Microsoft Windows Autorun Updates Restricts Functionality
One of the updates of yesterday's patch day slipped through my grasps, mainly because I'm running Windows 7 and the update was not for that operating system. Ghacks reader Ilev let me know about it in the comments of my patch day overview guide Microsoft Security Bulletin Overview February 2011.
Autorun has been a problematic feature for some time in a security context as it provides the means to automatically run files on removable drives, network shares, optical discs and other media if an autorun.inf file is present.
The update for Windows Autorun has been available for some time. To be precise, it was first released on February 24 by Microsoft and originally made available on the company's Download Center. Administrators had to manually download the update and install it on devices to benefit from better protection against autorun attacks.
Yesterday changed the manual nature of the update as Microsoft pushed it on Windows Update; any device with Windows Update set to automatic receives this autorun update automatically.
The update applies to all pre-Windows 7 Microsoft operating systems including Windows XP, Windows Vista and the server operating systems Windows Server 2003 and 2008. Windows 7 is not affected as it already has the restriction in place.
The update restricts AutoPlay functionality to "CD and DVD media". This protects customers "from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file".
It basically blocks AutoPlay on all devices and media except CD and DVD media even if they contain an autorun.inf file. The only information that is accepted from autorun files is label and icon, any other keys, e.g. action which links to a file, are ignored.
Customers may experience several issues after applying the update, including:
- Many existing devices in the market, and many upcoming devices, use the Autorun feature with the AutoPlay dialog box to present and install software when DVDs, CDs, and USB flash drives are inserted. The AutoPlay behavior with CD and DVD media is not affected by this update.
- Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB flash drives. Users will have to manually install the software. To do this, users click Open folder to view the files, browse to the software's setup program, and then double-click the setup program to run the program manually.
- Some USB flash drives have firmware that present these USB flash drives as CD drives when you insert them into computers. The AutoPlay behavior with these USB flash drives is not affected by this update.
The update is only offered if it has not already been installed on the system. Additional information about the update are available at Microsoft's Security Advisory and the blog post Deeper insight into the Security Advisory 967940 update by Adam Shostack.
The change to how Autorun works was first made available in Feb. 2009.
Also, it is NOT automatically installed. While, yes, it is available in
Windows/Microsoft update, it is an optional patch.
And, since it is only a partial disabling of autorun, why bother?
A full total disabling of autorun on ALL devices can be done with a simple
registry patch. See
http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives
M$ is taking the steps of Apple, deciding for the users how to run their computers, and all in the name of security ? So once again, the user is stupid, we know better…
Are you right in the head Ronen? Disabling Autorun means users can have greater control of their computer since it won’t automatically run programs when you insert a USB. Using your kindergarten logic, *nix should give all users root privileges. Wow!
Autorun eater would be a good choice too instead of this Microsoft patch.
Instead of this update, we could install Panda USB vaccine,USB Guardian,etc. or tweak registry to disable autorun.