Slashdot Mirror


Microsoft Kills AutoRun In Windows

aesoteric writes "Microsoft has finally decided to push out an update to disable AutoRun in its XP operating system, a Windows feature that had been increasingly exploited by virus writers over the years. But because Microsoft still sees AutoRun as a feature and not a security hole, it isn't calling its Windows Update a "security update" but rather an "Important, non-security update" — but it effectively disables the AutoRun feature anyway."

56 of 340 comments

  1. XP now more secure than Linux? by Anonymous Coward · · Score: 2, Interesting

    After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!

    1. Re:XP now more secure than Linux? by MrEricSir · · Score: 4, Funny

      As long as you never run IE, don't connect your computer to the internet, and never insert external media, then YES!

      --
      There's no -1 for "I don't get it."
    2. Re:XP now more secure than Linux? by 0123456 · · Score: 4, Informative

      After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!

      The 'autorun on Linux scare' appears to be primarily due to automatically displaying thumbnails of corrupted files which exploit holes in image and video rendering libraries; so Windows is at least as insecure. Windows was far more insecure when it would also happily load a DLL from the USB drive in order to perform that rendering because '.' was first in the DLL search path.

      Plus Ubuntu, at least, now seem to be wrapping the thumbnail generators in AppArmor which makes it far more difficult to exploit.

    3. Re:XP now more secure than Linux? by hairyfeet · · Score: 2

      Well that and the fact that there are some seriously stupid users on Windows. Believe me I know she opened and ran a password protected zip file with me sitting right exactly there and telling her "What are you doing? Don't open that! It's a virus!" and I got "It's from my BFF Kim, and she wouldn't do that! Stop being so paranoid." and then promptly infected the living hell out of her machine.

      So Linux guys, be happy where you are. Drop to your knees and thank RMS that Linux is still CLI heavy in Ubuntu if anything goes wrong, and the whole Linux setup seems "too hard" for the average Windows user. Be glad, oh dear Lord be glad. Because if you ever manage to lure them over the malware writers will be right behind them and your pretty OS will be turned into a giant festering turd. Because users like that will happily run "Happy_Puppy.sh" or "Hot_Porn.py" and follow the nice instructions the virus writers hand them.

      Hell you can write a Linux virus in 5 easy steps just by using the social engineering that I see every damned day on Windows. With those kinds of users all the fancy security in the world is worthless, because they are more than happy to follow instructions if they think they get a goodie at the end...shudder...

      So while I'm glad that MSFT killed autorun frankly I can't remember the last time I saw it used as an attack vector on a PC I had to work on. Nowadays it is usually the "ZOMG! U got teh Viruz! Run this "Viruzkillz.exe" to kill it!!!" Or the classic "Having trouble viewing the free porn? Just run the "Supercodec.exe" to get all the free action right now!!!". Man they fall for those two every time..

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:XP now more secure than Linux? by Neil+Boekend · · Score: 2

      Servers don't have users who think "oo puppies" and open an executable file conveniently named "dancing_puppies" (add the correct extension) and disable the virusscanner and firewall if it starts to complain. "Shut up firewall, I want to see the puppies!". People even disabled the rights escalation (UAC) in Vista and 7. "I don't want to see another warning when I install stuff, just install it". There may be more security holes in Windows, but the biggest hole is the user.
      Replace puppies with naked women for male users.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  2. Option? by silentphate · · Score: 2

    Would be nice to have the option to enable/disable the feature..

    1. Re:Option? by BradleyUffner · · Score: 5, Informative

      Would be nice to have the option to enable/disable the feature..

      It has been an option for as long as I can remember. It used to be one of the first things I turned off after a new install, right after I turned on the display of File Extensions.

    2. Re:Option? by stonewallred · · Score: 4, Insightful

      One of the most annoying things about Windows. Hiding the file extension by default.

    3. Re:Option? by kindbud · · Score: 3, Insightful

      Hiding the filename extension is not a virus vector. Having the OS assume a file is just the type that the name says it is, is the vector whether the extension is hidden or not. Granting execute permissions based on its name rather than its permissions, is a virus vector. Assuming a jpg file is an image format and passing it unchecked to a thumbnail rendering subsystem is a vector, not hiding the jpg extension.

      You can hide file extensions in Linux file managers. MacOS hides file extensions. Files with hidden extension are not going to be a vector for you or for Mac users on account of the hidden extension. They don't work that way.

      --
      Edith Keeler Must Die
    4. Re:Option? by Hooya · · Score: 4, Insightful

      A file name lolcat.jpg.exe is a mighty tempting thing to double click on. Granted, the user is the vector. But then, the OS is not helping by making it easy to dupe people into thinking a file is an image vs an exe.

      Even if the OS fingerprinted the file instead of relying on the extension, the above scenario doesn't change. The file contents never lied about what the file was. The name was just mis-represented and the OS helped dupe the user into thinking it was an image.

    5. Re:Option? by QuantumG · · Score: 4, Informative

      Sigh. On a Mac, my drunken bigoted friend, a Mach-O file renamed to foo.jpg will happily run *because* the operating system dives into the file format to figure out how to run it. If I embed the appropriate icon resource in the file it'll even look like your default image viewer is going to open it, and if I subsequently start that image viewer once I've got control you'll never know it wasn't.

      That's the security flaw: you can make an icon look to the user like it will only open up the image viewer, when actually arbitrary code will be executed.

      Without file extensions being hidden you see foo.jpg.exe and say "that's an exe, I'm not going to run that", even if it has a friendly jpg icon embedded in it.

      --
      How we know is more important than what we know.
    6. Re:Option? by exomondo · · Score: 4, Interesting

      A file name lolcat.jpg.exe is a mighty tempting thing to double click on. Granted, the user is the vector. But then, the OS is not helping by making it easy to dupe people into thinking a file is an image vs an exe.

      If, when UAC pops up to tell the user that the *program* lolcat.jpg.exe is about to make changes to the system, the user still clicks allow/yes/whatever then there's really not much more you can do.

    7. Re:Option? by TheLink · · Score: 4, Informative

      AFAIK if you download that mach-o file from a website the resulting downloaded file will not be set to executable automatically, and the "victim" cannot run it.

      The victim will have to do the equivalent of chmod +x on it first.

      On the other hand if you create an appropriate disk image file and set the mimetype to application/x-apple-diskimage OSX will mount the disk automatically. And if you put the right things in that disk image (like a package), OSX will start the OSX "Installer" to install it.

      Depending on the situation or what the user does it may even run some "preinstall" or "installation check" scripts you supply with that package.

    8. Re:Option? by Lord+Bitman · · Score: 2

      I could have sworn the problem there was that "open with default viewer" was activated with the same action as "allow this program to do anything it wants to with my files"

      --
      -- 'The' Lord and Master Bitman On High, Master Of All
    9. Re:Option? by hairyfeet · · Score: 2

      Or you can have it pretty butt simple (and free to boot!) by just giving your family/customers Comodo AV which by default runs everything in a sandbox unless you tell it not to. Makes it real easy to deal with those that are "clicky clicky" happy and since it has a whitelist of "known clean after scanning" Windows system files it doesn't interfere with things like Windows Update.

      So if anybody here has friends/family or customers that get infected waaay too often, give Comodo AV a try. It is free, easy to install, its defaults are sensible and err on the side of caution, and so far none of my users have gotten a single bug in over a year since I switched them to it, and these folks could get more viruses than a Bangkok Whore, so that is saying something!

      --
      ACs don't waste your time replying, your posts are never seen by me.
  3. Should have never been there. by olsmeister · · Score: 4, Insightful

    If you do not know how to start a piece of software running, or cannot follow some simple directions to do so, you really have no business using a computer in the first place.

    1. Re:Should have never been there. by haruchai · · Score: 5, Insightful

      You've never worked a helpdesk, have you?

      --
      Pain is merely failure leaving the body
    2. Re:Should have never been there. by dnaumov · · Score: 3, Insightful

      For as long as stupid people will continue to have money, computers and operating systems will be made (and sold) to accommodate such people. That's just the way it is.

    3. Re:Should have never been there. by sharkey · · Score: 2

      Too true. How hard is LOAD AUTORUN.EXE,8,1 anyway?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    4. Re:Should have never been there. by LordNimon · · Score: 5, Insightful

      Betty Crocker has a FAQ on all the ways you can screw up cooking Hamburger Helper. Would you say the people who need the help have no business eating?

      No, I would say they have no business cooking.

      --
      And the men who hold high places must be the ones who start
      To mold a new reality... closer to the heart
    5. Re:Should have never been there. by Junior+J.+Junior+III · · Score: 4, Insightful

      I'd wager he has.

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    6. Re:Should have never been there. by Anonymous Coward · · Score: 3, Interesting

      This is not a commentary on autorun. This is a commentary on a vendor's piss-poor software quality. If the software could not be invoked any way other than autorun, then the vendor, and not Microsoft, is to blame.

    7. Re:Should have never been there. by nabsltd · · Score: 3, Informative

      True in general, but some Windows installation disks do more than just run setup.exe on startup and instead have rather involved scripts in autorun.inf. I had a driver/utility CD for an NAS device that created a menu of the manufacturer's different models via autorun and could not be invoked any other way

      There is no scripting in AUTORUN.INF...it's really just a very simple INI file. The only thing that could be considered a "script" is the ability to run different programs based on the machine architecture and OS version (controlled by square-bracketed INI section heading tags).

      If you trust a disc, you can just open the AUTORUN.INF file with a text editor and copy what is to the right of "open=" and paste it into the start menu run box and it will do exactly what would have happened if autorun was enabled.
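
Added example, not part of nabsltd's post or the thread: a small Python reader for the INI layout described above, listing which `autorun.inf` entries name a program to launch and which only supply text or icons for the AutoPlay dialog, so a disc or drive can be reviewed without running anything. The sample file is constructed, and the `[autorun.amd64]` section name is an illustrative assumption for an architecture-specific section.

```python
import re

# Constructed sample autorun.inf; file names are placeholders.
SAMPLE = """\
; constructed sample
[autorun]
open=setup.exe /s
icon=setup.exe,0
label=Vendor NAS Utilities
action=Open folder to view files
shell\\explore\\command=menu.exe

[autorun.amd64]
Open=setup64.exe
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
# Keys whose value is a command line the shell would start.
_EXEC_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")
# Keys that only change what the user sees in Explorer or the AutoPlay dialog.
_DISPLAY_KEYS = {"icon", "label", "action"}


def parse_autorun(text):
    """Return {section: {key: value}}; section and key names are lower-cased.

    Lines that are not comments, section headers or key=value pairs are
    skipped instead of raising, since the file may contain junk lines.
    """
    sections = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = _SECTION.match(line)
        if header:
            name = header.group("name").strip().lower()
            current = sections.setdefault(name, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return sections


def _autorun_sections(sections):
    """Yield the [autorun] section and any [autorun.<suffix>] variants."""
    for name, entries in sections.items():
        if name == "autorun" or name.startswith("autorun."):
            yield name, entries


def launch_entries(sections):
    """List (section, key, command) for every entry that names a program."""
    return [(name, key, value)
            for name, entries in _autorun_sections(sections)
            for key, value in entries.items()
            if _EXEC_KEY.match(key) and value]


def displayed_entries(sections):
    """List (section, key, value) for entries that only affect presentation."""
    return [(name, key, value)
            for name, entries in _autorun_sections(sections)
            for key, value in entries.items()
            if key in _DISPLAY_KEYS]


if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE)
    for section, key, command in launch_entries(parsed):
        print(f"[{section}] {key} would run: {command}")
    for section, key, value in displayed_entries(parsed):
        print(f"[{section}] {key} shown to user: {value}")
```
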

    8. Re:Should have never been there. by shentino · · Score: 2

      If you're not a mechanic you have no business driving a car.

    9. Re:Should have never been there. by Sulphur · · Score: 2

      If you're not a mechanic you have no business driving a car.

      Obligatory car analogy:

      Imagine a car without an ignition key or similar; a kid might touch something and make it start.

  4. Removing a feature? That I PAID for? by nebaz · · Score: 4, Funny

    Man, this is just like Sony removing the "Other OS" feature from the PS3. I PAID for Windows XP because of the Auto-Run feature, as I'm sure many others have as well. This is a clear case of bait-and-switch deceptive marketing practicing. I wonder if a legal case could be made...

    --
    Rhymes that keep their secrets will unfold behind the clouds. There upon the rainbow is the answer to a neverending story
  5. What about AutoPlay? by paultwang · · Score: 2

    When I insert a USB stick, Windows XP opens an AutoPlay window asking me what action to take. If the autorun.inf file is found, the default choice in the AutoPlay window is to run whatever is in autorun.inf. What now? Does XP completely ignore autorun.inf with this update?

    1. Re:What about AutoPlay? by The+MAZZTer · · Score: 4, Informative

      According to the MS article thing on it, that won't happen anymore. Autorun only happens for CD/DVD discs now. In fact this update SPECIFICALLY targets thumb drives for disabling autorun (though it affects all non-disc drives).

  6. Sony will be annoyed by Ynot_82 · · Score: 4, Funny

    Their CD rootkits won't run automatically

    Bet you there's a super-secret way to re-enable autorun on a specific medium for just such reasons
    (which will be discovered and exploited by malware writers)

    1. Re:Sony will be annoyed by Centurix · · Score: 3, Interesting

      Wonder if they've disabled the fetching of custom icon files from the drive as you insert it. Nice place to find buffer overflows.

      --
      Task Mangler
    2. Re:Sony will be annoyed by ILuvRamen · · Score: 4, Informative

      Actually the update, which I just downloaded, states in the summary that it disables autorun for all devices except CD and DVD drives. At least it'll kill USB drive viruses and the even worse autolaunching U3 crapware on some USB drives lol.

      --
      Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
    3. Re:Sony will be annoyed by woolpert · · Score: 2

      At least it'll kill USB drive viruses and the even worse autolaunching U3 crapware on some USB drives lol.

      Nope. U3 "crapware" works because a U3 flash drive mounts with two USB endpoints, one of them identifying itself as a CD drive. All the autorun "magic" of U3 happens from the CD-ROM endpoint.

  7. Still available for CDs and DVDs. by Kippesoep · · Score: 2

    This is only for things like USB sticks etc. It's not like every CD-ROM that John W. Clueless has ever bought is suddenly going to stop auto-running. From the original source:

    ...so this update does not turn off the feature entirely. For example, it does not impact "shiny media" such as CDs or DVDs that contain Autorun files.

    I for one think this is a sensible thing to do.

  8. Knowledge Base references by Anonymous Coward · · Score: 5, Informative

    This is an update to KB967940, regarding the patch offered in KB971029 going to automatic updates.

    I had to look up the numbers, so I thought I'd just share, and save anyone else the trouble.

    1. Re:Knowledge Base references by initialE · · Score: 3, Informative
      --
      Starbucks, Harbuckle of Breath.
    2. Re:Knowledge Base references by initialE · · Score: 5, Informative

      Hate to reply to myself, but this http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx needs a read too. It plots the relationship between autorun and malware. Interesting how Microsoft still considers this a "non-security related update", as autorun has been an easy vector with which to poison your Windows installation. Important to note that autorun will still work as expected on CD and DVD media, meaning Sony Rootkits are still going to be installed on your computer.

      --
      Starbucks, Harbuckle of Breath.
  9. Re:not the same thing this is just takeing away a by Anonymous Coward · · Score: 5, Informative

    Whoosh.

  10. Re:How does autorun get you a virus? by pz · · Score: 4, Insightful

    Or an infected CD-ROM or DVD, etc. Or the infected ISO you downloaded and mounted as a drive. Or the network drive that was just mounted. Or your MP3 player mounted in UMS mode. Or an infected external drive. Or a CF or SD/SDHC card mounted through a USB adapter. Or ...

    You get the picture. Auto-Run was a bad idea. I'm glad they disabled it.

    --
    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  11. 7 and Vista still vulnerable by KiloByte · · Score: 3, Informative

    Interesting that this bugfix was released only for XP. In 7, there's a dialog, but autorun.inf can show anything there, so most users will be just as easily fooled.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:7 and Vista still vulnerable by Tacvek · · Score: 3, Insightful

      The exact set of changes being offered here were a part of Windows 7 from day one. Windows 7 completely ignores the "Open=" entries in any autorun.inf file except for those loaded in devices that claim to be optical media. (So CDs and DVDs will still show the autorun option in the autoplay menu, as will U3 style flash drives, etc)

      This is just a patch to older systems to include the same behavior.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    2. Re:7 and Vista still vulnerable by Manip · · Score: 4, Informative

      This patch turns XP's autorun into the Windows Vista/7 version. The dialog will appear. Right now on XP programs will launch without any user interaction at all...

  12. AutoRun was always broken by scdeimos · · Score: 5, Insightful

    Given that PKI (Public Key Infrastructure) has been around longer than Internet Explorer, I could never understand why autorun.inf files weren't signed. Didn't Microsoft learn from all the problems induced by autorun-like behaviours on Amiga and Macintosh?

    Up until about MacOS 8 (I think) the Finder used to automatically execute .CODE resources in files on disk/HDD/CD whenever a new disc came online which is how most Mac viruses got propagated.

    1. Re:AutoRun was always broken by Anonymous Coward · · Score: 5, Interesting

      As the inventor of AutoRun (Microsoft even contacted me for prior art when they were sued over it) it saddens me to have it killed off like this.

      The original autorunner on the Amiga had a UI element to easily toggle it on/off for a drive, which is about as secure as trusting users not to just click on spyware.exe anyway. You can't protect users from running spyware if they are careless, but you can make it easy for them to control the behavior. Instead Microsoft buried the controls and made it next to impossible to turn off for a particular disk... I think you could disable it by holding shift, or alt, or control, or something. Nobody can remember that and there's no indication that it's working.

      Back in the days of swapping actual disks because there was no HD or it was tiny autorun was an awesome tool, and it's still a nice convenience for users to install drivers, etc. It didn't need to be such a security problem like it was on Windows.

    2. Re:AutoRun was always broken by Pentium100 · · Score: 3, Interesting

      Autorun made some sense when it worked only on CD-ROM disks, though sometimes it still was annoying (start a game, the game asks for the CD, insert the CD and the installer starts - this on slow PCs with little memory and slow CD drives). It did not work on floppies, so maybe someone saw that it would be bad. When USB flash drives replaced floppies in everyday use it was only a matter of time before virus writers took advantage of Autorun.

    3. Re:AutoRun was always broken by rallymatte · · Score: 2

      Sounds nice, but a little bit nostalgic to me.
      Suppose you do mention that it was an awesome tool and that it's only nice at best these days, but I say, get rid of it. No need really. Pop up a window with the disk, disk image or whatever it might be and let the user decide what to do.
      Works rather well on my Mac, it even works really well for my dad now that he's gone over to Mac, and I assure you, he's not that technical.

  13. This was a needful thing. by symbolset · · Score: 3, Funny

    Will nobody else say it? Ok, I'll say it without inserting some criticism about the timing, the need for this change, or whatever.

    This needed to be done. The patch needed to be the default. The patch is here and it provides an improvement on the Windows experience not only for the Windows users, but for those of us who share an Internet with them.

    So thank you, Microsoft, for doing the right thing.

    --
    Help stamp out iliturcy.
  14. Re:Funny by bky1701 · · Score: 2

    One might even suggest it wasn't a coincidence, but that would be absurd!

  15. non-security updates don't always auto-update by Culture20 · · Score: 3, Informative

    non-security updates don't always auto-update. This will remain an attack vector until they declare it a security update.

  16. Re:Removing a feature? That I PAID for? by tomhudson · · Score: 4, Funny

    Trolling? Window update is NOT mandatory. You can choose not to install a specific fix and then it will not prompt you for it in the future. It's not like PS3, where you have to update to play online.

    Hmmmm.... Seems you must be unable to recognize sarcasm. And here I thought I was humorless. ;)

    [sarcasm] He has auto-sarcasm turned off, you insensitive clod! [/sarcasm]

  17. Re:Removing a feature? That I PAID for? by Belial6 · · Score: 3, Insightful

    Autorun is not a bad idea. It has just been badly implemented. MS obviously found it easier to just disable it than to make it secure.

  18. Re:How does autorun get you a virus? by Belial6 · · Score: 2

    Autorun was not a bad idea. It was a very good idea that was badly implemented. For any media, there is no reason that the autorun needed to run an executable. It could very easily have used an OS supplied splash screen that used an ini to supply text, a graphic and a few launch buttons. That is all most autoruns do anyway. By using the OS's executable, it would have made it as secure as any other application that could display a graphic and text. Since IE was in the OS and could do both, the OS supplied autolauncher would not make the system any less secure than not having it at all. For writable media, the OS should let you generate an encrypted key that gets written to the media authorizing it to autolaunch an actual executable.

  19. Re:Shouldn't be necessary by Zomalaja · · Score: 2

    Don't post as AC, get a nickname. Maybe something with "pompous" in it is available.

  20. When do they fix the bigger hole in ALL OS's? by Lumpy · · Score: 2

    Remove the "hide file extension" stupidity that makes it easy for trojans to get run.

    Honestly, the manager that green-lighted that feature and continues to make it exist in the OS needs to be fired, tarred, feathered, and then put in stockades so the rest of us can do what we want to him.

    --
    Do not look at laser with remaining good eye.
  21. Re:Shouldn't be necessary by Lumpy · · Score: 2

    You sir are what we call in the IT world as a....

    N00B.

    Please come back when you actually know something about computers.

    --
    Do not look at laser with remaining good eye.
  22. While they're at it... by ProfanityHead · · Score: 2

    They need to also by default show file extensions in explorer.

  23. Stupid question by spitzak · · Score: 2

    Although everybody keeps saying that it will display "MyPhoto.jpg.exe" as "MyPhoto.jpg" and thus mislead people, while I certainly admit it is quite likely, I am confused why the MS defenders don't point out that it should not confuse people because a real "MyPhoto.jpg" would display as "MyPhoto" and thus be different than the bogus file.

    Can somebody explain this?

    If in fact it deletes the entire ".jpg.exe" it would explain confusion, but then it means MS is using different rules in different parts of the code (ie it uses only the ".exe" rather than ".jpg.exe" to figure out what to do) which I think is far stupider than I believe even they would have done in the dark ages of 1990 or whenever they started this...