Microsoft will disable AutoRun and change AutoPlay
Remember all the angst over Windows AutoPlay and AutoRun? (For a detailed discussion of the differences between AutoPlay and AutoRun, start with this Wikipedia article.) AutoPlay was a major infection vector for Conficker. It’s always been a huge security hole in Windows.
Microsoft just announced that it’s disabling AutoRun in Windows 7, and changing the way AutoPlay works. The details are a bit hard to follow – the terminology is more than a bit obfuscating – but here’s what’s happening:
As I explained in my Windows Secrets column in January, it’s very easy to create a file called autorun.inf that can confuse the living daylights out of people. If you stick this custom-made autorun.inf on a USB drive or burn it on a CD, the commands in that file will cause Windows to display a (potentially infective) program on the AutoPlay menu, the menu that appears every time you insert a USB drive or CD into your computer (see screen shot).
In fact, autorun.inf controls what appears on the AutoPlay list if you stick it on any kind of removable media – USB drive, CD, DVD, SD card (so a card from your camera could infect other computers), and so on.
Microsoft is changing Windows so it behaves in two different ways, depending on whether the autorun.inf file is stuck on (1) a CD/DVD, or (2) any other kind of media, notably a USB drive or SD card.
In the future, when Windows finds an autorun.inf file on a USB drive or SD card, it ignores the file. Nothing happens. You can create the most diabolically clever autorun in the history of mass infections, put it on a USB drive, and if someone sticks the drive in a properly patched Windows machine, it won’t do squat. AutoPlay doesn’t list anything from the autorun.inf, and nothing runs automatically.
In the future, when Windows finds an autorun.inf file on a CD or DVD, it shows the contents of the autorun.inf in the AutoPlay window, but the new, revised AutoPlay window warns you that the entry associated with autorun.inf is from the CD, not from Microsoft. The AutoPlay warning says “Install or run program from your media.”
And no matter where the autorun.inf file comes from, it can’t launch its own program. You have to do the clicking – point the gun at your own foot and pull the trigger.
The recently leaked Windows 7 Release Candidate, which should be widely available next week, already has those changes to AutoRun and AutoPlay. In addition, says Microsoft, “we are planning to release an update in the future for Windows Vista and Windows XP that will implement this new behavior.”
It’s about time.
Oh. There’s one little caveat. For those of you who suffer with U3 – the technology built into some USB drives that makes part of the drive look like a CD drive – Microsoft hasn’t figured out how to treat the whole USB drive like a USB drive. Instead, the CD part will be subject to the same handling as a CD. Quoth the Softies, “It is worth noting that some smart USB flash drives can pose as a CD/DVD drive instead of standard ones (see Wikipedia for an example). In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level.”
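To make the rules above concrete (ignore autorun.inf on USB and SD media, list it with a warning on CD/DVD, never launch anything without a click) together with the U3 caveat, here is an added Python simulation of the revised AutoPlay decision. This is example code written for this page, not Microsoft's code or anything from the article; the autorun.inf contents and the "cdrom" / "removable" device-type labels are constructed for the example. The only input that decides the branch is the device type the hardware reports, which is exactly why a flash drive posing as a CD-ROM drive gets the CD treatment.

```python
# Added example: a model of the revised AutoPlay handling of autorun.inf,
# as described in the post. Not Microsoft's implementation.
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sample autorun.inf, the kind found on a camera card or a CD.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
action=Install Photo Tools
label=Camera Card
"""

# Text the revised AutoPlay window shows next to an entry that came from the media.
WARNING_TEXT = "Install or run program from your media."


@dataclass
class AutoPlayDecision:
    entry_shown: bool             # does the autorun.inf entry appear in the AutoPlay menu?
    warning: Optional[str]        # warning shown beside that entry, if any
    program: Optional[str]        # what would run only if the user clicks the entry
    launched_automatically: bool  # always False under the revised behaviour


def parse_autorun_inf(text: str) -> dict:
    """Parse the [autorun] section of an autorun.inf; return {} if absent or malformed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("autorun"):
        return {}
    return {key.lower(): value for key, value in cp.items("autorun")}


def autoplay_decision(reported_device_type: str,
                      autorun_inf_text: Optional[str]) -> AutoPlayDecision:
    """reported_device_type is what the hardware reports ('cdrom' or 'removable'),
    not the physical form factor: a U3 drive's CD partition reports 'cdrom'."""
    nothing = AutoPlayDecision(entry_shown=False, warning=None,
                               program=None, launched_automatically=False)
    if autorun_inf_text is None:
        return nothing
    if reported_device_type != "cdrom":
        # USB drive, SD card, or any other non-optical media: the file is ignored.
        return nothing
    entries = parse_autorun_inf(autorun_inf_text)
    program = entries.get("open") or entries.get("shellexecute")
    if not program:
        return nothing
    # CD/DVD (or a device posing as one): the entry is listed with a warning,
    # and still nothing runs until the user clicks it.
    return AutoPlayDecision(entry_shown=True, warning=WARNING_TEXT,
                            program=program, launched_automatically=False)


if __name__ == "__main__":
    scenarios = [
        ("USB drive with autorun.inf", "removable", SAMPLE_AUTORUN_INF),
        ("SD card with autorun.inf", "removable", SAMPLE_AUTORUN_INF),
        ("Pressed CD with autorun.inf", "cdrom", SAMPLE_AUTORUN_INF),
        ("U3 drive, CD partition", "cdrom", SAMPLE_AUTORUN_INF),
        ("Blank DVD, no autorun.inf", "cdrom", None),
    ]
    for name, device_type, inf in scenarios:
        print(f"{name:30} -> {autoplay_decision(device_type, inf)}")
```

Running the script prints one decision per scenario; the two non-optical cases yield an empty decision, the CD and U3 cases list `setup.exe` behind the warning text, and `launched_automatically` is False in every case.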