Microsoft Kills AutoRun In Windows
aesoteric writes "Microsoft has finally decided to push out an update to disable AutoRun in its XP operating system, a Windows feature that had been increasingly exploited by virus writers over the years. But because Microsoft still sees AutoRun as a feature and not a security hole, it isn't calling its Windows Update a "security update" but rather an "Important, non-security update" — but it effectively disables the AutoRun feature anyway."
Would be nice to have the option to enable/disable the feature.
It has been an option for as long as I can remember. It used to be one of the first things I turned off after a new install, right after I turned on the display of File Extensions.
According to the MS article thing on it, that won't happen anymore. Autorun only happens for CD/DVD discs now. In fact this update SPECIFICALLY targets thumb drives for disabling autorun (though it affects all non-disc drives).
This is an update to KB967940, regarding the patch offered in KB971029 going to automatic updates.
I had to look up the numbers, so I thought I'd just share, and save anyone else the trouble.
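The comments above turn on whether AutoRun can be switched off per drive type. On Windows the setting lives in the documented `NoDriveTypeAutoRun` policy value, a bitmask in which each set bit disables AutoRun for one drive type (0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD/DVD, 0x40 RAM disk, 0x80 unknown; 0xFF disables it everywhere). The script below is an added example, not code from the thread or from Microsoft's update: it audits the machine-wide and per-user policy keys, decodes which drive types still have AutoRun enabled, and offers a function that applies the all-drives-off value. It assumes a standard Explorer policy path and needs an elevated session for the HKLM write.

```powershell
# Added example: audit and optionally harden the Windows AutoRun policy.
# NoDriveTypeAutoRun is a documented Explorer policy bitmask; each set bit
# disables AutoRun for that drive type. The bit table below mirrors the
# Win32 DRIVE_* drive-type constants.

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04   # USB thumb drives, the case this update targets
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD/DVD'    = 0x20
    'RAMDisk'   = 0x40
    'NoRoot'    = 0x80
}

function ConvertFrom-NoDriveTypeAutoRun {
    # Returns the drive types for which AutoRun is still ENABLED (bit clear).
    param([int]$Mask)
    $enabled = foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        if (($Mask -band $entry.Value) -eq 0) { $entry.Key }
    }
    if ($enabled) { $enabled -join ', ' } else { 'none' }
}

function Get-AutoRunPolicy {
    foreach ($path in $PolicyPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' `
                      -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        if ($null -eq $value) {
            $display = 'not set (OS default applies)'
            $stillOn = 'unknown (default in effect)'
        } else {
            $display = '0x{0:X2}' -f $value
            $stillOn = ConvertFrom-NoDriveTypeAutoRun -Mask $value
        }
        [pscustomobject]@{
            Hive               = $path.Split(':')[0]
            NoDriveTypeAutoRun = $display
            AutoRunStillOnFor  = $stillOn
        }
    }
}

function Disable-AutoRunAllDrives {
    # Writes the all-bits-set value (0xFF) to the machine policy key.
    # Requires an elevated session; takes effect for new Explorer sessions.
    param([string]$Path = $PolicyPaths[0])
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
                     -Value 0xFF -Force | Out-Null
}

# Audit only; call Disable-AutoRunAllDrives explicitly to change the setting.
Get-AutoRunPolicy | Format-Table -AutoSize
```

Run it as-is to see the current state; a report of `AutoRunStillOnFor = CD/DVD` corresponds to the behaviour the update described in the thread leaves in place, while `none` means every drive type is covered. Because Group Policy can also populate the same value, the HKLM row is the one that matters on domain-joined machines.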
Whoosh.
Sigh. On a Mac, my drunken bigoted friend, a Mach-O file renamed to foo.jpg will happily run *because* the operating system dives into the file format to figure out how to run it. If I embed the appropriate icon resource in the file it'll even look like your default image viewer is going to open it, and if I subsequently start that image viewer once I've got control you'll never know it wasn't.
That's the security flaw: you can make an icon look to the user like it will only open up the image viewer, when actually arbitrary code will be executed.
Without file extensions being hidden you see foo.jpg.exe and say "that's an exe, I'm not going to run that", even if it has a friendly jpg icon embedded in it.
How we know is more important than what we know.
After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!
The 'autorun on Linux scare' appears to be primarily due to automatically displaying thumbnails of corrupted files which exploit holes in image and video rendering libraries; so Windows is at least as insecure. Windows was far more insecure when it would also happily load a DLL from the USB drive in order to perform that rendering because '.' was first in the DLL search path.
Plus Ubuntu, at least, now seem to be wrapping the thumbnail generators in Apparmor which makes it far more difficult to exploit.
Actually the update, which I just downloaded, states in the summary that it disables autorun for all devices except CD and DVD drives. At least it'll kill USB drive viruses and the even worse autolaunching U3 crapware on some USB drives lol.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
AFAIK if you download that mach-o file from a website the resulting downloaded file will not be set to executable automatically, and the "victim" cannot run it.
The victim will have to do the equivalent of chmod +x on it first.
On the other hand if you create an appropriate disk image file and set the mimetype to application/x-apple-diskimage OSX will mount the disk automatically. And if you put the right things in that disk image (like a package), OSX will start the OSX "Installer" to install it.
Depending on the situation or what the user does it may even run some "preinstall" or "installation check" scripts you supply with that package.
This patch turns XP's autorun into the Windows Vista/7 version. The dialog will appear. Right now on XP programs will launch without any user interaction at all...