Microsoft Blocks AutoRun/AutoPlay Vulnerability in XP, Vista, and Windows Server [Updated!]


AutoRun was originally intended to help automatically start programs stored on optical media. However, once USB drives became popular, AutoRun also became a popular way to launch programs from hard disks and thumb drives by working with Windows' built-in AutoPlay functionality.

AutoRun Versus AutoPlay

AutoRun uses an AutoRun.inf file in the root folder of CD or DVD media and other removable drives to specify what happens when the media is inserted or the drive is plugged into a USB or other hot-swap port. Allowable actions include launching a program, displaying an icon, and so on.

AutoPlay is a hot-swap-drive-specific technology in Windows that displays a list of actions that are specific to the media and its content. For example, if you insert a music CD, the AutoPlay menu would provide options for music playback with Windows Media Player or other installed media playback programs. If you connect a USB thumb drive or hard disk that contains different types of media, the AutoPlay list displays programs that can be used to view or play back each of the supported media types (such as photos, music, videos, and so on) stored on the drive. In Windows XP, AutoPlay is configured on a drive-by-drive basis, using programs such as TweakUI. Windows Vista and Windows 7 control AutoPlay on a media-type basis through the Control Panel's AutoPlay applet.

On removable drives, any executable files included in the AutoRun.inf file are automatically added to the AutoPlay menu [thanks to reader MRrelabled for suggesting this new section - updated 8-31-2009].
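To make the AutoRun.inf mechanism concrete, here is a small audit script (an added example, not code from the original article) that parses the [autorun] section of such a file and reports which directives would launch a program if the system still honoured AutoRun for that drive. The directive names it looks for (open, shellexecute, shell\verb\command) are standard AutoRun.inf keys; the sample file contents and the drive root path are constructed for illustration.

```python
import os
from typing import Dict, List, Optional

# [autorun] directives that start a program: "open" and "shellexecute" launch
# directly; "shell\<verb>\command" is the command behind an AutoPlay/context verb.
LAUNCH_KEYS = {"open", "shellexecute"}

def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs of the [autorun] section (INF is case-insensitive, ';' comments)."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
        elif in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def launch_directives(entries: Dict[str, str]) -> List[str]:
    """Directives that would run a program, as 'key -> command' strings."""
    return [f"{k} -> {v}" for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]

def assess(text: str) -> dict:
    """Summarise what this AutoRun.inf would do on a system that still honours it."""
    entries = parse_autorun(text)
    launches = launch_directives(entries)
    return {"label": entries.get("label", ""),
            "launch_directives": launches, "launches_program": bool(launches)}

def assess_drive_root(root: str) -> Optional[dict]:
    """Assess <root>/autorun.inf (root such as 'E:\\'); None if the drive has none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    # utf-8-sig strips a BOM so the "[autorun]" header is still recognised.
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        return assess(fh.read())

# Constructed sample: an installer-style AutoRun.inf that launches setup.exe.
SAMPLE_INSTALLER_INF = """\
[autorun]
open=setup.exe
label=Product Installer
shell\\install=&Install
shell\\install\\command=setup.exe /quiet
"""
```

Running `assess_drive_root("E:\\")` on a removable drive reports the launch directives that KB971029 stops Windows from acting on, while an icon- or label-only file reports none.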

AutoRun is Not Your Friend (Unless You're a Malware Developer)

Unfortunately, AutoRun's ability to provide instant launching for programs has also been widely exploited by malware such as the notorious Conficker/Downadup worm and others.

First Windows 7, Now the Rest

Back in May, we reported how Microsoft changed how AutoPlay and AutoRun work in Windows 7, preventing USB drives from automatically starting programs using AutoRun. Now, as promised, Redmond's reining in AutoRun's interaction with AutoPlay on Windows XP, Windows Vista, and Windows Server 2003 with its KB971029 security update. It's not available on Windows Update yet, so if you want the update, download and install it manually.

Once you install KB971029, only CD and DVD drives (and programs that emulate CD/DVD drives, such as U3, which is used by SanDisk and other USB flash drive makers) can use AutoRun.

Better Security, But at a Price

Are there downsides to disabling AutoRun? Microsoft points out that you'll need to launch programs from USB drives manually - unless the USB drive emulates a CD drive when you plug it in (such as SanDisk Cruzers and others that use U3 software).

Like the improved security? Find it annoying? Want to report problems with some of your favorite utilities? Hit Comment and sound off.
