Slashdot Mirror


Microsoft Kills AutoRun In Windows

aesoteric writes "Microsoft has finally decided to push out an update to disable AutoRun in its XP operating system, a Windows feature that had been increasingly exploited by virus writers over the years. But because Microsoft still sees AutoRun as a feature and not a security hole, it isn't calling its Windows Update a "security update" but rather an "Important, non-security update" — but it effectively disables the AutoRun feature anyway."

36 of 340 comments

  1. Should have never been there. by olsmeister · · Score: 4, Insightful

    If you do not know how to start a piece of software running, or cannot follow some simple directions to do so, you really have no business using a computer in the first place.

    1. Re:Should have never been there. by haruchai · · Score: 5, Insightful

      You've never worked a helpdesk, have you?

      --
      Pain is merely failure leaving the body
    2. Re:Should have never been there. by dnaumov · · Score: 3, Insightful

      For as long as stupid people will continue to have money, computers and operating systems will be made (and sold) to accommodate such people. That's just the way it is.

    3. Re:Should have never been there. by LordNimon · · Score: 5, Insightful

      Betty Crocker has a FAQ on all the ways you can screw up cooking Hamburger Helper. Would you say the people who need the help have no business eating?

      No, I would say they have no business cooking.

      --
      And the men who hold high places must be the ones who start
      To mold a new reality... closer to the heart
    4. Re:Should have never been there. by Junior+J.+Junior+III · · Score: 4, Insightful

      I'd wager he has.

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
    5. Re:Should have never been there. by Anonymous Coward · · Score: 3, Interesting

      This is not a commentary on autorun. This is a commentary on a vendor's piss-poor software quality. If the software could not be invoked any way other than autorun, then the vendor, and not Microsoft, is to blame.

    6. Re:Should have never been there. by nabsltd · · Score: 3, Informative

      True in general, but some Windows installation disks do more than just run setup.exe on startup and instead have rather involved scripts in autorun.inf. I had a driver/utility CD for a NAS device that created a menu of the manufacturer's different models via autorun and could not be invoked any other way.

      There is no scripting in AUTORUN.INF...it's really just a very simple INI file. The only thing that could be considered a "script" is the ability to run different programs based on the machine architecture and OS version (controlled by square-bracketed INI section heading tags).

      If you trust a disc, you can just open the AUTORUN.INF file with a text editor and copy what is to the right of "open=" and paste it into the start menu run box and it will do exactly what would have happened if autorun was enabled.

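    The AUTORUN.INF layout nabsltd describes above (a plain INI file, an `open=` key, architecture-specific bracketed sections) is simple enough to inspect by hand, which is the point of that comment. As an added example that is not part of the thread or of any Microsoft code, the Python below parses a constructed AUTORUN.INF the way an analyst triaging a found USB stick or disc might, and lists every entry that would cause something to be launched (`open=`, `shellexecute=` and `shell\<verb>\command=`), preferring the architecture section Windows would consult. Both sample files are constructed for this example, and the section names assumed for non-x86 CPUs are an assumption too; Windows' own parser is more lenient than `configparser` in places, so a clean parse here is a convenience for reading the file, not evidence that the media is harmless.

```python
"""List what an AUTORUN.INF would launch, for triage of found media.

Added example for this page; not code from the thread or from Microsoft.
"""
import configparser

# Constructed sample in the style of a vendor driver disc: one default
# section plus an architecture-specific one, as described in the thread.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=setup.exe /autorun
icon=setup.exe,0
label=Driver CD
shell\\install=&Install drivers
shell\\install\\command=setup.exe /full

[autorun.alpha]
open=alpha\\setup.exe
"""

# Constructed sample in the style of worm-dropped files: mixed-case header,
# the payload parked under a system-looking folder name, %VAR% in a path.
SUSPICIOUS_AUTORUN_INF = """\
[AutoRun]
Open=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\update.exe
Icon=%SystemRoot%\\system32\\SHELL32.dll,4
ShellExecute=RECYCLER\\S-1-5-21-1234567890-1234567890-1234567890-1000\\update.exe
UseAutoPlay=1
"""

# Section consulted per CPU architecture before falling back to [autorun];
# x86 uses the plain [autorun] section. This mapping is an assumption.
ARCH_SECTIONS = {"x86": "autorun", "alpha": "autorun.alpha",
                 "mips": "autorun.mips", "ppc": "autorun.ppc"}

# Keys whose value names a program or document to run/open on insertion.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Parse AUTORUN.INF text leniently: keys compare case-insensitively,
    duplicate sections are merged, and '%...%' is left alone because it is
    an environment reference for Windows, not INI interpolation."""
    cp = configparser.ConfigParser(
        strict=False,
        interpolation=None,
        allow_no_value=True,
        empty_lines_in_values=False,
        delimiters=("=",),
        comment_prefixes=(";",),
        inline_comment_prefixes=None,
    )
    cp.optionxform = str.lower
    cp.read_string(text)
    return cp


def find_section(cp, wanted):
    """Case-insensitive section lookup so [AutoRun] and [autorun] both match."""
    for name in cp.sections():
        if name.lower() == wanted.lower():
            return name
    return None


def is_launch_key(key):
    """open=, shellexecute= and shell\\<verb>\\command= all name something to run."""
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def autorun_commands(text, arch="x86"):
    """Return (key, command, section) for every launch entry in the section
    Windows would use: the architecture-specific one if present, else [autorun]."""
    cp = parse_autorun_inf(text)
    section = (find_section(cp, ARCH_SECTIONS.get(arch, "autorun"))
               or find_section(cp, "autorun"))
    if section is None:
        return []
    return [(key, value.strip(), section)
            for key, value in cp.items(section)
            if value and is_launch_key(key)]


if __name__ == "__main__":
    for label, text in (("vendor disc", SAMPLE_AUTORUN_INF),
                        ("suspicious stick", SUSPICIOUS_AUTORUN_INF)):
        print(f"== {label} ==")
        for key, command, section in autorun_commands(text):
            print(f"[{section}] {key} -> {command}")
```

    Running the script prints the commands each sample would have handed to Windows; the second sample shows why the `icon=` line matters too, since a borrowed shell32 icon is what makes a malicious drive look like an ordinary one in Explorer.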
  2. Removing a feature? That I PAID for? by nebaz · · Score: 4, Funny

    Man, this is just like Sony removing the "Other OS" feature from the PS3. I PAID for Windows XP because of the Auto-Run feature, as I'm sure many others have as well. This is a clear case of bait-and-switch deceptive marketing practice. I wonder if a legal case could be made...

    --
    Rhymes that keep their secrets will unfold behind the clouds. There upon the rainbow is the answer to a neverending story
  3. Re:XP now more secure than Linux? by MrEricSir · · Score: 4, Funny

    As long as you never run IE, don't connect your computer to the internet, and never insert external media, then YES!

    --
    There's no -1 for "I don't get it."
  4. Re:Option? by BradleyUffner · · Score: 5, Informative

    Would be nice to have the option to enable/disable the feature..

    It has been an option for as long as I can remember. It used to be one of the first things I turned off after a new install, right after I turned on the display of File Extensions.

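    The option BradleyUffner refers to is the `NoDriveTypeAutoRun` policy value (machine-wide under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer`, and per user under the same path in HKCU), a bitmask in which bit n suppresses autorun for drive type n as numbered by the Win32 GetDriveType() call. As an added example, not code from the thread or from Microsoft, the Python below decodes such a mask, reports which drive types would still autorun, and composes a hardened value from an existing one. The XP default of 0x91 and the all-disabled value 0xFF are the documented values; the drive-type numbering is the Win32 one; the `harden()` policy choice (add removable and optical) is the example's own. The optional registry read only does anything on Windows and returns None elsewhere.

```python
"""Decode and compose the NoDriveTypeAutoRun policy bitmask.

Added example for this page; not code from the thread or from Microsoft.
"""

# Drive type numbers as returned by the Win32 GetDriveType() call.
# Bit n of NoDriveTypeAutoRun set = autorun suppressed for drive type n.
DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN",
    1: "DRIVE_NO_ROOT_DIR",
    2: "DRIVE_REMOVABLE",   # floppies, USB flash drives, card readers
    3: "DRIVE_FIXED",       # internal disks and most USB hard disks
    4: "DRIVE_REMOTE",      # mapped network shares
    5: "DRIVE_CDROM",       # optical media
    6: "DRIVE_RAMDISK",
    7: "RESERVED",          # documented as also meaning "unknown type"
}
NAME_TO_BIT = {name: bit for bit, name in DRIVE_TYPES.items()}

XP_DEFAULT = 0x91      # unknown + network + reserved suppressed (documented default)
ALL_DISABLED = 0xFF    # every drive type suppressed (documented value)


def disabled_drive_types(mask):
    """Names of the drive types for which this mask suppresses autorun."""
    return [name for bit, name in sorted(DRIVE_TYPES.items()) if mask & (1 << bit)]


def autorun_allowed(mask, drive_type):
    """True if media on a drive of this type number would still autorun."""
    if drive_type not in DRIVE_TYPES:
        raise ValueError(f"unknown drive type {drive_type}")
    return not (mask & (1 << drive_type))


def mask_for(*names):
    """Build a mask that suppresses autorun for the named drive types."""
    mask = 0
    for name in names:
        mask |= 1 << NAME_TO_BIT[name]
    return mask


def harden(mask):
    """Keep whatever the existing policy suppresses and additionally suppress
    removable and optical drives, the two types the thread is about.
    This choice of additions is the example's own, not a Microsoft default."""
    return mask | mask_for("DRIVE_REMOVABLE", "DRIVE_CDROM")


def read_policy_mask():
    """Read the machine-wide policy value on Windows; None elsewhere or if unset."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
            value, _kind = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
            return int(value)
    except OSError:
        return None


if __name__ == "__main__":
    current = read_policy_mask()
    mask = XP_DEFAULT if current is None else current
    print(f"mask 0x{mask:02X} suppresses: {', '.join(disabled_drive_types(mask))}")
    print(f"USB flash drives still autorun: {autorun_allowed(mask, 2)}")
    print(f"optical discs still autorun:    {autorun_allowed(mask, 5)}")
    print(f"hardened value: 0x{harden(mask):02X}")
```

    Decoding the default makes the thread's complaint concrete: 0x91 leaves removable drives (bit 2) and CD-ROMs (bit 5) free to autorun, which is exactly the gap USB worms used. A value the registry already holds can be OR-ed with the bits you want rather than overwritten, so an existing policy is not silently weakened.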
  5. Sony will be annoyed by Ynot_82 · · Score: 4, Funny

    Their CD rootkits won't run automatically

    Bet you there's a super-secret way to re-enable autorun on a specific medium for just such reasons
    (which will be discovered and exploited by malware writers)

    1. Re:Sony will be annoyed by Centurix · · Score: 3, Interesting

      Wonder if they've disabled the fetching of custom icon files from the drive as you insert it. Nice place to find buffer overflows.

      --
      Task Mangler
    2. Re:Sony will be annoyed by ILuvRamen · · Score: 4, Informative

      actually the update, which I just downloaded, states in the summary that it disables autorun for all devices except CD and DVD drives. At least it'll kill USB drive viruses and the even worse autolaunching U3 crapware on some USB drives lol.

      --
      Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  6. Re:What about AutoPlay? by The+MAZZTer · · Score: 4, Informative

    According to the MS article thing on it, that won't happen anymore. Autorun only happens for CD/DVD discs now. In fact this update SPECIFICALLY targets thumb drives for disabling autorun (though it affects all non-disc drives).

  7. Knowledge Base references by Anonymous Coward · · Score: 5, Informative

    This is an update to KB967940, regarding the patch offered in KB971029 going to automatic updates.

    I had to look up the numbers, so I thought I'd just share, and save anyone else the trouble.

    1. Re:Knowledge Base references by initialE · · Score: 3, Informative

      --
      Starbucks, Harbuckle of Breath.
    2. Re:Knowledge Base references by initialE · · Score: 5, Informative

      Hate to reply to myself, but this http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx needs a read too. It plots the relationship between autorun and malware. Interesting how Microsoft still considers this a "non-security related update", as autorun has been an easy vector with which to poison your windows installation. Important to note that autorun will still work as expected on CD and DVD media, meaning Sony Rootkits are still going to be installed on your computer.

      --
      Starbucks, Harbuckle of Breath.
  8. Re:Option? by stonewallred · · Score: 4, Insightful

    One of the most annoying things about Windows. Hiding the file extension by default.

  9. Re:not the same thing this is just taking away a by Anonymous Coward · · Score: 5, Informative

    Whoosh.

  10. Re:How does autorun get you a virus? by pz · · Score: 4, Insightful

    Or an infected CD-ROM or DVD, etc. Or the infected ISO you downloaded and mounted as a drive. Or the network drive that was just mounted. Or your MP3 player mounted in UMS mode. Or an infected external drive. Or a CF or SD/SDHC card mounted through a USB adapter. Or ...

    You get the picture. Auto-Run was a bad idea. I'm glad they disabled it.

    --
    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  11. 7 and Vista still vulnerable by KiloByte · · Score: 3, Informative

    Interesting that this bugfix was released only for XP. In 7, there's a dialog, but autorun.inf can show anything there, so most users will be just as easily fooled.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:7 and Vista still vulnerable by Tacvek · · Score: 3, Insightful

      The exact set of changes being offered here were a part of Windows 7 from day one. Windows 7 completely ignores the "Open=" entries in any autorun.inf file except for those loaded in devices that claim to be optical media. (So CDs and DVDs will still show the autorun option in the autoplay menu, as will U3 style flash drives, etc)

      This is just a patch to older systems to include the same behavior.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    2. Re:7 and Vista still vulnerable by Manip · · Score: 4, Informative

      This patch turns XP's autorun into the Windows Vista/7 version. The dialog will appear. Right now on XP programs will launch without any user interaction at all...

  12. AutoRun was always broken by scdeimos · · Score: 5, Insightful

    Given that PKI (Public Key Infrastructure) has been around longer than Internet Explorer, I could never understand why autorun.inf files weren't signed. Didn't Microsoft learn from all the problems induced by autorun-like behaviours on Amiga and Macintosh?

    Up until about MacOS 8 (I think) the Finder used to automatically execute .CODE resources in files on disk/HDD/CD whenever a new disc came online which is how most Mac viruses got propagated.

    1. Re:AutoRun was always broken by Anonymous Coward · · Score: 5, Interesting

      As the inventor of AutoRun (Microsoft even contacted me for prior art when they were sued over it) it saddens me to have it killed off like this.

      The original autorunner on the Amiga had a UI element to easily toggle it on/off for a drive, which is about as secure as trusting users not to just click on spyware.exe anyway. You can't protect users from running spyware if they are careless, but you can make it easy for them to control the behavior. Instead Microsoft buried the controls and made it next to impossible to turn off for a particular disk... I think you could disable it by holding shift, or alt, or control, or something. Nobody can remember that and there's no indication that it's working.

      Back in the days of swapping actual disks because there was no HD or it was tiny autorun was an awesome tool, and it's still a nice convenience for users to install drivers, etc. It didn't need to be such a security problem like it was on Windows.

    2. Re:AutoRun was always broken by Pentium100 · · Score: 3, Interesting

      Autorun made some sense when it worked only on CD-ROM disks, though sometimes it still was annoying (start a game, the game asks for the CD, insert the CD and the installer starts - this on slow PCs with little memory and slow CD drives). It did not work on floppies, so maybe someone saw that it would be bad. When USB flash drives replaced floppies in everyday use it was only a matter of time before virus writers took advantage of Autorun.

  13. Re:Option? by kindbud · · Score: 3, Insightful

    Hiding the filename extension is not a virus vector. Having the OS assume a file is just the type that the name says it is, is the vector whether the extension is hidden or not. Granting execute permissions based on its name rather than its permissions, is a virus vector. Assuming a jpg file is a image format and passing it unchecked to a thumbnail rendering subsystem is a vector, not hiding the jpg extension.

    You can hide file extensions in Linux file managers. MacOS hides file extensions. Files with hidden extension are not going to be a vector for you or for Mac users on account of the hidden extension. They don't work that way.

    --
    Edith Keeler Must Die
  14. Re:Option? by Hooya · · Score: 4, Insightful

    A file name lolcat.jpg.exe is a mighty tempting thing to double click on. Granted, the user is the vector. But then, the OS is not helping by making it easy to dupe people into thinking a file is an image vs an exe.

    even if the OS fingerprinted the file instead of relying on the extension, the above scenario doesn't change. the file contents never lied about what the file was. the name was just mis-represented and the OS helped dupe the user into thinking it was an image.

  15. Re:Option? by QuantumG · · Score: 4, Informative

    Sigh. On a Mac, my drunken bigoted friend, a Mach-O file renamed to foo.jpg will happily run *because* the operating system dives into the file format to figure out how to run it. If I embed the appropriate icon resource in the file it'll even look like your default image viewer is going to open it, and if I subsequently start that image viewer once I've got control you'll never know it wasn't.

    That's the security flaw: you can make an icon look to the user like it will only open up the image viewer, when actually arbitrary code will be executed.

    Without file extensions being hidden you see foo.jpg.exe and say "that's an exe, I'm not going to run that", even if it has a friendly jpg icon embedded in it.

    --
    How we know is more important than what we know.
  16. This was a needful thing. by symbolset · · Score: 3, Funny

    Will nobody else say it? Ok, I'll say it without inserting some criticism about the timing, the need for this change, or whatever.

    This needed to be done. The patch needed to be the default. The patch is here and it provides an improvement on the Windows experience not only for the Windows users, but for those of us who share an Internet with them.

    So thank you, Microsoft, for doing the right thing.

    --
    Help stamp out iliturcy.
  17. Re:XP now more secure than Linux? by 0123456 · · Score: 4, Informative

    After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!

    The 'autorun on Linux scare' appears to be primarily due to automatically displaying thumbnails of corrupted files which exploit holes in image and video rendering libraries; so Windows is at least as insecure. Windows was far more insecure when it would also happily load a DLL from the USB drive in order to perform that rendering because '.' was first in the DLL search path.

    Plus Ubuntu, at least, now seem to be wrapping the thumbnail generators in Apparmor which makes it far more difficult to exploit.

  18. Re:Option? by exomondo · · Score: 4, Interesting

    A file name lolcat.jpg.exe is a mighty tempting thing to double click on. Granted, the user is the vector. But then, the OS is not helping by making it easy to dupe people into thinking a file is an image vs an exe.

    If, when UAC pops up to tell the user that the *program* lolcat.jpg.exe is about to make changes to the system, the user still clicks allow/yes/whatever then there's really not much more you can do.

  19. non-security updates don't always auto-update by Culture20 · · Score: 3, Informative

    non-security updates don't always auto-update. This will remain an attack vector until they declare it a security update.

  20. Re:Removing a feature? That I PAID for? by tomhudson · · Score: 4, Funny

    Trolling? Window update is NOT mandatory. You can choose not to install a specific fix and then it will not prompt you for it in the future. It's not like PS3, where you have to update to play online.

    Hmmmm.... Seems you must be unable to recognize sarcasm. And here I thought I was humorless. ;)

    [sarcasm] He has auto-sarcasm turned off, you insensitive clod! [/sarcasm]

  21. Re:Removing a feature? That I PAID for? by Belial6 · · Score: 3, Insightful

    Autorun is not a bad idea. It has just been badly implemented. MS obviously found it easier to just disable it than to make it secure.

  22. Re:Option? by TheLink · · Score: 4, Informative

    AFAIK if you download that mach-o file from a website the resulting downloaded file will not be set to executable automatically, and the "victim" cannot run it.

    The victim will have to do the equivalent of chmod +x on it first.

    On the other hand if you create an appropriate disk image file and set the mimetype to application/x-apple-diskimage OSX will mount the disk automatically. And if you put the right things in that disk image (like a package), OSX will start the OSX "Installer" to install it.

    Depending on the situation or what the user does it may even run some "preinstall" or "installation check" scripts you supply with that package.