Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Kills AutoRun In Windows

Posted by samzenpus on from the so-long-farewell-aufedersein-goodbys dept.

aesoteric writes "Microsoft has finally decided to push out an update to disable AutoRun in its XP operating system, a Windows feature that had been increasingly exploited by virus writers over the years. But because Microsoft still sees AutoRun as a feature and not a security hole, it isn't calling its Windows Update a "security update" but rather an "Important, non-security update" — but it effectively disables the AutoRun feature anyway."

24 of 340 comments (clear)

  1. Should have never been there. by olsmeister · · Score: 4, Insightful

    If you do not know how to start a piece of software running, or cannot follow some simple directions to do so, you really have no business using a computer in the first place.

    1. Re:Should have never been there. by haruchai · · Score: 5, Insightful

      You've never worked a helpdesk, have you?

      --
      Pain is merely failure leaving the body
    2. Re:Should have never been there. by LordNimon · · Score: 5, Insightful

      Betty Crocker has a FAQ on all the ways you can screw up cooking Hamburger Helper. Would you say the people who need the help have no business eating?

      No, I would say they have no business cooking.

      --
      And the men who hold high places must be the ones who start
      To mold a new reality... closer to the heart
    3. Re:Should have never been there. by Junior+J.+Junior+III · · Score: 4, Insightful

      I'd wager he has.

      --
      You see? You see? Your stupid minds! Stupid! Stupid!
  2. Removing a feature? That I PAID for? by nebaz · · Score: 4, Funny

    Man, this is just like Sony removing the "Other OS" feature from the PS3. I PAID for Windows XP because of the Auto-Run feature, as I'm sure many others have as well. This is a clear case of bait-and-switch deceptive marketing practicing. I wonder if a legal case could be made...

    --
    Rhymes that keep their secrets will unfold behind the clouds.There upon the rainbow is the answer to a neverending story
  3. Re:XP now more secure than Linux? by MrEricSir · · Score: 4, Funny

    As long as you never run IE, don't connect your computer to the internet, and never insert external media, then YES!

    --
    There's no -1 for "I don't get it."
  4. Re:Option? by BradleyUffner · · Score: 5, Informative

    Would be nice to have the option to enable/disable the feature..

    It has been an option for as long as I can remember. It used to be one of the first things I turned off after a new install, right after I turned on the display of File Extensions.

  5. Sony will be annoyed by Ynot_82 · · Score: 4, Funny

    Their CD rootkits won't run automatically

    Bet you there's a super-secret way to re-enable autorun on a specific medium for just such reasons
    (which will be discovered and exploited by malware writers)

    1. Re:Sony will be annoyed by ILuvRamen · · Score: 4, Informative

      actually the update, which I just downloaded, states in the summary that it disables autorun for all devices except CD and DVD drives. At least it'll kill USB drive viruses and the even worse autolaunching U3 crapware on some USB drives lol.

      --
      Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
  6. Re:What about AutoPlay? by The+MAZZTer · · Score: 4, Informative

    According to the MS article thing on it, that won't happen anymore. Autorun only happens for CD/DVD discs now. In fact this update SPECIFICALLY targets thumb drives for disabling autorun (though it affects all non-disc drives).

  7. Knowledge Base references by Anonymous Coward · · Score: 5, Informative

    This is an update to KB967940, regarding the patch offered in KB971029 going to automatic updates.

    I had to look up the numbers, so I thought I'd just share, and save anyone else the trouble.

    1. Re:Knowledge Base references by initialE · · Score: 5, Informative

      Hate to reply to myself, but this http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx needs a read too. It plots the relationship between autorun and malware. Interesting how Microsoft still considers this a "non-security related update", as autorun has been an easy vector with which to poison your windows installation. Important to note that autorun will still work as expected on CD and DVD media, meaning Sony Rootkits are still going to be installed on your computer.

      --
      Starbucks, Harbuckle of Breath.
  8. Re:Option? by stonewallred · · Score: 4, Insightful

    One of the most annoying things about Windows. Hiding the file extension by default.

  9. Re:not the same thing this is just takeing away a by Anonymous Coward · · Score: 5, Informative

    Whoosh.

  10. Re:How does autorun get you a virus? by pz · · Score: 4, Insightful

    Or an infected CD-ROM or DVD, etc. Or the infected ISO you downloaded and mounted as a drive. Or the network drive that was just mounted. Or your MP3 player mounted in UMS mode. Or an infected external drive. Or a CF or SD/SDHC card mounted through a USB adapter. Or ...

    You get the picture. Auto-Run was a bad idea. I'm glad they disabled it.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
  11. AutoRun was always broken by scdeimos · · Score: 5, Insightful

    Given that PKI (Public Key Infrastructure) has been around longer than Internet Explorer, I could never understand why autorun.inf files weren't signed. Didn't Microsoft learn from all the problems induced by autorun-like behaviours on Amiga and Macintosh?

    Up until about MacOS 8 (I think) the Finder used to automatically execute .CODE resources in files on disk/HDD/CD whenever a new disc came online which is how most Mac viruses got propagated.

    1. Re:AutoRun was always broken by Anonymous Coward · · Score: 5, Interesting

      As the inventor of AutoRun (Microsoft even contacted me for prior art when they were sued over it) it saddens me to have it killed off like this.

      The original autorunner on the Amiga had a UI element to easily toggle it on/off for a drive, which is about as secure as trusting users not to just click on spyware.exe anyway. You can't protect users from running spyware if they are careless, but you can make it easy for them to control the behavior. Instead Microsoft buried the controls and made it next to impossible to turn off for a particular disk... I think you could disable it by holding shift, or alt, or control, or something. Nobody can remember that and there's no indication that it's working.

      Back in the days of swapping actual disks because there was no HD or it was tiny autorun was an awesome tool, and it's still a nice convenience for users to install drivers, etc. It didn't need to be such a security problem like it was on Windows.

  12. Re:Option? by Hooya · · Score: 4, Insightful

    A file name lolcat.jpg.exe is a mighty tempting thing to double click on. Granted, the user is the vector. But then, the OS is not helping by making it easy to dupe people into thinking a file is an image vs an exe.

    even if the OS fingerprinted the file instead of relying on the extension, the above scenario doesn't change. the file contents never lied about what the file was. the name was just mis-represented and the OS helped dupe the user into thinking it was an image.

  13. Re:Option? by QuantumG · · Score: 4, Informative

    Sigh. On a Mac, my drunken bigoted friend, a Mach-O file renamed to foo.jpg will happily run *because* the operating system dives into the file format to figure out how to run it. If I embed the appropriate icon resource in the file it'll even look like your default image viewer is going to open it, and if I subsequently start that image viewer once I've got control you'll never know it wasn't.

    That's the security flaw: you can make an icon look to the user like it will only open up the image viewer, when actually arbitrary code will be executed.

    Without file extensions being hidden you see foo.jpg.exe and say "that's an exe, I'm not going to run that", even if it has a friendly jpg icon embedded in it.

    --
    How we know is more important than what we know.
  14. Re:XP now more secure than Linux? by 0123456 · · Score: 4, Informative

    After the recent AutoRun on Linux scare, will this mean patched XP boxes are more secure than Linux? The mind BOGGLES!

    The 'autorun on Linux scare' appears to be primarily due to automatically displaying thumbnails of corrupted files which exploit holes in image and video rendering libraries; so Windows is at least as insecure. Windows was far more insecure when it would also happily load a DLL from the USB drive in order to perform that rendering because '.' was first in the DLL search path.

    Plus Ubuntu, at least, now seem to be wrapping the thumbnail generators in Apparmor which makes it far more difficult to exploit.

  15. Re:Option? by exomondo · · Score: 4, Interesting

    A file name lolcat.jpg.exe is a mighty tempting thing to double click on. Granted, the user is the vector. But then, the OS is not helping by making it easy to dupe people into thinking a file is an image vs an exe.

    If, when UAC pops up to tell the user that the *program* lolcat.jpg.exe is about to make changes to the system, the user still clicks allow/yes/whatever then there's really not much more you can do.

  16. Re:Removing a feature? That I PAID for? by tomhudson · · Score: 4, Funny

    Trolling? Window update is NOT mandatory. You can choose not to install a specific fix and then it will not prompt you for it in the future. It's not like PS3, where you have to update to play online.

    Hmmmm.... Seems you must be unable to recognize sarcasm. And here I thought I was humorless. ;)

    [sarcasm] He has auto-sarcasm turned of, you insensitive clod! [/sarcasm]

  17. Re:Option? by TheLink · · Score: 4, Informative

    AFAIK if you download that mach-o file from a website the resulting downloaded file will not be set to executable automatically, and the "victim" cannot run it.

    The victim will have to do the equivalent of chmod +x on it first.

    On the other hand if you create an appropriate disk image file and set the mimetype to application/x-apple-diskimage OSX will mount the disk automatically. And if you put the right things in that disk image (like a package), OSX will start the OSX "Installer" to install it.

    Depending on the situation or what the user does it may even run some "preinstall" or "installation check" scripts you supply with that package.

    --
  18. Re:7 and Vista still vulnerable by Manip · · Score: 4, Informative

    This patch turns XP's autorun into the Windows Vista/7 version. The dialog will appear. Right now on XP programs will launch without any user interaction at all...