In addition to the numerous security updates released on Patch Tuesday, Microsoft finally turned off AutoRun for Windows Vista and Windows XP. Now programs will not execute automatically when loaded from USB devices like external hard drives or flash drive sticks. This prevents disguised malware from automatically loading the AutoRun menu when the USB devices are attached. Unfortunately, this also affects legit programs stored on USB storage devices.
Holly Stewart of the Microsoft Malware Protection Center said that the top ten families of malware--including JS/Pornpop, Win32/Autorun and Win32/Taterf--all share one common trait: they abuse the AutoPlay feature of AutoRun. "Although AutoRun is not the only technique these families use (why be a one-trick pony when you can be a swiss army knife?), the statistics on the infection rate of these families by platform indicate that the abuse of AutoRun is more effective on older platforms, like Windows XP," Stewart said.
Originally AutoRun was called "AutoPlay" and designed as a convenience for end-users in Windows 95, allowing them to automatically install programs from a CD, DVD or USB stick after insertion. But as malware writers began to make use of the feature over the years, Microsoft made a few changes with the release of Windows 7, disabling AutoRun whenever the end-user inserts a USB storage device. Microsoft also offered the revised AutoRun as an optional download for the older operating systems. Now it's included in the Windows Update channel.
"We're marking this as an 'Important, non-security update,'" said Adam Shotack from the Microsoft Security Response Center. "It may seem a little odd to call this a 'non-security update,' especially since we're delivering it alongside our February bulletins. But at Microsoft we reserve the term 'Security Update" to mean "a broadly released fix for a product-specific security-related vulnerability.' And it would be odd to refer to AutoRun as a vulnerability."
Shotack said that now was the right time to bring the update to a wider audience. Users will still see the AutoRun menu when a USB storage device is inserted, but there will no longer be an option to run the program(s) from the device. CDs, DVD and USB drives with high-end security features will still AutoRun as before.
"We are aware that someone could write malware to take advantage of [shiny media], but we haven't seen it in the wild," he added. "We also think malware on shiny media would be less likely to have widespread impact, because people burn CDs less often than they insert USB drives."
Microsoft is aware that many Windows users might not like the disabled AutoRun, and is providing a Fix It that reverses the change, located here.