Microsoft Kills AutoRun In Windows
aesoteric writes "Microsoft has finally decided to push out an update to disable AutoRun in its XP operating system, a Windows feature that had been increasingly exploited by virus writers over the years. But because Microsoft still sees AutoRun as a feature and not a security hole, it isn't calling its Windows Update a "security update" but rather an "Important, non-security update" — but it effectively disables the AutoRun feature anyway."
did you use autorun to post that?
Ask me about repetitive DNA
After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!
To donate the functionality to Ubuntu. That's nice of them.
Hopefully Ubuntu will do the same thing now.
Would be nice to have the option to enable/disable the feature..
If you do not know how to start a piece of software running, or cannot follow some simple directions to do so, you really have no business using a computer in the first place.
Man, this is just like Sony removing the "Other OS" feature from the PS3. I PAID for Windows XP because of the Auto-Run feature, as I'm sure many others have as well. This is a clear case of bait-and-switch deceptive marketing practicing. I wonder if a legal case could be made...
Rhymes that keep their secrets will unfold behind the clouds. There upon the rainbow is the answer to a neverending story
It's funny that MS disables this right after this article showed up.
When I insert a USB stick, Windows XP opens an AutoPlay window asking me what action to take. If the autorun.inf file is found, the default choice in the AutoPlay window is to run whatever is in autorun.inf. What now? Does XP completely ignore autorun.inf with this update?
;
;
autorun=NelsonMunt.exe
not the same thing this is just taking away auto running you can still run stuff manually and the up date is not forced on you.
XP also has Autoplay which can also be coerced into doing nefarious things. Is that taken care of as well?
I am becoming gerund, destroyer of verbs.
Unless it's from an infected USB drive I guess...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Their CD rootkits won't run automatically
Bet you there's a super-secret way to re-enable autorun on a specific medium for just such reasons
(which will be discovered and exploited by malware writers)
Autorun was one of the main reasons Amiga was the darling of the virus writers and Windows just carried on the tradition. Here it took them two decades to finally throw in the towel. That's stubborn.
Agree. Now Windows is not easy as advertised. I cannot just insert the CD and have it work like magic!
Seriously, autorun is full of shit and I always disabled it when I had a Windows workstation. Microsoft is such a bad corporate citizen, it deserves to be sued and sued for all the harm it did. I do hope there is a case for this. For great justice ..or for the LULZ.
I for one think this is a sensible thing to do.
Trolling? Window update is NOT mandatory. You can choose not to install a specific fix and then it will not prompt you for it in the future. It's not like PS3, where you have to update to play online.
This is an update to KB967940, regarding the patch offered in KB971029 going to automatic updates.
I had to look up the numbers, so I thought I'd just share, and save anyone else the trouble.
Whoosh.
That is what I gathered from the article. For instance, you pop your new software disc into the optic drive and are prompted with the installer. This will not happen, post update.
You pop in your external harddrive and are prompted with the installer for the manufacturers proprietary software... Parent was a bad example.
I don't see how the situation would be any better in Vista or Win 7, other than the fact they are theoretically more secure. Or do they "solve" the problem in Vista/Win 7 by popping up a nagging warning box in addition to the silly task window that I never used in XP?
A computer that would run owt from a CD, unchallenged, needs her head's examined (sorry Sian Massey).
Also whoosh.
Since it is not considered a "security update", you can always not install it. Or uninstall it easily from the built in "add/remove programs" menu in the control panel.
This is not remotely the same thing as your strawman argument makes it out to be.
Tequila: It's not just for breakfast anymore!
Interesting that this bugfix was released only for XP. In 7, there's a dialog, but autorun.inf can show anything there, so most users will be just as easily fooled.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Presuming it's mounted as an optical drive, all of the aforementioned are not affected by this update. You have to follow a few links to find it, but...
http://blogs.technet.com/b/msrc/archive/2011/02/04/deeper-insight-into-the-security-advisory-967940-update.aspx
The kernel should include rootkit/trojan protection with frequent updates and comparison of signatures of valid firmware on PCI, AGP, etc. including router firmware. Enough of the malware scanner updates, the system should ship and run with powerful scans each boot, complete with a BIOS checksum verification.
The dirty malware which survives drive wipes hides in BIOS and PCI cards, but how many antiviruses protect against PCI card attacks? Tell me of one and of how they do it, I've noted ZERO so far.
Only when a system and all of its HARDWARE firmware is checked and verified EACH BOOT, should an OS load if security matters at all.
Sadly, how many router and pci cards (and other hardware like dvd drives) ship with checksums and firmware checksums and/or verified gpg signed files?
The state of HARDWARE security is pitiful! Some BIOS allows you to enable protection against writes, but most do not, this in and of itself could be a conspiracy.
When an OS starts and verifies ALL devices attached, prior to autoloading ANYTHING, then and only then will I begin to have faith in the security process of mainstream IT.
The thing that boggles my mind is Apple has 'Open "safe" files after downloading' as the default for Safari (and yes, "safe" is in quotation marks in the preferences)! I have to remember to uncheck it every time I use a new Mac.
Taking guns away from the 99% gives the 1% 100% of the power.
You can pull the autoupdate disable from the optional updates.
Sure, Auto-Run can help execute malicious code. But what's stopping users from navigating to that CD or flash drive and executing the code themselves? Aren't they the ones connecting the devices or putting the disks in their computer in the first place?
I know plenty of people who try to do things like download MP3s, somehow end up downloading and running viruses on their machines instead. I'm kind of seeing this as a similar problem. Unfortunately, there isn't a universally-satisfactory solution to these sorts of incidents on the software level: disabling autorun for everyone will take away the ability to do something like pop in an audio CD and have it play right away. Enforcing the use of antivirus software to catch all potentially malicious code can be taxing on older systems. Blocking the execution of programs when they're starting up until the user clicks an "Allow" button can be frustrating for anyone wanting to perform a few simple tasks. These features may prevent something bad from happening, but until that thing happens, the average user will probably find them to be annoying and disable them. Microsoft seems to think that it's best to hold the hands of those who may not entirely know better and take away this feature completely when they should just make an attempt to educate their users as to why they should be cautious when having auto-run enabled to keep them aware.
Then again, as this is an optional update, I could just be blowing smoke. Still, an update that removes a feature doesn't seem like the optimal solution.
Trolling? Window update is NOT mandatory. You can choose not to install a specific fix and then it will not prompt you for it in the future. It's not like PS3, where you have to update to play online.
Hmmmm.... Seems you must be unable to recognize sarcasm. And here I thought I was humorless. ;)
"while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
Given that PKI (Public Key Infrastructure) has been around longer than Internet Explorer, I could never understand why autorun.inf files weren't signed. Didn't Microsoft learn from all the problems induced by autorun-like behaviours on Amiga and Macintosh?
Up until about MacOS 8 (I think) the Finder used to automatically execute .CODE resources in files on disk/HDD/CD whenever a new disc came online which is how most Mac viruses got propagated.
I run vista and I'm installing it right now, using windows update. I think the summary's just bad or people focused on XP 'cause so many of the attacks are geared towards it (the computers at my school get infected all the time through USBs).
open source modern art: laser taggi
I've been using sysinternals stuff seemingly forever. Mark Russinovich, he of Sony rootkit fame, has made his utilities available for download since the web was young. Many of the utilities, such as Procmonitor, aren't for neophytes, but Process Explorer and autorun should be on every windows box. Please note I'm not well informed as to the details of the story and am just throwing the above out there should it be of benefit to anyone.
Microsoft designers felt it was too "Ubuntu-like."
it's always something..if it's not one thing it's another..you gotta take the bad with the good...
"Doctors are whippersnappers in ironed white coats
who spy up your rectums and look down your throats
And press you and poke you with sterilized tools
And stab at solutions that pacify fools.
I used to revere them and do what they said
Till I learned what they learned on was already dead."
-poem by Gilda Radner
If it makes you feel any better, you got me to laugh. I didn't seriously think you were standing up for that other company.
Now how the heck do I get the "bonus software" on this hot new pop audio CD from $corporate_label_x to install on my system? Root-kit? what's that? Is that what the dentist uses to perform a root-canal?
Nice of them to FINALLY remove this "feature". Seems a little late now though, you can't even buy machines with Windows XP still on them...
And the villagers rejoiced.
The world is made by those who show up for the job.
Will nobody else say it? Ok, I'll say it without inserting some criticism about the timing, the need for this change, or whatever.
This needed to be done. The patch needed to be the default. The patch is here and it provides an improvement on the Windows experience not only for the Windows users, but for those of us who share an Internet with them.
So thank you, Microsoft, for doing the right thing.
Help stamp out iliturcy.
They've only disabled it for media that appear not to be "optical". CDs, DVDs, and the partitions on "U3" thumb drives that pretend to be CD-ROM drives will still trigger AutoRun. For more authoritative info, see Adam Shostack's blog post: http://blogs.technet.com/b/msrc/archive/2011/02/08/deeper-insight-into-the-security-advisory-967940-update.aspx
non-security updates don't always auto-update. This will remain an attack vector until they declare it a security update.
If you don't kill this, what's to stop a virus from creating the same fake CD-ROM drive and auto-running from there?
[sarcasm] He has auto-sarcasm turned of, you insensitive clod! [/sarcasm]
Autorun is not a bad idea. It has just been badly implemented. MS obviously found it easier to just disable it than to make it secure.
I'm pretty sure you are about to be sued by SONY for using their name in a derogatory manner.
Out of curiosity, would their CD root kit have had any traction, if autorun had already been disabled?
As the others have said, you can not install the update. You can uninstall the update. You can, you know, turn autoplay back on.
But...really? You bought windows for autoplay? I guess clicking on [insert setup.exe-like autorun program here] is too much for some people.
Also...bait and switch on a program released about a decade ago?
Can't find the link in the article. And Google returns this http://support.microsoft.com/kb/967715 but that is for network drives.
bad analogy destroys sarcasm. But since you get 5 funny, I have to admit that sometimes bad sarcasm can still be funny sarcasm.
Microsoft had to create autorun because too many people are too stupid to figure out how to navigate somewhere and find the file they need. Seriously.
A couple of years ago I copied a bunch of files onto a CD for my wife's boss. The next day she calls me from work -- he can't figure out how to access the files (this is a guy with some pretty substantial education). So I say "just tell him to copy the files from the CD to his hard drive". He literally had no idea how to do that. I refused to play along and spell out every exact step required and I just kept saying "I don't know any other way to explain it -- just copy the files from the CD to the hard drive." I don't know if he ever did it.
Dude thanks for the belly-laugh. I needed that. ;)
Mod points: Guaranteed to remove your sense of humor.
Side effects may include gullibility and temporary retardation
Double woosh
Micro$loth
*sigh* We're really still doing this? Honestly?
You're confused about the reason for the feature, as you think it's to cope for ignorance. While that is a useful benefit, the REAL advantage is convenience. If I'm plugging in a USB stick, or inserting a CD or DVD, or anything else, most of the time I WANT something to pop up, to save me a step in enabling it or whatever.
Think of it as a UI feature, rather than a user feature.
Then you can get past your hang-ups and think of ways to make it work safely and effectively. And yes, Microsoft could have done a lot more in that regard to make things work better, but I don't see it just as a software issue. Some of the worst vulnerabilities are hardware ones instead.
you can still run stuff manually
Really? If an autorun menu doesn't pop up what do I do? How do I make the CD, y'know do stuff?
and the up date is not forced on you
Microsoft is pushing it on me. I think my computer gets those automatically. I can't make CD work and you want me to stop the whole of Microsoft pushing an update?
I'm suing.
LOL. Seems to me you need to learn to recognize the difference between ffreeloader and nebaz. Nebaz is the funny man. I'm the humorless guy that can still recognize sarcasm....
"while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
...a car that would start its engine and ran straight into traffic as soon as anyone sat into it?
It is auto-run after all...
Mit der Dummheit kämpfen Götter selbst vergebens
Don't post as AC, get a nickname. Maybe something with "pompous" in it is available.
Yeah, in a ten-year-old OS. I'd rather the people who might have been implementing a more secure XP Autorun instead do work on W7 or 8.
FC Closer
I just stick an abacus up my asshole.
Turned of what? :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
OR worse yet... what about the annoying message of You need to format the disk in drive X: before you can use it. It is so annoying that every time I want to plug a HDD with half ext3 half ntfs partitions I have to see that annoying message.
Ubuntu is an African word meaning 'I can't configure Debian'
not the same thing this is just taking away auto running you can still run stuff manually and the up date is not forced on you.
I have a disability that prevents me from manually running stuff from a CD, you insensitive clod!
It doesn't stop autorun on CDs and other shiny media. What it now stops is autorun on portable USB drives and the like. See this El Reg article which is more enlightening than TFA.
A False Positive? Yeah, many autorun applications get that...
ics
I'd give you that if I thought for a second we would see it in 7 or 8.
Please, then, tell me how it is that every Windows network I've ever worked in / on or built in the last 15 years has succumbed to a virus on at least one client sooner or later, even if managed by a huge multi-national company? Could it be that antivirus is actually pretty worthless because it doesn't do its job as advertised?
Back in my previous workplaces, we would refer to it as a "canary". When the antivirus was disabled and stopped talking back to the antivirus consoles on the server, we knew that machine was infected and would require reimaging. Viruses disabling or slipping past the antivirus without any other indication there was something wrong were very common. The antivirus itself ever only detected false positives and/or very trivial, fleeting "viruses" like a javascript malware page that only worked in IE (and we weren't using IE - it just saw it in the Firefox cache!).
Antivirus is snake-oil. If you're relying on that to protect you against malware, good luck. Chances are that your antivirus will *not* catch the majority of viruses that you're likely to encounter. Go check out the statistics on VirusTotal.com - most antivirus programs, even the most up-to-date, can't even detect viruses that other antivirus do, let alone all the ones that sneak past ALL antivirus packages.
Antivirus is a tool, not a cure. It's useful for detecting an existing virus infection. It does *not* prevent it, by any means. However, autorun being off can *totally* prevent an autorun-distributed virus.
Viruses *work* by deliberately crashing, hanging, exploiting, etc. programs in order to execute code - in the process they then want to download more code, store it, modify the disk, trampoline onto another saved executable, etc. By the time something hits the disk, the virus is already executing, by the time something appears in the process list, the virus is already executing - and it *doesn't* necessarily mean that at any point any antivirus "hook" (like disk reads/writes, etc.) would even execute.
Antivirus, generally, doesn't stop virus infections, it merely detects and/or cleans them. Decent security procedure (and proper programming) is the only thing that *stops* a virus - firewalls, least-privilege and turning off crap that wants to execute code.
eventually
Am I misunderstanding something here? I thought that disabling that was just a question of altering a registry-key. I did, and was never bothered by self-starting USB or CD media again.
http://antivirus.about.com/od/securitytips/ht/autorun.htm
How do I make the CD, y'know do stuff?
You stroke its back and ask really nicely.
Microsoft is pushing it on me.
Because they love you.
That's why UAC was ripped a new one when it came out and nearly every day since: it pops up FAR TOO OFTEN. Therefore the user (again the vector), gets used to clicking "OK" on the UAC prompt because they had to do that to even mount the USB drive.
UAC only helps if it is uncommon enough to be an ACTUAL warning, not just a pain in the arse you have to click over and over again to work on your machine as you intended.
Remove the "hide file extension" stupidity that makes it easy for trojans to get run.
Honestly, the manager that green-lighted that feature and continues to make it exist in the OS needs to be fired, tarred, feathered, and then put in stockades so the rest of us can do what we want to him.
Do not look at laser with remaining good eye.
You sir are what we call in the IT world as a....
N00B.
Please come back when you actually know something about computers.
Do not look at laser with remaining good eye.
So Linux guys, be happy where you are. Drop to your knees and thank RMS that Linux is still CLI heavy in Ubuntu if anything goes wrong, and the whole Linux setup seems "too hard" for the average Windows user. Be glad, oh dear Lord be glad. Because if you ever manage to lure them over the malware writers will be right behind them and your pretty OS will be turned into a giant festering turd.
Bad news, I switched my mom and my sister (a deadly living weapon of indiscriminate cyber-destruction) over years ago, neither of them have had any trouble or know what the hell a CLI is :-(
I think I may have triggered the Linuxpocalypse O_O
"When information is power, privacy is freedom" - Jah-Wren Ryel
man, they have serious issues.
microshaft needs to see a psychiatrist.
"AutoRun isn't an accident -- it's by design, and as I mentioned we care about the very real positive uses of the feature. In other words, in a very real sense, it's not a bug, it's a feature," said Adam Shostack, a Microsoft security program manager.
I /knew/ this is how Microsoft thought about its security holes.
...Windows had a decent security model. The automatically run software shouldn't have write access to anything, in the first place, unless the user explicitly says so.
They need to also by default show file extensions in explorer.
Details can be found in the documentation
Example:
[Settings]
AutoRunInf=1
AutoRunKey=MySecretKey
delay=2000
[Settings]
AutorunInfRestricted=1
This checks for "MySecretKey" in the autorun.ini file. If the key is found, it waits 2 seconds and then executes the autorun.ini file, but with reduced privileges.
Autorun is a bad idea. There is reason for 'inserting a cd' =='do what ever is instructed on it'. Remember that it was also the means of the Sony root kit.
It entirely depends on the good will of the maker of the CD. Anyone can write removable media, and the ones that use a professional press are known to not be reliable. This is not just bad implementation, it is no implementation.
Note that autorun is not prompting the user about what to do when media is inserted. It is the blind execution of whatever is in autorun.inf. There is no correct implementation of this.
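What an autorun.inf of the kind discussed above asks Windows to launch, and what text it puts in front of the user, can be listed before the media is trusted. The following Python sketch is an added example, not part of the thread or any Microsoft code; the sample file is constructed, and skipping lines that are not `key=value` is an assumption about how such files should be read for triage.

```python
# Added example: list what an autorun.inf asks Windows to run or display.
# open, shellexecute, shell\<verb>\command, action, icon and label are the
# documented [autorun] entries. SAMPLE below is constructed for this example.
import sys

EXEC_KEYS = ("open", "shellexecute")        # name a program or file to start
DISPLAY_KEYS = ("action", "icon", "label")  # control what the user is shown

SAMPLE = r"""
; constructed sample, not taken from real media
[AutoRun]
OPEN = setup.exe /quiet
icon=setup.ico
action=Install Example Software
shell\open\command=setup.exe
this line has no equals sign
[Other]
open=ignored.exe
"""


def parse_autorun_inf(text):
    """Return {section: {key: value}} with section and key names lower-cased.

    Comment lines (';'), blank lines, lines outside any section and lines
    without '=' are skipped instead of raising, so one odd line cannot hide
    the entries that follow it.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return sections


def launch_commands(text):
    """(key, command) pairs from [autorun] that name something to execute."""
    auto = parse_autorun_inf(text).get("autorun", {})
    found = []
    for key, value in auto.items():
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if (key in EXEC_KEYS or is_shell_verb) and value:
            found.append((key, value))
    return found


def dialog_overrides(text):
    """Entries that change the label, icon or prompt text shown to the user."""
    auto = parse_autorun_inf(text).get("autorun", {})
    return {k: auto[k] for k in DISPLAY_KEYS if k in auto}


if __name__ == "__main__":
    # With a path argument, read that file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for key, cmd in launch_commands(data):
        print("would launch via %s: %s" % (key, cmd))
    for key, val in dialog_overrides(data).items():
        print("shown to user (%s): %s" % (key, val))
```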
Should have been done from the get go on windows 95...seriously, how much code does it take to say default autorun=NO!
lol i'm sure everyone when they purchase a pc with windows is thinking, "gee, i'm sure glad they have that autorun feature!" last i checked autorun is what makes ur pc so damn slow when booting up cuz it loads all this bloatware at startup- printer, sound, graphics, adobe stuff, microsoft stuff, blah blah blah blah. ... and THEN there are those viruses which take advantage of this. it should have been done earlier. all autorun generally does is make programs load faster when you start them for the first time.
and haruchai's comment about help desk? are y'all too stupid to understand what autorun accomplishes? hint.. if you're too lazy to open a program when it first boots, you can always put a link on your desktop so you don't have to search through the start menu! if you're too stupid... well i guess that doesn't make you much different than nearly every other american i've met.
Although everybody keeps saying that it will display "MyPhoto.jpg.exe" as "MyPhoto.jpg" and thus mislead people, while I certainly admit it is quite likely, I am confused why the MS defenders don't point out that it should not confuse people because a real "MyPhoto.jpg" would display as "MyPhoto" and thus be different than the bogus file.
Can somebody explain this?
If in fact it deletes the entire ".jpg.exe" it would explain confusion, but then it means MS is using different rules in different parts of the code (ie it uses only the ".exe" rather than ".jpg.exe" to figure out what to do) which I think is far stupider than I believe even they would have done in the dark ages of 1990 or whenever they started this...
i understand if clicking Start-> My Computer -> Right-clicking on CD-Rom Drive and clicking Run/Open is too complicated for you... three steps is generally 2 more than the average lazy person is willing to take...
You jest, but it's likely the change disables Autorun by default rather than actually removes it. Removing (or adding) features is a difficult task, especially in Windows. Things can break in the oddest places when you remove the code. Heck, it's so bad that Microsoft will often do binary-patches rather than re-link executables (apparently they've been burned by relinking and processor errata).
Plus, who knows how many companies require Autorun to actually work for some of their processes. Scary, but true.
Heck, we're bound to see people complain about the new default off setting.
What a coincidence! Where I work we have nifty little software utilities called Antivirus Programs too. (Disclaimer: I haven't personally run one of these nifty utilities on my own computer in a number of years, but I've had to help many people who do run them regularly). It is hard to tell how well they work, because we don't seem to regularly work with infected discs or drives like you do (I do wonder how you manage to get all these infected media, but I digress), but I have noticed that these utilities are very good at promoting contemplation. Some of our computers get so slow that it gives the users time to contemplate what they are working on, or what they are writing.
One of our users found that their nifty utility would no longer update itself, and he was advised to reinstall. The installer would hang, so some friendly people overseas advised him to remove the software and reinstall. It seems that the software did not want to completely uninstall, so the friendly people overseas sent him a super-secret nifty program to completely remove the software. Well, that software couldn't uninstall it either, so the friendly people from lands afar used some magic software to take control of this computer so that they could run the same un-installer. After that, the computer would not reboot into Windows. When these friendly people were contacted, their response was "If your computer cannot boot after our software was removed, then it obviously is a problem with the operating system and you need to contact your operating system vendor."
I have another very amusing story about another person who apparently did not fully appreciate all the contemplative time he was being given by his nifty utility, so he decided to switch to a different vendor who provided their own nifty utility software. Well, maybe it's more like one of those "some day we'll look back on this and laugh" kind of story.
Tada! Problem solved.
Well, maybe that problem was solved ...
Amiga had a "disk inserted" event, which would often trigger programs looking for the event, such as Workbench, to look at the just-inserted disk to see what was on it. But except for initially booting the system, Amiga would never load and run code off a disk merely because you inserted it.
Schwab
Editor, A1-AAA AmeriCaptions
...to the malware. The autorun worm running around on our network places shortcuts to itself on the root of the flash drive. It hides (attrib +h) the user's original files, then creates shortcuts to the files (which really point to itself). It also creates other shortcut links like Passwords, Music, Pictures, but they all link to the executable on the flash drive.
Even with autorun disabled, users will double-click the shortcut to their document, thinking it's their document they are opening, but it runs the malware instead.
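The decoy pattern described in the comment above (originals hidden, same-named shortcuts left visible in the drive root) can be spotted from a directory listing alone. This Python sketch is an added example, not something posted in the thread; the name-matching heuristic and the sample listing are assumptions, and it does not resolve where a shortcut actually points.

```python
# Added example: flag visible .lnk files in a drive root that carry the name
# of a hidden file or folder beside them. SAMPLE_LISTING is constructed.
import os
import stat
import sys

SAMPLE_LISTING = [            # (name, hidden) pairs, constructed
    ("report.doc", True),
    ("report.doc.lnk", False),
    ("Budget.xls", True),
    ("budget.lnk", False),
    ("Passwords.lnk", False),
    ("notes.txt", False),
    ("desktop.ini", True),
]


def list_root(root):
    """Return (name, hidden) for each entry directly under root.

    The hidden flag comes from st_file_attributes, which only exists on
    Windows; on other systems every entry is reported as not hidden.
    """
    entries = []
    with os.scandir(root) as it:
        for entry in it:
            info = entry.stat(follow_symlinks=False)
            attrs = getattr(info, "st_file_attributes", 0)
            entries.append((entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return entries


def _alias_keys(name):
    """Lower-cased names a shortcut could use to stand in for `name`."""
    low = name.lower()
    return {low, os.path.splitext(low)[0]}


def find_decoys(entries):
    """Split visible shortcuts into (decoys, unmatched).

    decoys    -- (shortcut, hidden_original) pairs: the shortcut's name minus
                 '.lnk' equals a hidden item's full name or its stem.
    unmatched -- visible shortcuts with no hidden twin; on a drive that has
                 decoys these deserve a look too (the "Passwords, Music,
                 Pictures" links in the comment above).
    """
    hidden = {}
    for name, is_hidden in entries:
        if is_hidden:
            for key in _alias_keys(name):
                hidden.setdefault(key, name)
    decoys, unmatched = [], []
    for name, is_hidden in entries:
        if is_hidden or not name.lower().endswith(".lnk"):
            continue
        stem = name[:-4].lower()
        if stem in hidden:
            decoys.append((name, hidden[stem]))
        else:
            unmatched.append(name)
    return sorted(decoys), sorted(unmatched)


if __name__ == "__main__":
    # With a path argument, scan that drive root; otherwise use the sample.
    listing = list_root(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    decoys, unmatched = find_decoys(listing)
    for shortcut, original in decoys:
        print("decoy: %s shadows hidden %s" % (shortcut, original))
    if decoys:
        for shortcut in unmatched:
            print("review: %s" % shortcut)
```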
Bait and switch 8ish years later is hardly a bait and switch....
Not true. Auto run does NOT have to be 'inserting a cd' =='do what ever is instructed on it'. That is the description of badly implemented autorun. Autorun doesn't have to be any more dangerous than surfing the web. In fact in all ways, a system that takes equal care in security will always be more vulnerable via the web.
Autorun done right would still play music and video automatically. If there is a security hole in the audio or video codecs, you are already screwed by having a web browser, as that is a dramatically easier way to deliver those payloads. For executables, instead of blindly running any executable on the disk, the OS should supply the splash screen/menu that virtually all legitimate software has. By having the OS supply the splash menu and only use text and graphics from the removable media, again you are no more at risk than being on the internet. You are dramatically safer, as the splash menu can be dramatically simpler than a web browser, and thus has less surface to have attack vectors. The splash menu can checksum the and with the user's permission allow all future attempts to run without user intervention. Since the user was asked if they want to run the full executable, you are in no greater risk than if the user launches the executable by hand.
When you opened this page, code was Autorun on your system. Autorun from removable media does not have to be any more dangerous than reading Slashdot.
Yes, but in a moment of no concern, I hit the Install Updates button but this patch(1026) was not auto-applied.
The update came back to me, I could not apply until I read the data.
I hid this update!
Thanks for posting that this was not a security issue....
Don't you think...? Or don't you?
In a day where HR wants us to be more than three people and work for less than one person, Microsoft is becoming less and less, then charging more and more! Moving Microsoft offshore to India or then China will not save its demise. The trend is to move to something that gives more and more for free. The JAVA box cometh for all the Fffffuuuuckers!
M$ will keep having trouble until their "boilerplates" are made from good American steel rather than the shoddy and communist Chinese crap. Windows is such a crap pile that you can actually compost your garden with it. Trouble is all plants fertilized by Windows are subject to GATES EULA and you can't eat them unless you have a valid license.
"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
That is not autorun. Autorun is execution of arbitrary code specified in autorun.inf. Also what you describe is not an autorun but a multimedia 'icon'. All of these are interesting ideas but they do not constitute an autorun.
When I loaded this page, I loaded code to be executed. Inserting a removable media is not loading code.
Doing a presentation splash screen in a sandbox is very useless and does not correspond to what Microsoft intended with the autorun hack.
http://en.wikipedia.org/wiki/Autorun
AutoRun was introduced in Windows 95 to ease application installation for non-technical users and reduce the cost of software support calls. When an appropriately configured CD-ROM is inserted into a CD-ROM drive, Windows detects the arrival and checks the contents for a special file containing a set of instructions. For a commercial application, these instructions normally initiate installation of the software from the CD-ROM. To maximise the likelihood of installation success, AutoRun also acts when the drive is accessed ("double-clicked") in Windows Explorer (or "My Computer").
For this to work as intended it needs to be able to run arbitrary code as the logged user ID or system administrator, or be able to escalate to system administrator.
Without that autorun bullshit, audio CDs will still play, photo import will still start and lame flash animation could still be played if configured correctly.
There is no correct implementation of autorun. It cannot be fixed. You obviously don't know what it is.
On slashdot, ignorant are insightful.
Man, this is just like Sony removing the "Other OS" feature from the PS3. I PAID for Windows XP because of the Auto-Run feature, as I'm sure many others have as well. This is a clear case of bait-and-switch deceptive marketing practicing. I wonder if a legal case could be made...
Really? You paid for XP because of the Auto-run feature...
I wonder if a legal case can be made for committing you to an asylum...
You are being pedantic about the definition of 'Autorun'. By your definition, the report earlier of an Autorun exploit on Linux was completely wrong because if it is running on Linux, and is not executing arbitrary code specified in autorun.ini. You are using a different definition of Autorun than pretty much everyone else. Autorun is being used as a generic description of having stuff happen on your computer automatically when you insert a disk. Even differentiating between Autorun and Autoplay is just pointing to different shades of gray, as Autoplaying a DVD does launch code, as virtually every single commercial DVD has code in it, and 'autoplay' launches that code.
If you take a step back and look at what is trying to be accomplished by autorun, it can easily be tweaked to offer 99.9 % of the functionality, while removing all of the security risks that don't already exist in your web browser.
You are also wrong about your definition of loading code. If inserting removable media into your computer makes code load, then inserting media into your computer is loading code. Just as putting a DVD into an XBox is 'loading the game'. So, my statement still stands that you are loading code either way. And, even if loading a web page IS loading code and putting in media isn't, it only points out how lame it is to complain about the existence of autorun when you are running code implemented by unknown sources on your computer every day.
You are wrong. Autorun is used on every single console ever released that has removable media. Every single one.
Running the right application based on what media was inserted is like associating a file type with some app. It does not execute what is on the media, it merely passes the data to a pre-installed application that is authorized and configured for that purpose. The removable media is treated like data, it is not code. It is not autorun.
Autorun is a Microsoft invention and I think their definition of this "technology" is the right one...
Only if by autorun you mean automatically run any piece of code when a physical media is inserted/connected. Then yes, consoles use autorun.
Unfortunately you are a moron. The autorun in this case is Microsoft's autorun.inf on the media root. It is not the same thing. Removable media on PC are data. On a console it is a game. Not program, not data but "game" which happens to be a mix of both data and code like all things in computing.
Funny, my atari 2600 would disagree with you, so would my DVD playing software.
Please. No one on Slashdot PAID for Windows XP.