
Microsoft To Disable Autorun 429

jchrisos writes "Microsoft is planning to disable autorun in the next Release Candidate of Windows 7 and future updates to Windows XP and Vista. In order to maintain a 'balance between security and usability,' non-writable media will maintain its current behavior however. In any case, if it means no more autorun on flash drives, removable hard drives and network shares, that is definitely a step in the right direction. Will be interesting to see what malware creators do to get around this ..."
This discussion has been archived. No new comments can be posted.

  • get around this? (Score:5, Interesting)

    by BigBuckHunter ( 722855 ) on Wednesday April 29, 2009 @05:33PM (#27764707)
    "Will be interesting to see what malware creators do to get around this ..."

    Attrib -w? Flip the Writeprotect dword in StorageDevicePolicies?

    BBH
  • by Moryath ( 553296 ) on Wednesday April 29, 2009 @05:33PM (#27764719)

    Has to do with crap like this [tomshardware.com] - the theory goes that you may WANT to have an autorun from them for legit reasons (movie on a "read only" flash disk, or a "plug this hard drive in and automatically launch Program X" setup).

    Hell, without this, those "U3 Enabled" flash drives (yeah I know, gag puke awful crap software) are even harder to use too. They use a single partition with the U3 software, autoboot it, check for you entering your "password", and only then will it decrypt the OTHER partition on the drive for you.

    See where this is going?

  • by petermgreen ( 876956 ) <plugwash@nOSpam.p10link.net> on Wednesday April 29, 2009 @05:56PM (#27764983) Homepage

    But flash sticks are a good vector for spreading malware and an annoying proportion of the flash sticks I see are SanDisk U3 devices. How long will it be until malware manages to insert itself into the "CD emulation" section of a U3 device?

  • by evangellydonut ( 203778 ) on Wednesday April 29, 2009 @06:00PM (#27765031)

    take any USB controller, have it emulate a Human Interface Device (aka keyboard), use it for the keystrokes of "windows, up, up, up, enter, virus-website, enter" and it's game over. you can do the same on Mac, just a tad more difficult.

  • Play button (Score:4, Interesting)

    by fishizzle ( 901375 ) on Wednesday April 29, 2009 @06:16PM (#27765187)
    CD-ROMs could have kept the common "Play button" interface from the beginning. Everyone knew this procedure. You insert a VHS into a VCR, you press play. You insert a cassette tape into a Walkman, you press play. CD into a CD player, press play. When the CD-ROM came out, wouldn't it logically follow to insert the CD-ROM, then press the "Play button" to execute any "autorun" functionality? That way it's a user-initiated event, but one that your entire target audience is already going to be familiar with. And the users who weren't intending on "playing" the CD-ROM don't press the play button and can go about, uninterrupted, copying it or navigating the file system as they intended. It's not a huge deal, but I just find it odd that Microsoft's implementation of "Autorun" was the solution to this "problem" back in the day.
  • by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Wednesday April 29, 2009 @06:26PM (#27765307) Homepage

    Modern systems come with cd/dvd recorders by default...
    A piece of malware could hijack your burning apps and add itself to any optical media you burn.

  • Re:FTFA: (Score:4, Interesting)

    by Hi_2k ( 567317 ) on Wednesday April 29, 2009 @06:29PM (#27765341) Journal

    Yes, mapping a windows network share would indeed cause autorun.inf to be read.

  • by maxume ( 22995 ) on Wednesday April 29, 2009 @07:03PM (#27765675)

    But is autoplay/autorun an automatic turn signal or is it a starter motor?

  • by Toonol ( 1057698 ) on Wednesday April 29, 2009 @07:14PM (#27765765)
    As someone who likes autorun, my reaction to this is "yeah, because I like doing work myself that a computer is good at".

    Computers are HORRIBLE at deciding what is safe to run and what isn't. That's the central security problem, and it probably won't be solved until we have strong AI.
  • by Anonymous Coward on Wednesday April 29, 2009 @07:43PM (#27766085)

    When I got a laptop loaded with Everybody's Favourite Operating System (Windows Vista), I just started using its indexing search function to launch apps. For example, if I wanted to launch Windows Live Messenger, I'd type in "messenger" and then press enter. If I wanted to launch Firefox, I'd type in "firefox" and press enter.

    I didn't make any active effort to do this; it's just more intuitive for me than using my mouse to browse through the labyrinth of Start Menu items.

    I've gotten used to doing this in OS X's Spotlight as well (of course, I'd use Quicksilver if I could, but my experience with Macs is contained within my school).

    Does anyone else do this, or is it just me?

  • Re:Play button (Score:3, Interesting)

    by noidentity ( 188756 ) on Wednesday April 29, 2009 @07:54PM (#27766231)

    CD-ROMs could have kept the common "Play button" interface from the beginning. Everyone knew this procedure. You insert a VHS into a VCR, you press play.

    Actually, VHS players automatically start playing read-only cassettes (and once they reach the end, rewind and then eject them). Pre-recorded tapes have the write-enable tab broken off.

  • by foodnugget ( 663749 ) <eric-slashdot@@@ericfeldman...com> on Wednesday April 29, 2009 @08:31PM (#27766663)
    Here's a link to disable autorun on 2k and XP for real. You won't get a prompt for what to do, the system won't try to do anything with a USB key or CD-ROM or removable drive. I recommend it to anyone who has to put other people's USB drives in their systems. http://windowssecrets.com/2007/11/08/02-One-quick-trick-prevents-Autorun-attacks [windowssecrets.com]
  • by EvanED ( 569694 ) <{evaned} {at} {gmail.com}> on Wednesday April 29, 2009 @09:04PM (#27766951)

    OTOH, if Windows just launches it for you, or prompts you to do it, you're just hosed....

    Agreed on the first, but disagreed on the second.

    Here's my reasoning. Why are you inserting an unknown flash drive anyway? Probably to figure out what's on it. So if Windows didn't prompt, you're probably going to look around the drive anyway, and probably come across the program that the autoplay window in Vista would prompt you to run. If you say "run this program" in the autoplay window, why wouldn't you say "run this program" when you come across it on the disk?

    In fact, I'd say that the situation is exactly the reverse. If I saw some untrusted media try to autorun something, I'd be more suspicious of it than if I just stumbled across the program on the drive when looking through. Furthermore, it's a little more resistant to obfuscation by hiding the .exe extension and stuff, since if it asks you to autorun something, you know it's a program.

    (This is written from the point of view of a user who isn't clueless. For someone who is careless or ignorant or whatever, I'll acknowledge that prompting is probably more prone to result in the program getting run. That'd be reason to maybe change the default, but if MS did do that, I'd set it back to Vista's current default.)

  • by nabsltd ( 1313397 ) on Wednesday April 29, 2009 @09:46PM (#27767281)

    If Windows would actually join the 1980s and have decent support for virtual desktops that would alleviate a lot of that, but even in KDE or Gnome it's often the case that I have stuff open on all of the desktops and would still have to move things. (On the tiling WM I'm using now, awesome [naquadah.org], I've got 32 virtual desktops on each monitor, about 1/3 of which are usually used, so there getting to an open desktop would be pretty easy.)

    The Windows NT 3.1 Resource Kit [microsoft.com] included a program called TopDesk which still works fine with everything up through XP. It does the same sort of multiple desktop system that your link shows.

    I run with an 11x3 layout, so that's 33 total desktops. Windows can be set to follow you to the current desktop, or stay where they were as you switch. You can also have "ghosts", which allow you to force a particular program to always start up on a particular desktop.

  • Re:Hunt and peck (Score:3, Interesting)

    by collinstocks ( 1295204 ) on Wednesday April 29, 2009 @10:04PM (#27767399) Journal

    I have to agree. I use gnome-do all the time to run my applications because I can't be bothered searching through the menus if I already know what the program does. I even use it for my IM client: if I want to chat to someone, I enter their name and hit enter as soon as there are enough letters to match their name.

  • by rtb61 ( 674572 ) on Wednesday April 29, 2009 @10:32PM (#27767585) Homepage

    As an interesting side point on that issue, M$ knew all about Sony's root kit prior to it being released in fact they were involved in evaluating it and it was a M$ advertising blogger who announced it to the world not long after it was released and of course just prior to the release of the playstation 3, ahh, the wonderful world of modern marketing techniques.

  • by im_thatoneguy ( 819432 ) on Wednesday April 29, 2009 @10:48PM (#27767695)

    CLIs are great IF you know the command to launch it.

    What if you type in Word. Do you get MS Word or WordPad or Word Search?

    What if you don't know the program's name ("Writer" comes to mind) but you know it's a part of Open Office? What if you don't know anything about the program but would recognize it if you saw it?

    The list of things on a computer which a person should know the correct command to launch are very few. Vista's: Windows Key -> "Search Phrase" -> Enter. System seems to be the best. You can search or if you can't find it then look through your program list. It's the best of both worlds.

    Now the worst place for a CLI is anywhere the user doesn't know 'what they can do'. If you launch a CL program you're presented with no possibilities. You have no idea what the program can do. It's like driving up to a drive through without a menu. You can start quizzing the person on the other end of the little box what they offer but a nice photo menu is the fastest way to absorb data.

  • by MobyDisk ( 75490 ) on Wednesday April 29, 2009 @11:02PM (#27767775) Homepage

    I was arguing with a coworker why autorun is so dangerous. He said he never had a problem with it. So while he was away from his desk, I modified his USB key with an autorun that changes his desktop background to Unicorns and Rainbows. :-)

  • Diskettes (Score:2, Interesting)

    by GbrDead ( 702506 ) on Thursday April 30, 2009 @04:58AM (#27769841)
    What about floppy disks? Will the write-protection tab enable autorun?
