Microsoft Finally Turns Off AutoRun in Vista, XP

By Kevin Parrish
published

The latest Patch Tuesday turned off AutoRun for Windows Vista and Windows XP.

In addition to the numerous security updates released on Patch Tuesday, Microsoft finally turned off AutoRun for Windows Vista and Windows XP. Now programs will not execute automatically when loaded from USB devices like external hard drives or flash drive sticks. This prevents disguised malware from automatically loading the AutoRun menu when the USB devices are attached. Unfortunately, this also affects legit programs stored on USB storage devices.

Holly Stewart of the Microsoft Malware Protection Center said that the top ten families of malware--including JS/Pornpop, Win32/Autorun and Win32/Taterf--all share one common trait: they abuse the AutoPlay feature of AutoRun. "Although AutoRun is not the only technique these families use (why be a one-trick pony when you can be a swiss army knife?), the statistics on the infection rate of these families by platform indicate that the abuse of AutoRun is more effective on older platforms, like Windows XP," Stewart said.

Originally AutoRun was called "AutoPlay" and designed as a convenience for end-users in Windows 95, allowing them to automatically install programs from a CD, DVD or USB stick after insertion. But as malware writers began to make use of the feature over the years, Microsoft made a few changes with the release of Windows 7, disabling AutoRun whenever the end-user inserts a USB storage device. Microsoft also offered the revised AutoRun as an optional download for the older operating systems. Now it's included in the Windows Update channel.

"We're marking this as an 'Important, non-security update,'" said Adam Shotack from the Microsoft Security Response Center. "It may seem a little odd to call this a 'non-security update,' especially since we're delivering it alongside our February bulletins. But at Microsoft we reserve the term 'Security Update" to mean "a broadly released fix for a product-specific security-related vulnerability.' And it would be odd to refer to AutoRun as a vulnerability."

Shotack said that now was the right time to bring the update to a wider audience. Users will still see the AutoRun menu when a USB storage device is inserted, but there will no longer be an option to run the program(s) from the device. CDs, DVD and USB drives with high-end security features will still AutoRun as before.

"We are aware that someone could write malware to take advantage of [shiny media], but we haven't seen it in the wild," he added. "We also think malware on shiny media would be less likely to have widespread impact, because people burn CDs less often than they insert USB drives."

Microsoft is aware that many Windows users might not like the disabled AutoRun, and is providing a Fix It that reverses the change, located here.

Kevin Parrish
28 Comments Comment from the forums
  • jhansonxi
    AutoPlay/AutoRun is 15 years old and it's time the malware authors adopt newer deployment methods. Good riddance to IE6 and ActiveX too.
    Reply
  • Arethel
    This is one of the things I always suggest and turn off for clients, but they always complain later about why "the computer doesn't play music anymore" weeks later when they've forgotten our conversation. ;D
    Reply
  • chickenhoagie
    JS/Pornpop ..so I guess your computer CAN get STD's..interesting.
    Reply
  • mister g
    Less convenience and more security, some people won't like it but in my opinion the extra step of opening my computer and then accessing the files are worth it instead of getting malware onto your PC because a friend couldn't keep his PC clean and something got into the drive.
    Reply
  • Maxor127
    I didn't even install it since I have autorun disabled to begin with and I didn't feel like making sure that it didn't affect my settings.
    Reply
  • "Originally AutoRun was called "AutoPlay" and designed as a convenience for end-users in Windows 95, allowing them to automatically install programs from a CD, DVD or USB stick after insertion."

    DVDs did not exist when Windows 95 was released. The DVD-ROM spec was finalized in December 1995. Neither did USB. USB support was added in Windows 98/2000.
    Reply
  • misry
    chickenhoagieJS/Pornpop ..so I guess your computer CAN get STD's..interesting.
    You are kidding right? Pr0n is what pays the rent in some Mom and Pop operations.

    After the scan gets to 100 different viruses or 1000 instances of the same virus, whichever comes first, call the customer. Let them know we won't warranty anything unless we Wipe and Reload. Yes, we will backup all your J-Pegs, at $65 a CD or $150 a DVD. Well yes you can take it home and do it yourself but we'll have to charge you again when you bring it in for the W&R.

    (Most opt to forgo the backup, go out and get more porn and the cycle starts again. >:-D )
    Reply
  • iam2thecrowe
    mayankleoboy1just use kaspersky and disable cd/ usb autorun.use kaspersky and you WILL have a security problem if you believe it protects you.
    Reply
  • Djanarak
    "And it would be odd to refer to AutoRun as a vulnerability."
    Makes me want to laugh so hard I'd cry... Pure arrogance and stupidity in my opinion. Ever since the destructive capability of autorun became apparent, the US CERT highlighted it as a severe security risk, and it is. Anyone who uses USB drives on public computers and then inserts it into their computer at home was carrying a death sentence for their home PC if they didn't have autorun disabled. Microsoft's autorun update is a decade late to say the least, but at least now users making the most of their old OS won't have to reformat as often. I suspect Microsoft refused to disable autorun simply because it created a market for antivirus vendors.
    Reply
  • Camikazi
    DjanarakAnyone who uses USB drives on public computers and then inserts it into their computer at home was carrying a death sentence for their home PC if they didn't have autorun disabled.The moral of the story is, always use protection, never know what those public PCs are carrying :P
    Reply