
Microsoft Finally Turns Off AutoRun in Vista, XP

Source: Microsoft

The latest Patch Tuesday turned off AutoRun for Windows Vista and Windows XP.

In addition to the numerous security updates released on Patch Tuesday, Microsoft finally turned off AutoRun for Windows Vista and Windows XP. Now programs will not execute automatically when loaded from USB devices like external hard drives or flash drives. This prevents disguised malware from automatically loading the AutoRun menu when the USB devices are attached. Unfortunately, this also affects legit programs stored on USB storage devices.

Holly Stewart of the Microsoft Malware Protection Center said that the top ten families of malware, including JS/Pornpop, Win32/Autorun and Win32/Taterf, all share one common trait: they abuse the AutoPlay feature of AutoRun. "Although AutoRun is not the only technique these families use (why be a one-trick pony when you can be a Swiss Army knife?), the statistics on the infection rate of these families by platform indicate that the abuse of AutoRun is more effective on older platforms, like Windows XP," Stewart said.

Originally AutoRun was called "AutoPlay" and designed as a convenience for end-users in Windows 95, allowing them to automatically install programs from a CD, DVD or USB stick after insertion. But as malware writers began to make use of the feature over the years, Microsoft made a few changes with the release of Windows 7, disabling AutoRun whenever the end-user inserts a USB storage device. Microsoft also offered the revised AutoRun as an optional download for the older operating systems. Now it's included in the Windows Update channel.

"We're marking this as an 'Important, non-security update,'" said Adam Shostack from the Microsoft Security Response Center. "It may seem a little odd to call this a 'non-security update,' especially since we're delivering it alongside our February bulletins. But at Microsoft we reserve the term 'Security Update' to mean 'a broadly released fix for a product-specific security-related vulnerability.' And it would be odd to refer to AutoRun as a vulnerability."

Shostack said that now was the right time to bring the update to a wider audience. Users will still see the AutoRun menu when a USB storage device is inserted, but there will no longer be an option to run the program(s) from the device. CDs, DVDs and USB drives with high-end security features will still AutoRun as before.

"We are aware that someone could write malware to take advantage of [shiny media], but we haven't seen it in the wild," he added. "We also think malware on shiny media would be less likely to have widespread impact, because people burn CDs less often than they insert USB drives."

Microsoft is aware that many Windows users might not like the disabled AutoRun, and is providing a Fix It that reverses the change, located here.

  • 3 Hide
    jhansonxi , February 9, 2011 10:34 PM
    AutoPlay/AutoRun is 15 years old and it's time the malware authors adopt newer deployment methods. Good riddance to IE6 and ActiveX too.
  • 3 Hide
    Arethel , February 9, 2011 10:38 PM
    This is one of the things I always suggest and turn off for clients, but they always complain later about why "the computer doesn't play music anymore" weeks later when they've forgotten our conversation. ;D
  • 0 Hide
    chickenhoagie , February 9, 2011 10:40 PM
    JS/Pornpop ..so I guess your computer CAN get STD's..interesting.
  • 2 Hide
    mister g , February 9, 2011 11:16 PM
    Less convenience and more security, some people won't like it but in my opinion the extra step of opening my computer and then accessing the files is worth it instead of getting malware onto your PC because a friend couldn't keep his PC clean and something got into the drive.
  • 0 Hide
    Maxor127 , February 9, 2011 11:21 PM
    I didn't even install it since I have autorun disabled to begin with and I didn't feel like making sure that it didn't affect my settings.
  • 0 Hide
    Anonymous , February 9, 2011 11:38 PM
    "Originally AutoRun was called "AutoPlay" and designed as a convenience for end-users in Windows 95, allowing them to automatically install programs from a CD, DVD or USB stick after insertion."

    DVDs did not exist when Windows 95 was released. The DVD-ROM spec was finalized in December 1995. Neither did USB. USB support was added in Windows 98/2000.
  • 0 Hide
    misry , February 9, 2011 11:40 PM
    chickenhoagie wrote: JS/Pornpop ..so I guess your computer CAN get STD's..interesting.


    You are kidding right? Pr0n is what pays the rent in some Mom and Pop operations.

    After the scan gets to 100 different viruses or 1000 instances of the same virus, whichever comes first, call the customer. Let them know we won't warranty anything unless we Wipe and Reload. Yes, we will backup all your J-Pegs, at $65 a CD or $150 a DVD. Well yes you can take it home and do it yourself but we'll have to charge you again when you bring it in for the W&R.

    (Most opt to forgo the backup, go out and get more porn and the cycle starts again. >:-D )
  • 1 Hide
    iam2thecrowe , February 9, 2011 11:53 PM
    mayankleoboy1 wrote: just use kaspersky and disable cd/ usb autorun.

    use kaspersky and you WILL have a security problem if you believe it protects you.
  • 1 Hide
    Djanarak , February 9, 2011 11:57 PM
    "And it would be odd to refer to AutoRun as a vulnerability."
    Makes me want to laugh so hard I'd cry... Pure arrogance and stupidity in my opinion. Ever since the destructive capability of autorun became apparent, the US CERT highlighted it as a severe security risk, and it is. Anyone who uses USB drives on public computers and then inserts it into their computer at home was carrying a death sentence for their home PC if they didn't have autorun disabled. Microsoft's autorun update is a decade late to say the least, but at least now users making the most of their old OS won't have to reformat as often. I suspect Microsoft refused to disable autorun simply because it created a market for antivirus vendors.
  • 2 Hide
    Camikazi , February 10, 2011 12:30 AM
    Djanarak wrote: Anyone who uses USB drives on public computers and then inserts it into their computer at home was carrying a death sentence for their home PC if they didn't have autorun disabled.

    The moral of the story is, always use protection, never know what those public PCs are carrying :p 
  • 0 Hide
    Wish I Was Wealthy , February 10, 2011 1:15 AM
    I have disabled auto run already, but before I just checked the box to do nothing on insertion of any kind of media...I thought it should be up to the owner of the PC to decide what to do with autorun...
  • 0 Hide
    caeden , February 10, 2011 3:16 AM
    There was a power tools pack made by Microsoft for winXP users that had an option to turn off auto-play/run, which I used for years. I never realized it was a security risk, I just hated the program because I don't want to do the same thing every time I insert media. Sometimes my CD is a sermon/speech that I don't want added to my library (or those silly Rosetta Stone discs that are rooted in there somewhere but I have yet to bother removing, but always manage to play when in random... but only when someone is nearby). Some DVDs play better in VLC, others go to WMP, other times it is going to DVD decryptor, and yet other times I want to get at the data content and not the movie. And don't get me started on USB drives, they have a million uses, most of which require explorer, but some don't, and explorer is always up anyways so I don't need a menu to pop up asking if I want to open it!
  • 0 Hide
    iamtheking123 , February 10, 2011 9:12 AM
    Autorun is annoying anyways, so I disable it on new installs regardless of security impact (Group Policy Editor).
  • 0 Hide
    sudeshc , February 10, 2011 9:35 AM
    This wasn't the correct way to deal with that issue...........
  • 0 Hide
    enforcer22 , February 10, 2011 9:37 AM
    Haveyouactuallyusedwindows95 wrote: "Originally AutoRun was called "AutoPlay" and designed as a convenience for end-users in Windows 95, allowing them to automatically install programs from a CD, DVD or USB stick after insertion." DVDs did not exist when Windows 95 was released. The DVD-ROM spec was finalized in December 1995. Neither did USB. USB support was added in Windows 98/2000.


    I'm not sure about DVDs. I do remember they were announced to be on sale by end of 95 but didn't care. And um USB and IE 3.01 OR 4.01 (can't remember which) were added in 95 in revision C which was out before 98. Of course 98 did have native support from the get-go.
  • 0 Hide
    wiyosaya , February 10, 2011 12:56 PM
    Djanarak wrote: "And it would be odd to refer to AutoRun as a vulnerability." Makes me want to laugh so hard I'd cry... Pure arrogance and stupidity in my opinion. Ever since the destructive capability of autorun became apparent, the US CERT highlighted it as a severe security risk, and it is. Anyone who uses USB drives on public computers and then inserts it into their computer at home was carrying a death sentence for their home PC if they didn't have autorun disabled. Microsoft's autorun update is a decade late to say the least, but at least now users making the most of their old OS won't have to reformat as often. I suspect Microsoft refused to disable autorun simply because it created a market for antivirus vendors.

    Exactly.

    CYA on Microsoft's part if you ask me.

    Just think how many lawsuits would be filed if Microsoft said something like, "We finally realized that AutoRun is a security problem, and it has seriously damaged some computers as well as taken hundreds of thousands of hours of time, cumulatively, from other users who had to clean or have cleaned their computers after encountering a malicious virus that exploited AutoRun."

    Personally, I turned it off years ago. I find it a nuisance to have to respond to some dialog every time I stick a CD/DVD in my drive.
  • 0 Hide
    christop , February 10, 2011 1:36 PM
    This was turned off a long time ago for me..
  • 0 Hide
    cookoy , February 10, 2011 2:18 PM
    It was a race between the antivirus scanning the USB files and the trojan virus running automatically before it gets detected. And a lot of times the latter wins.
  • 0 Hide
    hythos , February 10, 2011 2:45 PM
    Now if they could only come up with a security patch to address blocking the most severe vulnerability - it's bundled and installed with so many other applications... a virus, known as Google.
  • 0 Hide
    Anonymous , February 10, 2011 3:19 PM
    I disabled Windows years ago :-D
    Now I don't worry about such things..