peck by ProfessionalCookie · · Score: 4, Informative
    To open an app on MacOS X 10.5:
    • command-space (open spot light)
    • type "s" (in this case for safari)
    • Press enter

    This all happens as fast as I type. S is safari, F is firefox, m is mail, p-space-s is photoshop, t-space-m is textmate etc...

    Who still uses the dock??

    And serious kudos to Microsoft for turning off autorun- that blesses me.