Microsoft Blocks AutoRun/AutoPlay Vulnerability in XP, Vista, and Windows Server [Updated!]
Posted 08/31/09 at 11:41:03 AM by Mark Edward Soper
AutoRun was originally intended to help automatically start programs stored on optical media. However, once USB drives became popular, AutoRun also became a popular way to launch programs from hard disks and thumb drives by working with Windows' built-in AutoPlay functionality.
AutoRun Versus AutoPlay
AutoRun uses an AutoRun.inf file in the root folder of CD or DVD media and other removable drives to specify what happens when the media is inserted or the drive is plugged into a USB or other hot-swap port. Allowable actions include launching a program, displaying an icon, and so on.
AutoPlay is a hot-swap-drive-specific technology in Windows that displays a list of actions that are specific to the media and its content. For example, if you insert a music CD, the AutoPlay menu would provide options for music playback with Windows Media Player or other installed media playback programs. If you connect a USB thumb drive or hard disk that contains different types of media, the AutoPlay list displays programs that can be used to view or play back each of the supported media types (such as photos, music, videos, and so on) stored on the drive. In Windows XP, AutoPlay is configured on a drive-by-drive basis, using programs such as TweakUI. Windows Vista and Windows 7 control AutoPlay on a media-type basis through the Control Panel's AutoPlay applet.
On removable drives, any executable files included in the AutoRun.inf file are automatically added to the AutoPlay menu [thanks to reader MRrelabled for suggesting this new section - updated 8-31-2009].
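To make the AutoRun.inf behavior described above concrete, here is an added example (not from the original article or from Microsoft): a small Python auditor that reads the text of an AutoRun.inf file and reports which entries launch a program rather than only setting an icon or label. The sample file contents are constructed, and the function names are hypothetical; open, shellexecute and shell\verb\command are standard AutoRun.inf entries.

```python
import re

# [autorun] keys that make Windows start something.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$")
RISKY_EXT = re.compile(r"\.(exe|vbs|bat|cmd|scr|pif|com|js)\b", re.IGNORECASE)

def parse_autorun(text):
    """Return {key: value} for the [autorun] section (keys lower-cased)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def audit(text):
    """List (key, command, reason) for every entry that launches a program."""
    findings = []
    for key, value in parse_autorun(text).items():
        verb = SHELL_CMD.match(key)
        if key in EXEC_KEYS:
            reason = "launched by AutoRun or offered in the AutoPlay menu"
        elif verb:
            reason = f"runs from the drive's '{verb.group(1)}' context-menu verb"
        else:
            continue  # icon=, label=, action= only change what is displayed
        if RISKY_EXT.search(value):
            reason += " (script or executable target)"
        findings.append((key, value, reason))
    return findings

# Constructed sample; start.exe is the file name a commenter on this page reports.
SAMPLE = """; constructed example, not taken from a real drive
[AutoRun]
open=start.exe
icon=folder.ico
label=My Photos
shell\\open\\command=start.exe /quiet
"""

if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE):
        print(f"{key} = {value}: {reason}")
```

An empty result means the file only customizes how the drive is displayed; any finding names a command worth inspecting before the drive is opened.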
AutoRun is Not Your Friend (Unless You're a Malware Developer)
Unfortunately, AutoRun's ability to provide instant launching for programs has also been widely exploited by malware such as the notorious Conficker/Downadup worm and others.

First Windows 7, Now the Rest
Back in May, we reported how Microsoft changed how AutoPlay and AutoRun work in Windows 7, preventing USB drives from automatically starting programs using AutoRun. Now, as promised, Redmond's reining in AutoRun's interaction with AutoPlay on Windows XP, Windows Vista, and Windows Server 2003 with its KB971029 security update. It's not available on Windows Update yet, so if you want the update, download and install it manually.
Once you install KB971029, only CD and DVD drives (and programs that emulate CD/DVD drives, such as U3, which is used by SanDisk and other USB flash drive makers) can use AutoRun.
Better Security, But at a Price
Are there downsides to disabling AutoRun? Microsoft points out that you'll need to launch programs from USB drives manually - unless the USB drive emulates a CD drive when you plug it in (such as SanDisk Cruzers and others that use U3 software).
Like the improved security? Find it annoying? Want to report problems with some of your favorite utilities? Hit Comment and sound off.
About time
Submitted by Carey on Mon, 08/31/2009 - 3:43pm
It's about time, I've had this useless and unsafe feature disabled on every machine I've ever used.
Horrible in Afghanistan
Submitted by d_sellers1 on Mon, 08/31/2009 - 3:33pm
I'm currently deployed to Afghanistan and a good majority of the people out here have contracted some form of USB transmitted virus. On an infected PC, the virus will copy itself to the drive and set the autorun.inf to automatically run or when the drive is double-clicked from My Computer (which in turn runs the autorun).
The viruses that I have found like to sit in C:\Users\<your_username>\ and are set to system and hidden. Using ATTRIB in a command prompt will show the hidden system files (or setting your view in Explorer to show hidden files and not hide system files will do the same). Kill the offensive program in Task Manager; delete the virus (there shouldn't be any .exe or .vbs files in the \<your_username>\ folder); use MSConfig to remove the startup entry.
Same basic steps on a USB drive (thumbdrive, hard drive, digital camera memory card, iPod Classics, etc.). The autorun.inf will be system and hidden along with one or more .exe or .vbs files. The most common is start.exe which would appear to be harmless. Delete them.
Better yet, edit the autorun.inf and delete everything in it (make it blank) and save. Right click on the autorun.inf and go to Properties and then the Security tab. Click the Advanced button and uncheck the Inherit permission from parent. Click Remove followed by OK as many times as you need to close all the windows. This takes away your permissions to edit the file even if you are an administrator. This will prevent other infected systems from giving your drive the virus. You will still get the hidden executable file on the drive but without the autorun.inf to run it, it won't automatically run. Also note that the drive must be formatted to NTFS and not FAT/FAT32.
To protect your PC, you can disable the autorun feature with a registry. Open notepad and copy the text below and save as "noautorun.reg" (be sure to use the quotation marks). Double click the file that you just created and click Yes when asked if you want to add it to the registry. Reboot just to be safe. No more autorun. (This is useful for soldiers like myself that are deployed that won't be able to download the Windows Update.)
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Even with current anti-virus definitions, Norton seems to let about 95% of the infections go undetected. Of all the drives and systems that I have checked, Norton has only alerted me to three...
Derek
Great tips, and thanks for your service to our country
Submitted by Marcus_Soperus on Tue, 09/01/2009 - 12:29pm
This comment is a must-read for anyone who wants to prevent AutoRun-based malware. Thanks very, very much for what you're doing in Afghanistan.
-----------------------------------------------------------------------------------------------------
It's amazing how illogical a business built on binary logic can be.
Noooooooooooooooooooo!
Submitted by Techrocket9 on Mon, 08/31/2009 - 1:44pm
Portableapps is/are doomed!
_____________________________________________________
An army of pacifists can be defeated by one man with the will to fight.
Autorun has always been a
Submitted by Elric on Mon, 08/31/2009 - 10:52am
Autorun has always been a misfeature, so I don't mind seeing it go at all. I think this was a good move.
Auto play/Auto run
Submitted by MeTo on Mon, 08/31/2009 - 10:20am
Auto play/Auto run should have never been introduced IMO. It was something to make it easy to install programs and run games. It also runs bad stuff easy. What is so hard about clicking on an icon to start a program?
First why don't you describe
Submitted by MRrelabled on Mon, 08/31/2009 - 9:16am
First why don't you describe the difference between autorun and autoplay. autorun and autorun.inf files are what malware uses. autorun has been a pain in the rear ever since it began, and personally I have no problem with USB key not being able to autorun their crapware and sometimes malware straight from the factory.
We're talking computers here people if you want one specific usb key, card or drive to run this can be done, each drive is different, each connection is different.
If you want a security program to check autorun.inf file before they run this could be done too.
Maybe it's time to get people with experience with computers working on security rather than teenagers.
Thanks for the suggestion to compare/contrast AutoPlay, AutoRun
Submitted by Marcus_Soperus on Mon, 08/31/2009 - 11:00am
I've added an in-article link back to the original article about changes to Windows 7's AutoPlay/AutoRun and have also written a new section for the current article that contrasts these features. If you want more control over AutoPlay than Windows XP provides, you will like the level of control in Windows Vista and Windows 7.
-----------------------------------------------------------------------------------------------------------------------
It's amazing how illogical a business built on binary logic can be.
Already had it disabled
Submitted by To0nces on Mon, 08/31/2009 - 9:10am
I prefer to have auto-run off anyway, as I don't like a pop up when I insert a disc.