Microsoft Kills AutoRun In Windows
aesoteric writes "Microsoft has finally decided to push out an update to disable AutoRun in its XP operating system, a Windows feature that had been increasingly exploited by virus writers over the years. But because Microsoft still sees AutoRun as a feature and not a security hole, it isn't calling its Windows Update a "security update" but rather an "Important, non-security update" — but it effectively disables the AutoRun feature anyway."
did you use autorun to post that?
Ask me about repetitive DNA
After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!
To donate the functionality to Ubuntu. That's nice of them.
Hopefully Ubuntu will do the same thing now.
Would be nice to have the option to enable/disable the feature..
If you do not know how to start a piece of software running, or cannot follow some simple directions to do so, you really have no business using a computer in the first place.
Man, this is just like Sony removing the "Other OS" feature from the PS3. I PAID for Windows XP because of the Auto-Run feature, as I'm sure many others have as well. This is a clear case of bait-and-switch deceptive marketing practicing. I wonder if a legal case could be made...
Rhymes that keep their secrets will unfold behind the clouds. There upon the rainbow is the answer to a neverending story
When I insert a USB stick, Windows XP opens an AutoPlay window asking me what action to take. If the autorun.inf file is found, the default choice in the AutoPlay window is to run whatever is in autorun.inf. What now? Does XP completely ignore autorun.inf with this update?
Not the same thing. This is just taking away auto-running; you can still run stuff manually and the update is not forced on you.
XP also has Autoplay which can also be coerced into doing nefarious things. Is that taken care of as well?
I am becoming gerund, destroyer of verbs.
Unless it's from an infected USB drive I guess...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Their CD rootkits won't run automatically
Bet you there's a super-secret way to re-enable autorun on a specific medium for just such reasons
(which will be discovered and exploited by malware writers)
I for one think this is a sensible thing to do.
Trolling? Windows update is NOT mandatory. You can choose not to install a specific fix and then it will not prompt you for it in the future. It's not like PS3, where you have to update to play online.
This is an update to KB967940, regarding the patch offered in KB971029 going to automatic updates.
I had to look up the numbers, so I thought I'd just share, and save anyone else the trouble.
Whoosh.
That is what I gathered from the article. For instance, you pop your new software disc into the optic drive and are prompted with the installer. This will not happen, post update.
You pop in your external hard drive and are prompted with the installer for the manufacturer's proprietary software... Parent was a bad example.
A computer that would run owt from a CD, unchallenged, needs her head's examined (sorry Sian Massey).
Interesting that this bugfix was released only for XP. In 7, there's a dialog, but autorun.inf can show anything there, so most users will be just as easily fooled.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
The thing that boggles my mind is Apple has 'Open "safe" files after downloading' as the default for Safari (and yes, "safe" is in quotation marks in the preferences)! I have to remember to uncheck it every time I use a new Mac.
Taking guns away from the 99% gives the 1% 100% of the power.
Sure, Auto-Run can help execute malicious code. But what's stopping users from navigating to that CD or flash drive and executing the code themselves? Aren't they the ones connecting the devices or putting the disks in their computer in the first place?
I know plenty of people who try to do things like download MP3s, somehow end up downloading and running viruses on their machines instead. I'm kind of seeing this as a similar problem. Unfortunately, there isn't a universally-satisfactory solution to these sorts of incidents on the software level: disabling autorun for everyone will take away the ability to do something like pop in an audio CD and have it play right away. Enforcing the use of antivirus software to catch all potentially malicious code can be taxing on older systems. Blocking the execution of programs when they're starting up until the user clicks an "Allow" button can be frustrating for anyone wanting to perform a few simple tasks. These features may prevent something bad from happening, but until that thing happens, the average user will probably find them to be annoying and disable them. Microsoft seems to think that it's best to hold the hands of those who may not entirely know better and take away this feature completely when they should just make an attempt to educate their users as to why they should be cautious when having auto-run enabled to keep them aware.
Then again, as this is an optional update, I could just be blowing smoke. Still, an update that removes a feature doesn't seem like the optimal solution.
Trolling? Windows update is NOT mandatory. You can choose not to install a specific fix and then it will not prompt you for it in the future. It's not like PS3, where you have to update to play online.
Hmmmm.... Seems you must be unable to recognize sarcasm. And here I thought I was humorless. ;)
"while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
Given that PKI (Public Key Infrastructure) has been around longer than Internet Explorer, I could never understand why autorun.inf files weren't signed. Didn't Microsoft learn from all the problems induced by autorun-like behaviours on Amiga and Macintosh?
Up until about MacOS 8 (I think) the Finder used to automatically execute .CODE resources in files on disk/HDD/CD whenever a new disc came online which is how most Mac viruses got propagated.
I run vista and I'm installing it right now, using windows update. I think the summary's just bad or people focused on XP 'cause so many of the attacks are geared towards it (the computers at my school get infected all the time through USBs).
open source modern art: laser taggi
And the villagers rejoiced.
The world is made by those who show up for the job.
Will nobody else say it? Ok, I'll say it without inserting some criticism about the timing, the need for this change, or whatever.
This needed to be done. The patch needed to be the default. The patch is here and it provides an improvement on the Windows experience not only for the Windows users, but for those of us who share an Internet with them.
So thank you, Microsoft, for doing the right thing.
Help stamp out iliturcy.
One might even suggest it wasn't a coincidence, but that would be absurd!
Great Intellect...
non-security updates don't always auto-update. This will remain an attack vector until they declare it a security update.
Blue Pill.
[sarcasm] He has auto-sarcasm turned of, you insensitive clod! [/sarcasm]
Autorun is not a bad idea. It has just been badly implemented. MS obviously found it easier to just disable it than to make it secure.
It's funny that MS disables this right after this article showed up.
I think it's funnier that MS disables it two years after this article. http://tech.slashdot.org/story/09/04/29/2110241/Microsoft-To-Disable-Autorun
And years after Microsoft admitted that their suggested methods of disabling autorun didn't really disable autorun at all. http://it.slashdot.org/comments.pl?sid=1038167&cid=25850755
bad analogy destroys sarcasm. But since you get 5 funny, I have to admit that sometimes bad sarcasm can still be funny sarcasm.
Except that TFA says that what MSFT did was to backport the Vista change to XP (which it did two years ago). It's been available for XP all that time. What's changed is that they've collected enough data to make them believe that pushing it to more users is a good thing.
When MSFT first announced they were disabling autorun on Win7, people screamed that the world was going to end. Well, it didn't.
Part of the reason that they were able to make this change is that they've had two years of operational experience with Windows 7 where nothing horrible happened.
There's a decent post on the MSRC blog that describes the logic behind the change.
Microsoft had to create autorun because too many people are too stupid to figure out how to navigate somewhere and find the file they need. Seriously.
A couple of years ago I copied a bunch of files onto a CD for my wife's boss. The next day she calls me from work -- he can't figure out how to access the files (this is a guy with some pretty substantial education). So I say "just tell him to copy the files from the CD to his hard drive". He literally had no idea how to do that. I refused to play along and spell out every exact step required and I just kept saying "I don't know any other way to explain it -- just copy the files from the CD to the hard drive." I don't know if he ever did it.
Creating a fake optical drive requires hardware support. However, it is true that nothing prevents a virus from replacing the U3 drive's ISO with malware, which would then autorun. For some crazy reason, on most U3 drives the ISO is stored in flash and is updatable, although they don't make it particularly easy to discover how to write a new image.
Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
U3 enabled flash drives emulate a CD-ROM from the *hardware* level - it's not just software on the drive, but actually seems to appear on the USB bus as a CD-ROM as well as a flash drive. So a virus on a standard flash drive couldn't do this. Perhaps the contents of the emulated CD-ROM on a U3 drive could be hacked to load a virus, but that part of the drive is not user-writable in any apparent way, so it wouldn't be trivial.
Dude thanks for the belly-laugh. I needed that. ;)
Mod points: Guaranteed to remove your sense of humor.
Side effects may include gullibility and temporary retardation
Because autorun doesn't happen by default in Vista and Win 7. That "task window" you mention appears for media that would have autorun in previous editions of Windows, and basically removes the security problems.
And if you found it naggy then turn it off. Personally, I really like it. And I think the moving of the autorun functionality to the task window is a pretty good compromise between the convenience aspect of autorun and the security enhancement of not autorunning.
About the only thing that immediately comes to mind in terms of what I would improve is to add the ability to say "always take this action for this particular volume". Then I could tell it to never do anything when I plug in my camera for instance, but to open that dialog when I put in my USB stick. I don't know how to do that.
you can still run stuff manually
Really? If an autorun menu doesn't pop up what do I do? How do I make the CD, y'know do stuff?
and the update is not forced on you
Microsoft is pushing it on me. I think my computer gets those automatically. I can't make CD work and you want me to stop the whole of Microsoft pushing an update?
I'm suing.
LOL. Seems to me you need to learn to recognize the difference between ffreeloader and nebaz. Nebaz is the funny man. I'm the humorless guy that can still recognize sarcasm....
"while democracy seeks equality in liberty, socialism seeks equality in restraint and servitude." de Tocqueville
...a car that would start its engine and ran straight into traffic as soon as anyone sat into it?
It is auto-run after all...
Against stupidity the gods themselves contend in vain
Don't post as AC, get a nickname. Maybe something with "pompous" in it is available.
At which point, it's probably easier to simply burn a CDR with the virus on it.
Yeah, in a ten-year-old OS. I'd rather the people who might have been implementing a more secure XP Autorun instead do work on W7 or 8.
FC Closer
Turned of what? :P
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
OR worse yet... what about the annoying message of You need to format the disk in drive X: before you can use it. It is so annoying that every time I want to plug a HDD with half ext3 half ntfs partitions I have to see that annoying message.
Ubuntu is an African word meaning 'I can't configure Debian'
It doesn't stop autorun on CDs and other shiny media. What it now stops is autorun on portable USB drives and the like. See this El Reg article which is more enlightening than TFA.
A False Positive? Yeah, many autorun applications get that...
I'd give you that if I thought for a second we would see it in 7 or 8.
Please, then, tell me how it is that every Windows network I've ever worked in / on or built in the last 15 years has succumbed to a virus on at least one client sooner or later, even if managed by a huge multi-national company? Could it be that antivirus is actually pretty worthless because it doesn't do its job as advertised?
Back in my previous workplaces, we would refer to it as a "canary". When the antivirus was disabled and stopped talking back to the antivirus consoles on the server, we knew that machine was infected and would require reimaging. Viruses disabling or slipping past the antivirus without any other indication there was something wrong were very common. The antivirus itself ever only detected false positives and/or very trivial, fleeting "viruses" like a javascript malware page that only worked in IE (and we weren't using IE - it just saw it in the Firefox cache!).
Antivirus is snake-oil. If you're relying on that to protect you against malware, good luck. Chances are that your antivirus will *not* catch the majority of viruses that you're likely to encounter. Go check out the statistics on VirusTotal.com - most antivirus programs, even the most up-to-date, can't even detect viruses that other antivirus do, let alone all the ones that sneak past ALL antivirus packages.
Antivirus is a tool, not a cure. It's useful for detecting an existing virus infection. It does *not* prevent it, by any means. However, autorun being off can *totally* prevent an autorun-distributed virus.
Viruses *work* by deliberately crashing, hanging, exploiting, etc. programs in order to execute code - in the process they then want to download more code, store it, modify the disk, trampoline onto another saved executable, etc. By the time something hits the disk, the virus is already executing, by the time something appears in the process list, the virus is already executing - and it *doesn't* necessarily mean that at any point any antivirus "hook" (like disk reads/writes, etc.) would even execute.
Antivirus, generally, doesn't stop virus infections, it merely detects and/or cleans them. Decent security procedure (and proper programming) is the only thing that *stops* a virus - firewalls, least-privilege and turning off crap that wants to execute code.
Remove the "hide file extension" stupidity that makes it easy for trojans to get ran.
Honestly, the manager that green-lighted that feature and continues to make it exist in the OS needs to be fired, tarred, feathered, and then put in stockades so the rest of us can do what we want to him.
Do not look at laser with remaining good eye.
You sir are what we call in the IT world as a....
N00B.
Please come back when you actually know something about computers.
Do not look at laser with remaining good eye.
So Linux guys, be happy where you are. Drop to your knees and thank RMS that Linux is still CLI heavy in Ubuntu if anything goes wrong, and the whole Linux setup seems "too hard" for the average Windows user. Be glad, oh dear Lord be glad. Because if you ever manage to lure them over the malware writers will be right behind them and your pretty OS will be turned into a giant festering turd.
Bad news, I switched my mom and my sister (a deadly living weapon of indiscriminate cyber-destruction) over years ago, neither of them have had any trouble or know what the hell a CLI is :-(
I think I may have triggered the Linuxpocalypse O_O
"When information is power, privacy is freedom" - Jah-Wren Ryel
...Windows had a decent security model. The automatically run software shouldn't have write access to anything, in the first place, unless the user explicitly says so.
They need to also by default show file extensions in explorer.
Details can be found in the documentation
Example:
[Settings]
AutoRunInf=1
AutoRunKey=MySecretKey
delay=2000
[Settings]
AutorunInfRestricted=1
This checks for "MySecretKey" in the autorun.ini file. If the key is found, it waits 2 seconds and then executes the autorun.ini file, but with reduced privileges.
You must start working for the RIAA then, they constantly pull numbers out of their asses...
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
Autorun is a bad idea. There is reason for 'inserting a cd' =='do what ever is instructed on it'. Remember that it was also the means of the sony root kit.
It entirely depends on the good will of the maker of the cd. Anyone can write removable media and the ones that use professional press are known to not be reliable. This is not just bad implementation, it is no implementation.
Note that autorun is not prompting the user about what to do when a media is inserted. It is the blind execution of whatever is in autorun.inf. There is no correct implementation of this.
Should have been done from the get go on windows 95...seriously, how much code does it take to say default autorun=NO!
lol i'm sure everyone when they purchase a pc with windows is thinking, "gee, i'm sure glad they have that autorun feature!" last i checked autorun is what makes ur pc so damn slow when booting up cuz it loads all this bloatware at startup- printer, sound, graphics, adobe stuff, microsoft stuff, blah blah blah blah. ... and THEN there are those viruses which take advantage of this. it should have been done earlier. all autorun generally does is make programs load faster when you start them for the first time.
and haruchai's comment about help desk? are y'all too stupid to understand what autorun accomplishes? hint.. if you're too lazy to open a program when it first boots, you can always put a link on your desktop so you don't have to search through the start menu! if you're too stupid... well i guess that doesn't make you much different than nearly every other american i've met.
Although everybody keeps saying that it will display "MyPhoto.jpg.exe" as "MyPhoto.jpg" and thus mislead people, while I certainly admit it is quite likely, I am confused why the MS defenders don't point out that it should not confuse people because a real "MyPhoto.jpg" would display as "MyPhoto" and thus be different than the bogus file.
Can somebody explain this?
If in fact it deletes the entire ".jpg.exe" it would explain confusion, but then it means MS is using different rules in different parts of the code (ie it uses only the ".exe" rather than ".jpg.exe" to figure out what to do) which I think is far stupider than I believe even they would have done in the dark ages of 1990 or whenever they started this...
i understand if clicking Start-> My Computer -> Right-clicking on CD-Rom Drive and clicking Run/Open is too complicated for you... three steps is generally 2 more than the average lazy person is willing to take...
You jest, but it's likely the change disables Autorun by default rather than actually removes it. Removing (or adding) features is a difficult task, especially in Windows. Things can break in the oddest places when you remove the code. Heck, it's so bad that Microsoft will often do binary-patches rather than re-link executables (apparently they've been burned by relinking and processor errata).
Plus, who knows how many companies require Autorun to actually work for some of their processes. Scary, but true.
Heck, we're bound to see people complain about the new default off setting.
What a coincidence! Where I work we have nifty little software utilities called Antivirus Programs too. (Disclaimer: I haven't personally run one of these nifty utilities on my own computer in a number of years, but I've had to help many people who do run them regularly). It is hard to tell how well they work, because we don't seem to regularly work with infected discs or drives like you do (I do wonder how you manage to get all these infected media, but I digress), but I have noticed that these utilities are very good at promoting contemplation. Some of our computers get so slow that it gives the users time to contemplate what they are working on, or what they are writing.
One of our users found that their nifty utility would no longer update itself, and he was advised to reinstall. The installer would hang, so some friendly people overseas advised him to remove the software and reinstall. It seems that the software did not want to completely uninstall, so the friendly people overseas sent him a super-secret nifty program to completely remove the software. Well, that software couldn't uninstall it either, so the friendly people from lands afar used some magic software to take control of this computer so that they could run the same un-installer. After that, the computer would not reboot into Windows. When these friendly people were contacted, their response was "If your computer cannot boot after our software was removed, then it obviously is a problem with the operating system and you need to contact your operating system vendor."
I have another very amusing story about another person who apparently did not fully appreciate all the contemplative time he was being given by his nifty utility, so he decided to switch to a different vendor who provided their own nifty utility software. Well, maybe it's more like one of those "some day we'll look back on this and laugh" kind of story.
Tada! Problem solved.
Well, maybe that problem was solved ...
It's obvious why you're an AC -- you have no smegging idea what you're talking about.
Amiga had autorun to the same extent DOS did. There was a bootblock that contained a small snippet of binary code to get the machine booted and running. This bootblock was not accessible via the filesystem, and only specialized tools could write there.
In other words, it was exactly analogous to the bootblock/partition table that's on the hard disk you have today.
Yes, virus writers exploited this feature on Amiga, exactly as they exploited it on DOS and Windows.
Schwab
Editor, A1-AAA AmeriCaptions
Amiga had a "disk inserted" event, which would often trigger programs looking for the event, such as Workbench, to look at the just-inserted disk to see what was on it. But except for initially booting the system, Amiga would never load and run code off a disk merely because you inserted it.
Schwab
Editor, A1-AAA AmeriCaptions
Not true. Auto run does NOT have to be 'inserting a cd' =='do what ever is instructed on it'. That is the description of badly implemented autorun. Autorun doesn't have to be any more dangerous than surfing the web. In fact in all ways, a system that takes equal care in security will always be more vulnerable via the web.
Autorun done right would still play music and video automatically. If there is a security hole in the audio or video codecs, you are already screwed by having a web browser, as that is a dramatically easier way to deliver those payloads. For executables, instead of blindly running any executable on the disk, OS should supply the splash screen/menu that virtually all legitimate software has. By having the OS supply the splash menu and only use text and graphics from the removable media, again are no more at risk than being on the internet. You are dramatically safer, as the splash menu can be dramatically simpler than a web browser, and thus has less surface to have attack vectors. The splash menu can checksum the and with the user's permission allow all future attempts to run without user intervention. Since the user was asked if they want to run the full executable, you are in no greater risk than if the user launches the executable by hand.
When you opened this page, code was Autorun on your system. Autorun from removable media does not have to be any more dangerous than reading Slashdot.
Yes, but in a moment of no concern, I hit the Install Updates button but this patch(1026) was not auto-applied.
The update came back to me, I could not apply until I read the data.
I hid this update!
Thanks for posting that this was not a security issue....
Don't you think...? Or don't you?
M$ will keep having trouble until their "boilerplates" are made from good American steel rather than the shoddy and communist Chinese crap. Windows is such a crap pile that you can actually compost your garden with it. Trouble is all plants fertilized by Windows are subject to GATES EULA and you can't eat them unless you have a valid license.
"Any sufficiently advanced technology is indistinguishable from magic." - Arthur C. Clarke
That is not autorun. Autorun is execution of arbitrary code specified in autorun.inf. Also what you describe is not an autorun but a multimedia 'icon'. All of these are interesting ideas but they do not constitute an autorun.
When i loaded this page, i loaded code to be executed. Inserting a removable media is not loading code.
Doing presentation splash screen in sandbox is very useless and does not correspond to what microsoft intended with the autorun hack.
http://en.wikipedia.org/wiki/Autorun
AutoRun was introduced in Windows 95 to ease application installation for non-technical users and reduce the cost of software support calls. When an appropriately configured CD-ROM is inserted into a CD-ROM drive, Windows detects the arrival and checks the contents for a special file containing a set of instructions. For a commercial application, these instructions normally initiate installation of the software from the CD-ROM. To maximise the likelihood of installation success, AutoRun also acts when the drive is accessed ("double-clicked") in Windows Explorer (or "My Computer").
For this to work as intended it needs to be able to run arbitrary code at the logged user id or system administrator, or be able to escalate to system administrator.
Without that autorun bullshit, audio cd will still play, photo import will still start and lame flash animation could still be played if configured correctly.
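The mechanism quoted above (Windows reading a special instruction file from newly inserted media) can be inspected before anything runs. The following Python is an added example, not part of the thread: it parses the text of an autorun.inf and separates the entries that name a command from the ones that only set what the user is shown. The sample file contents are constructed for illustration.

```python
import re

# [autorun] keys whose value is a command line.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command adds a drive context-menu entry that runs a command.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
# Keys that only control what the user sees (dialog text, icon, volume label).
DISPLAY_KEYS = {"action", "icon", "label"}


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Section and key names are matched case-insensitively, and lines that
    are not key=value pairs are skipped instead of raising an error.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text):
    """Split [autorun] entries into commands and display-only settings."""
    report = {"executes": [], "display": []}
    for key, value in parse_autorun(text).items():
        if key in EXEC_KEYS or SHELL_COMMAND.match(key):
            report["executes"].append((key, value))
        elif key in DISPLAY_KEYS:
            report["display"].append((key, value))
    return report


# Constructed sample: mixed-case names, a junk line, and a second section
# whose open= entry must not be reported.
SAMPLE_INF = r"""
; constructed sample for illustration, not taken from a real disc
[AutoRun]
OPEN=setup.exe /quiet
icon=folder.ico
action=Open folder to view files
shell\open\command=setup.exe
this line has no delimiter and is skipped
[Other]
open=ignored.exe
"""

if __name__ == "__main__":
    for kind, items in audit_autorun(SAMPLE_INF).items():
        for key, value in items:
            print(f"{kind:8} {key} = {value}")
```
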
You are being pedantic about the definition of 'Autorun'. By your definition, the report earlier of an Autorun exploit on Linux was completely wrong because if it is running on Linux, and is not executing arbitrary code specified in autorun.ini. You are using a different definition of Autorun than pretty much everyone else. Autorun is being used as a generic description of having stuff happen on your computer automatically when you insert a disk. Even differentiating between Autorun and Autoplay is just pointing to different shades of gray, as Autoplaying a DVD does launch code, as virtually every single commercial DVD has code in it, and 'autoplay' launches that code.
If you take a step back and look at what is trying to be accomplished by autorun, it can easily be tweaked to offer 99.9 % of the functionality, while removing all of the security risks that don't already exist in your web browser.
You are also wrong about your definition of loading code. If inserting removable media into your computer makes code load, then inserting media into your computer is loading code. Just as putting a DVD into an XBox is 'loading the game'. So, my statement still stands that you are loading code either way. And, even if loading a web page IS loading code and putting in media isn't, it only points out how lame it is to complain about the existence of autorun when you are running code implemented by unknown sources on your computer every day.
You are wrong. Autorun is used on every single console ever released that has removable media. Every single one.
Being able to permanently authorize a volume would make it 99.9% as convenient as not having the dialog box at all, and would give 100% of the security.
Why, do your pressed CDs regularly change their contents?
Running the right application based on what media was inserted is like associating a file type with some app. It does not execute what is on the media, it merely passes the data to a pre-installed application that is authorized and configured for that purpose. The removable media is treated like data, it is not code. It is not autorun.
Autorun is a microsoft invention and i think their definition of this "technology" is the right one...
Sorry, I misspoke. I should not have said "at all". I meant that if you could authorize the volume, you would not need the dialog AFTER that. I was agreeing with you.
Funny, my atari 2600 would disagree with you, so would my DVD playing software.
Ah, no worries. I see what you meant... I read the "and 100% of the security" as a bit of sarcasm, and referring to "100% of the sarcasm of the old XP way (not having the dialog box)."