Posted 09/14/09 at 05:49:54 PM by Jason Barry

On Friday, Microsoft pushed updates for Windows operating systems that disables the AutoRun feature for non-optical devices.  This update affected Windows XP, Vista, Server 2003, and 2008. Microsoft already disables the feature in the, soon to be available, Windows 7 OS. The update was available voluntarily back in August.

AutoRun (and AutoPlay) was originally developed out of convenience to eliminate the need for users to browse the media for the correct file to open.  However, recently it has been exploited to automatically run malware and other obtrusive software applications without the users consent.

Interestingly, the update doesn’t cripple removable optical media (i.e. CDs and DVDs) from running AutoRun procedures.  So companies, such as U3, who manufacture their devices to represent themselves as CDs are largely unaffected by the update.

Read More

Posted 08/31/09 at 11:41:03 AM by Mark Edward Soper

AutoRun was originally intended to help automatically start programs stored on optical media. However, once USB drives became popular, AutoRun also became a popular way to launch programs from hard disks and thumb drives by working with Windows' built-in AutoPlay functionality. Unfortunately, AutoRun's ability to provide instant launching for programs has also been widely exploited by malware such as the notorious Conficker/Downadup worm and others. Microsoft changed how AutoRun works in Windows 7 RC, but until now, Windows XP, Windows Vista, and Windows Server 2003 have been wide open to USB-based AutoRun attacks. To find out how Redmond's reining in AutoRun, join us after the jump.

Read More

Posted 05/01/09 at 07:04:35 PM by Mark Edward Soper

AutoRun and AutoPlay, Microsoft's "dangerous duo" for launching programs from CD/DVD and other removable media types, have become among malware authors' favorite infection vectors - and Microsoft has finally said, "enough already!"

A research study by Forefront Client Security cited by the Engineering Windows 7 blog determined that infections that can be started with AutoRun amounted to 17.7% of detected infections in the second half of 2008.

Although AutoRun was originally designed strictly for optical media, it can be used for other types of media. For example, you can create an autorun.inf file that adds the program on the media to the AutoPlay menu Windows displays, and change the default icon to make the malware program mimic a legitimate program. Conficker used this method to spread, as illustrated here.

Starting in Windows 7 RC, Microsoft has changed how both AutoRun and AutoPlay work:

1. AutoPlay no longer supports AutoRun on non-optical removable media. An autorun.inf file on a USB or other type of non-optical removable media will be disregarded. Only AutoPlay options that pertain to the types of files on the media will be listed.
2. When AutoPlay displays programs present on the media, the dialog now states that those programs will be run from the media.

To learn more about these changes, and to find out what other Microsoft operating systems will eventually get similar protection, join us after the jump. 

Read More