Microsoft's security team plans to retire a much-abused feature in its Windows operating system that uses flash drives and other removable media to spread malware. Beginning with Release Candidate 1 of Windows 7, the operating system will no longer display AutoRun when most removable media is connected. Up to now, the feature …
Everyone Should Turn Off Auto Run
First of all, there is no excuse in the world to have Auto Run activated on your Windows computer. It is too big a security risk, used by big companies (e.g., Sony) and malware authors alike to abuse your trust and violate your security. It's not worth the tiny convenience.
As for U3, the company has a utility that can remove the faux-CD partition. This partition should be removed from all new thumb drives as it is a huge security risk, and probably a violation of company rules if used in that environment. Again, it's a bad idea whose utility is outweighed by the risk.
Shell Hardware Detection
Startup Type: Disabled
Paris hates virii in her boot, too.
Why do they make it so hard?
Why not just have a "turn off autorun" check box.
They have one for other stupid "features" like hide known file types. All I can think is that they make it hard at the request of companies like Sony and Macrovision who like to be able to install crap you don't want.
One of Microsoft's problems is that they have something called AutoRun, and they have something called AutoPlay. If I remember correctly, the behavior mentioned in the beginning of this article is actually AutoPlay (the window showing the type of media and asking what you want to do), whereas AutoRun is the method used by flash drives and optical discs to automatically run an executable upon insertion. Microsoft has never made dealing with either of these an easy task. Oftentimes, even when you disable AutoPlay for a specific type of media, Windows will pop that window up again the next time you insert a disc/drive.
More importantly, what's so difficult about going into Explorer or My Computer, selecting the drive, and clicking on setup.exe? Is that really such a complicated task that people can't do it? It's so difficult that Microsoft felt the need to automate that three-step process? If you can't follow those three simple steps, then you probably won't be able to use the software once it's installed.
If they insist on keeping AutoRun around, could they at least prevent it from locking up the Explorer process while it waits for the disc to spin up and AutoRun to execute? Inserting a CD should not cause my desktop, Start menu, or any other Explorer windows to stop responding.
now they just need to do the same to windoze
...disable autorun on all drive types EXCEPT for optical drives (CD/DVD/HDDVD/BR drives)?
I sometimes help around my parents' shop and one of the things I make sure is that autorun is disabled on all drive types EXCEPT for the optical drives. If you haven't noticed/experienced it, local/network drives, by default, are allowed autorun. Stupid, huh? I don't see any reason why these kinds of drives would need autorun. Yes, one can think of some reasons; but why?
If they really want to minimize the hole autorun presents, disable autorun on ALL drives EXCEPT optical drives (but also make it easy to completely disable autorun).
13 years later and they only just figure it out
Windows 95 brought you AutoRun
Windows XP brought you AutoPlay
Both are gaping security holes, firmly cementing the common knowledge that Microsoft have not a clue about Security, and that Windows is indeed a single-user operating system with some flimsy multi-user extensions.
Microsoft's security team are getting better now, but that's like saying a convicted rapist who has repented for his crimes is getting better.
There are a large number of features which should be disabled by default but aren't, and most of these features are very difficult to get to, which is why Windows suffers from so much malware and viruses
Do they think like software engineers?
".....if you insert a USB flash drive that has photos and has been infected by malware, you can be confident that the .."
So what about the case where the USB drive does NOT have photos but has been infected by malware?
Windows needed for Mac and Linux security
"now they just need to do the same to windoze"
No no no, we need Windoze because it's "low-hanging fruit" to keep the hackers happily occupied with easy stuff, so that they leave the rest of the os's alone (mostly).
Don't think that if Windows were to suddenly become extinct, that the botnet owners/spammers/etc would just go out and get *real* jobs. They'd just modify their battle-plan to include and target other os's too (nothing is impossible, although as everyone says they'd have to work harder at it).
Disable it everywhere
Why differentiate between optical devices, network devices, local devices and USB?
Malware writers don't
Disable Autorun on all devices regardless of type. Network drive autorun remains a favourite way for malware to spread over a network and USB is obviously hammered on a daily basis. I absolutely guarantee that if you leave in optical devices these will get exploited as well (OK a lot less of a threat but still a threat)
As for the "usability" aspect... If you need autorun to make your computer usable You. Should. Not. Be. Using. One
Technical icon because although this isn't technical at all apparently it is too technical for some!
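The per-drive-type choices argued over in the comments above ("all drive types EXCEPT optical" versus "disable it everywhere") correspond to bits of Windows' NoDriveTypeAutoRun policy value, where a set bit disables AutoRun for that drive type. As an added example, not part of any comment or of the article, this Python sketch audits `reg query` output against either policy; the sample output and the function names are constructed for illustration.

```python
import re

# Bit -> drive type for the NoDriveTypeAutoRun policy value.
# A SET bit DISABLES AutoRun for that type of drive.
DRIVE_BITS = {
    0x01: "unknown", 0x02: "no_root_dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "optical", 0x40: "ramdisk", 0x80: "reserved",
}
ALL_DRIVES = 0xFF                # "disable it everywhere"
ALL_BUT_OPTICAL = 0xFF & ~0x20   # 0xDF: everything except CD/DVD drives

# Constructed sample of `reg query` output; not captured from a real machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0x91

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoDriveTypeAutoRun    REG_DWORD    0xff
"""

def effective_value(reg_output):
    """Return the value in force (HKLM wins over HKCU), or None if unset."""
    found, hive = {}, None
    for line in reg_output.splitlines():
        line = line.strip()
        if line.upper().startswith("HKEY_"):
            hive = line.split("\\", 1)[0].upper()
        m = re.match(r"NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-fA-F]+)$", line)
        if m and hive:
            found[hive] = int(m.group(1), 16)
    return found.get("HKEY_LOCAL_MACHINE", found.get("HKEY_CURRENT_USER"))

def still_enabled(value):
    """Drive types whose AutoRun is NOT disabled by this value."""
    return [name for bit, name in DRIVE_BITS.items() if not value & bit]

def audit(reg_output, policy=ALL_DRIVES):
    """Return (compliant, drive types the policy wants off that are still on)."""
    # Assumption: an absent value is audited as 0 (policy disables nothing).
    value = effective_value(reg_output) or 0
    missing = policy & ~value & 0xFF
    gaps = [name for bit, name in DRIVE_BITS.items() if missing & bit]
    return (not gaps, gaps)

if __name__ == "__main__":
    print(hex(effective_value(SAMPLE)), audit(SAMPLE, ALL_BUT_OPTICAL))
```

In the constructed sample the machine-wide 0x91 takes precedence over the stricter per-user 0xff, so removable and fixed drives are reported as gaps under both policies.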
Ubuntu 9.x added support for autorun
Ubuntu 9.x added support for autorun. Now linux users will be exposed to threats...
As of Vista Auto Run is very useful. Rather than auto running it, it presents a dialogue/menu which allows you to choose what to auto run.. or not.
I use it to fire up a Portable Media Center installation from a portable hard disk. It only saves a few clicks sure, but why not, I was under the impression the computer was here to save me time.
If I don't click run, it's not going to run. Simple as.
And while they're at it...
...if I've told Windows to use iTunes for playing audio CDs and insert an audio CD while doing something else in Media Player, I do NOT want Media Player to drop what it was doing and start playing the CD instead. Just do as you're fscking told, m'kay!
Next dump "My Computer"
How many current Windows users know the difference between Windows Explorer and My Computer? How many even know Windows Explorer exists ?
Yet the difference is crucial -- My Bloody Computer (effectively) autoruns anything you select with it. Not clever.
Meanwhile the more useful Windows Explorer which shows you stuff properly without automatically running it has been demoted to an Accessory.
> More importantly, what's so difficult about going into Explorer or
> My Computer, selecting the drive, and clicking on setup.exe?
Are you kidding? I deal with people, on a daily basis, for whom "My Computer" is too confusing. "Double-click setup.exe" might as well be "Knit a formula 1 car out of star dust" for most people.
You've clearly never worked in IT support where the first rule is "Remember that all users are complete retards".
An even simpler solution
Don't put dodgy media into your PC in the first place and it won't matter if Windows runs it.
S'funny because my experience is that all IT support staff are retards too ...
Disable Autoplay too
I have a fully patched Vista 64 system (I'm sorry too). All the options for autorun are disabled, however when I plug in my external drive array, it still decides to scan the WHOLE BLOODY THING to decide what autorun options to present, even though they are disabled!!
I've tried the registry hacks to disable autorun and autoplay on all media types in WinXP and Vista but then it doesn't automount the drive, and unlike Linux I don't know how to force windows to mount a USB disk that is plugged into it :(
Although to be honest the BIGGEST security aspect with all versions of windows is that you either don't allow a program to run, or you allow it to ravage unchecked. It is the real world equivalent of either not answering your doorbell, or opening the door and saying "come in go through my house, take anything you want, change anything you want, I don't care". Programs can delete / change anything to do with windows or any other program; install services, redirect associations, etc.
how difficult can it be?
Offer to run applications tied to media mime types or an explorer window or "pick your own app" option which can be changed from a "mounted media" list in the toolbar.
Lots of viruses or an extra click for users... and MS takes the virus route.
"Tough on security, tough on the causes of security."
Oi Valve! Where are my linux games?
RE: Re: Why?
Then they should fucking well learn how to use computers. If you can't steer a car you're not allowed to drive --and you certainly can't crash into whatever the hell you like and blame it on a mechanic.
autorun + fedora
Er, actually Gnome has had autorun for a while though it's somewhat smarter.
If you attach a device that contains a known "photo" filesystem (eg a DCIM type folder) it'll start your chosen photo browser. If you attach a device that contains music or is a DVD, it will launch your chosen media player. Otherwise it just opens the file manager. Gnome won't autorun random executables from the removable media.
(admittedly WINE will try to run Autorun.exe if present, but it's easy to Just Say No...)
People could just learn to read
I've seen the types of viruses mentioned that appear in the autoplay menu with misleading names such as "Open folder to view files" and they're horribly obvious. It actually states that it's going to run a program from the drive - if people would just learn to read then there'd be no problem. I don't think it's particularly useful to disable a convenient feature that is perfectly safe for sensible people and claim that you're making things more secure for people that are so stupid that they'll just go find a virus somewhere else anyway.
KDE has done this for quite some years also, and, like Gnome (and presumably other decent desktop managers), it's a little smarter. If you put in an SD card (or other type of storage card), USB stick, USB storage device of other kind, CD/DVD, etc., it will always give you a menu of context sensitive choices, which crucially, can't be changed by the device that has just been plugged in (Microsoft's second mistake, after default autoplay/autorun). The option to open with a limited "open in a file manager" type option, is always an option also.
How it should be!
Especially @ Tom.....
I agree, this is exactly why it still exists. That and the majority of non-expert users who are unaware of Windows explorer. By pandering to these groups of users they become as bad as the malware developers themselves, a menace to safe computing.
Even Paris, I suppose could be persuaded (with a clue by four perhaps) that leaving this functionality in Windows is tantamount to encouraging the ba*t*rds. For smart people, they make some awfully dumb decisions.
Surely even Microsoft can work out whether a USB device is writeable, and if it is, then it can't be a CD or DVD, whatever it claims. Indeed, anything claiming to be a read-only device that is writeable should be regarded by the O/S as deeply suspicious, and grounds for suppressing any autorun that it contains.
And in this case, something like UAC is surely justified. Whenever any USB media is plugged, have the O/S pop up a menu of options like "Explore contents With Windows Explorer (safe)", and "Execute the Auto-run code from the device (unsafe)". Never run anything off removable media without at least one user-supplied click. Software-installation auto-runs ought also to "prove" their bona fides with digital signatures ("Signed by the XYZ corporation" rather than "Unsafe").
@the windows explorer vs "my computer" guys
Errrm, surely if you knew your pc's that well and had a half decent arranged file system you can just click start->run (even easier in Vista/7 no?) and just type in what you want?
Or can't you remember a bunch of folder names?
It's quite simple after all.
Actually someone explain to me the difference between double clicking "my computer" and clicking "folders" or pressing "windows+e". Retards.
A user doesn't care how they get there as_long_as_its_easy_for_them.
To be honest I don't care how they get there as_long_as_they_don't_have_to_call_me.
Autorun/autoplay is a good thing. It's how it is implemented that's the problem.
Autorun doesn't work on my PC anymore anyway
Autorun stopped working on my XP box a couple of months ago 'cos I think some patch killed it for "security" reasons.
A real pain, as I'm literate enough to know what's safe and what's dodgy, and it used to launch WinDVD for me when I inserted a DVD disc, instead of having to ferret about starting it manually.
And yes, I've tried re-enabling it but it just doesn't bloody work!
re: Next dump "My Computer"
"How many current Windows users know the difference between Windows Explorer and My Computer?"
I would say that zero people in the entire world know the difference between Windows Explorer and My Computer. The reason for that is simple -- there is no difference. Both of them are shortcuts to "%SystemRoot%\explorer.exe". The startup behavior is slightly different, in that My Computer starts with no explorer bar, and explorer.exe with no parameters shows "Folders" as the explorer bar. But they both run the same exact program, thus they behave in exactly the same way.
If you run "Windows Explorer", and then double-click the drive (in the main window, not in the explorer bar), it will autorun. If you select the drive in the "Folders" explorer bar, you're telling it to display the drive's contents, so it will not autorun. This is the same behavior you see when you start "My Computer" and tell it to show the "Folders" explorer bar. Neither "My Computer" nor "Windows Explorer" is safer or more dangerous than the other.
Why not just open the folder when a disk is inserted?
That's usually what I want anyway.
@ Sean Gray
You mean to tell me that you 'READ' all that guff each time you insert something? You must be a public servant. I just see icons in a window and click 'cancel'. Then go to 'My Computer' and find the drive -part of my Mac background. The average person has no time to 'read' all those words and sliders and icons being displayed. They refer to what they did before or as always and do that; whichever is quickest but that may be their undoing. If MS has to implement 'Auto...' on insertion of a drive maybe it should open 'My Computer'. Otherwise, that 'Auto...' is rubbish.
18% - That's huge!