Microsoft Kills AutoRun In Windows

aesoteric writes "Microsoft has finally decided to push out an update to disable AutoRun in its XP operating system, a Windows feature that had been increasingly exploited by virus writers over the years. But because Microsoft still sees AutoRun as a feature and not a security hole, it isn't calling its Windows Update a "security update" but rather an "Important, non-security update" — but it effectively disables the AutoRun feature anyway."

Re:AutoRun was always broken

As the inventor of AutoRun (Microsoft even contacted me for prior art when they were sued over it) it saddens me to have it killed off like this.

The original autorunner on the Amiga had a UI element to easily toggle it on/off for a drive, which is about as secure as trusting users not to just click on spyware.exe anyway. You can't protect users from running spyware if they are careless, but you can make it easy for them to control the behavior. Instead Microsoft buried the controls and made it next to impossible to turn off for a particular disk... I think you could disable it by holding shift, or alt, or control, or something. Nobody can remember that and there's no indication that it's working.

Back in the days of swapping actual disks because there was no HD or it was tiny autorun was an awesome tool, and it's still a nice convenience for users to install drivers, etc. It didn't need to be such a security problem like it was on Windows.

Re:Option?

[exomondo]

A file name lolcat.jpg.exe is a mighty tempting thing to double click on. Granted, the user is the vector. But then, the OS is not helping by making it easy to dupe people into thinking a file is an image vs an exe.

If, when UAC pops up to tell the user that the *program* lolcat.jpg.exe is about to make changes to the system, the user still clicks allow/yes/whatever then there's really not much more you can do.