Microsoft has finally removed a function from earlier versions of its Windows operating system that has been widely abused by miscreants to surreptitiously install malware on users' computers. The feature, known as AutoRun, allows Windows machines to automatically execute certain programs - such as media players or installers - …
CD and DVD malware
I expect that they kept autorun at the request of macrovision and friends so that they can continue to protect "high value" music and video from being ripped by morons.
Even idiots know to turn off autorun or hold the shift key down.
I hate U3 autoboot software but I love the hardware it sits on.
We're Talking AutoRun Again?
Service Name: ShellHWDetection
Display Name: Shell Hardware Detection
Startup Type: Disabled
Don't be fooled by the service's name, all removable media is still detected upon insertion, it just doesn't Auto-Run or open a pop-up annoyance window . Works on XP, Vista SP 1,2 & 7 with no adverse effects... unless opening My Computer to access the media is adverse?
Why is a simple solution ignored in lieu of reg tweaks and updates and patches in every!single!disable!autorun! article that comes out on a monthly basis?
It's a start now what about...
...enabling file extensions all the time as well? Why are they hidden by default? Another blindingly stupid "default" decision.
@tuna 1: Thanks for the tip! I'll be sure to add that to the enormous long list of "crap to be disabled".
The U3 thing is annoying indeed. You can get software to remove the thing from your USB drive, search on line (e.g. Sandisk's website has a link to it in their FAQs or somewhere like that). Even for me, using Linux, the thing was slightly annoying, because it sometimes popped up a CD icon on the desktop besides the USB drive's icon. The really annoying part was when I used the drive in computers running Windows and forgot the damn U3 software was there... I had to then wait for the stupid thing to run its course.
Now, end of the AutoRun altogether is not a bad thing at all, really. Although the pop up window asking what to do (run this, do that, ignore) seems fine to me. Besides the occasional annoyance, is there any other problem with that, from a security stand point?
Autorun or AutoPlay?
"On Friday, Microsoft announced the availability of updates to the XP, Server 2003, Vista and Server 2008 versions of Windows that removes the AutoRun popup window when some types of removable media is connected. The change doesn't affect optical media such as CDs and DVDs, a shortcoming we'll get to in a moment."
What are we talking about -- Autorun or AutoPlay? People use the two terms interchangeably, but there is a difference. Autorun, as the name implies, instructs Windows to execute (run) a certain application. Said instruction is stored in the autorun.inf file. AutoPlay is the mechanism which detects the type of media and its content, and displays a list of potential applications for viewing such content. The above quote sounds like it's really talking about AutoPlay rather than Autorun. Autorun does not display a popup window, it just runs whatever the autorun.inf file tells it to.
"Don't be fooled by the service's name, all removable media is still detected upon insertion, it just doesn't Auto-Run or open a pop-up annoyance window . Works on XP, Vista SP 1,2 & 7 with no adverse effects... unless opening My Computer to access the media is adverse?"
I wouldn't be so quick to make that statement. I had disabled that service a while back for this very reason, but I had to re-enable it because something wasn't working properly. Unfortunately, I don't remember what the issue was, but I do remember that it did have adverse effects, leading me to re-enable the service and use the registry modifications instead.
Two years ago I helped run a conference, with three parallel tracks. All the presentations for each session were pre-loaded onto memory sticks, updated during the break between each session. The U3 junk meant an extra delay each time a stick was inserted in one of the (Windows) laptops the presenters were using; fortunately, the Macs being used to load the data were unaffected. For the second conference, I made sure to buy the memory sticks myself - double-checking there was no U3 infestation anywhere in sight. Of course, there was no time to find or apply registry tweaks or anything else to hack around this irritation (although ISTR holding down shift avoided it, if I got the timing right).
The fail, of course, is that it took MS this long to apply a fix: far, FAR too many virus-laden Windows machines out there pumping spam, 419 scams etc thanks to design faults like this.
Well wtf is everyone doing plugging-in or inserting 'unknown' content into their USB/CD/DVD drives?
Other than the few retail apps that I have bought/buy, I never plug in unknown content.
This is like surfing to unknown sites.
Better late than never eh?
Of course this happens *after* we spend the entire 6 weeks holiday rebuilding our network, only to have viruses discovered 1 day into the new term when about 300 of the little 'darlings' plug in their memory sticks, all seemingly infested with autorun-style viruses (luckily the AV caught most of them).
I hope I meet a virus writer one day, so I can smash his head into something hard =)
If U3 misreports the device type any security issues are U3's problem, not Microsoft's.
Microsoft has done the right thing by removing autoplay from writable media, while leaving the convenience of autoplay for read-only media.
About time... my Linux desktop doesn't have any autoplay vulnerabilities. I for one welcome our new penguin overlords.
So no Sony CDs from HMV, or DVDs that might have ripgard on them or MP3 players, LCD Photo frames, GPS that have come pre-infested from the factory? At least you can still plug a mouse into your computer.
About bloody time, and too little too late.
The entire autostart/autorun thing struck me as a huge security risk when it was first offered (officially) with Windows95. As everybody knows these days, my fears were vindicated within weeks when the first strains of malware used that "feature" (no, MS said, it's NOT a bug...) to procreate.
So 14 years after the fact, MS finally admit that there just might be a bit of a security risk in there... one that the insufferable security "warnings" of the MS "Security Center" built into some versions of XP, all of Vista and W7 never even squawked about. *sheesh!*
OK, they never told the user to get rid of ActiveX either, which is at least as dangerous. (Got mail? Click here to auto-install the latest version of our botnet client...).
All in all, I am reminded of a few of the reasons I had for choosing to stick with so-called "alternative" operating systems. I first experienced XP about five years after it came out, and even after all of my preconceptions I was shocked. The OS assumed that the user had to be reminded of the fact that he/she just put a disc in the optical drive? How pathetic is that? (and I do realize that both Ubuntu and SuSE have, unfortunately, followed suit. When will they realize that most of their customer base does not suffer from Alzheimer's and is perfectly capable of double-clicking the drive icon on their desktop to access the data? And no, I am not being unfeeling here; my own grandmother was an Alzheimer's victim but even she was mentally fit enough not to need the OS to tell her what she just did five seconds ago.
Gimme the coat with the list of pubs in its pocket. Hopefully, by the end of the evening, I won't remember I put a DVD in the drive.
@Tom 35 22:19
"CDs and DVDs" - that's what a CD/DVD Player connecteds to your TV is for.
"...pre-infested from the factory" - if that's the case, the installer or application itself may have a trojan, so installing it whether it autoplay's-or-not is irrelevant, you're infected anyway.
Haphazardly plugging anything into your PC is no different than haphazardly surfing any web site.
People are learning [usually the hard way] to take precautions when surfing. The same should be done with any other "new" content regardless of where it comes from or how you get it onto your PC.
Blaming MS for the issue [in that autoplay should be removed] when it is ultimately the responsibility of the end-user, is typical "protect me from myself" idiocy.
Doesn't a U3 device appear as two disks, with only the part containing the U3 software appearing as a CD (and isn't that part read-only and thus won't be carrying malware anyway?)? Correct me if I'm wrong.
Anyway, now we just need something to block U2 albums...
Remember the Maine, er, Mac...
Didn't we first see this "attack" back in the early days of Macintosh, where malware was loaded into the resource fork of the Mac file header (or what ever it was back then)? And didn't Apple fix the problem very, very early on...so early on that this has become know ONLY as a Windows problem thereafter?
Sometimes it just takes a Global Village of idiots...
Ok I actually like the U3 software for the password lock you can have but I cant get the damn thing working on the schools computers here not because of any security on the systems it just wont bloody run. Grrrrr......
"Well wtf is everyone doing plugging-in or inserting 'unknown' content into their USB/CD/DVD drives?"
Its not just about sticking unknown content into your USB drive. I often have to stick my SB memory stick into someone elses computer to use cleanup tools. Just a few times I have had the spyware/malware that I was trying to clean out silently install software onto the USB stick. Then the USB stick, once inserted into another computer, autoruns and infects it with spyware/malware. The infection uses the autorun feature to help spread, therefore the autorun feature is just another infection vector.
Of course having said that I have had people call me up to complain that thier CD drive isn't working and when I get there I find it is working perfectly. When I ask them why they think it isn't working they shove a disk in and wait and then say, "see, nothing happens!" So no autorun or autoplay pops up and they think its broken! Oh dear. I can see it now, dozens of complaints that their disks aren't working because they don't know how to select the CD/DVD drive and click "setup". That's what you get from raising a generation of people on windows!
@Dave29: No problem, I wish all MS end-users learned from the get go to navigate to the device instead of the nag pop-ups/auto-plays.
@Chris C: My interest is piqued, I'd like to know what the problem was and how re-enabling SHD resolved the issue. I have been disabling this service(amongst others) on all my & my clients' MS OS's for 2 or 3 years w/ no adverse effects(personal and enterprise). I have found nothing of note Googling, except the vulnerabilities associated w/ keeping it enabled and DVD drives may be labeled as a CD drive in My Computer.
AutoPlay only introduces a RISK if a user clicks on an icon that they don't understand. Period.
Taking this away from those of us who think isn't right.
About bloody time Microsoft removes an obvious security problem/annoyance from Windows. Happens ever-so-rarely, though.
"'CDs and DVDs' - that's what a CD/DVD Player connecteds to your TV is for."
You don't "rip" your CDs onto your computer? Well, most of us do. I have well over 1000 CDs. I like having them all encoded on my computer so that I don't have to continuously pop one disc out and another disc in. Not only is it much more convenient, but it also massively reduces the damage done to the discs. I also like being able to listen to my music in my office without having to purchase an additional stereo and sound system. That doesn't even get into the issue of data CDs, multimedia/"enhanced" CDs, etc.
"'...pre-infested from the factory' - if that's the case, the installer or application itself may have a trojan, so installing it whether it autoplay's-or-not is irrelevant, you're infected anyway."
I believe what the original poster was referring to was the multitude of instances in which USB storage devices and media players had been infected at the factory (in other words, devices which should not contain executable content in the first place).
"Haphazardly plugging anything into your PC is no different than haphazardly surfing any web site. People are learning [usually the hard way] to take precautions when surfing. The same should be done with any other 'new' content regardless of where it comes from or how you get it onto your PC."
Actually, most of us browse previously-"unknown" websites literally every day. On top of that, every single visit is a gamble. The fact that a site or page did not contain malicious code during your last visit says literally nothing about your next visit, especially with the prevalence of third-party, dynamically-generated content such as banners and ads.
As for "haphazardly plugging anything into your PC", you're telling me that I should not plug a USB flash drive into my system unless I know what's on it. Fair enough. So how do I determine what's on it without plugging it in?
@fastoy re: AutoPlay
"AutoPlay only introduces a RISK if a user clicks on an icon that they don't understand. Period... Taking this away from those of us who think isn't right."
Most of us find AutoPlay to be one of the most annoying things Microsoft could have done, and we're happy about having the option to disable it. If you want to keep AutoPlay enabled, there's a simple solution for you -- don't install the update. See how easy that was?
There'd better be a way to re-enable this feature or a well labelled update which removes it.
Some of us ONLY insert camera memory cards, Blu-Ray films and audio CDs into our machines.
Auto-play is one of the nicer features of windows, just because there is a vociferous group who cannot be bothered to hold shift when inserting something dodgy why make the rest of us suffer?
Oh and I like Vista too.
Disabling autorun is fine, but did they ever do anything about the fact that when you doubleclick on the drive icon from explorer, windows _still parses the bloody autorun.inf_ which allows redefining what "doubleclick" does.
Disabling that feature on XP ws rather complicated too.
Now when is Steve gonna do the same for OSX? Absolutely stupid to have anything on any O/S autorun on media insertion!
U3.. I hate them with a passion
Why is it that when you simply plug one of these things in it creates folders and registry entries all over the place.
If its on a USB Stick it should be a true portable app.
A little bit late...
Didn't this horse bolt in, like, 1996? Next up from Microsoft, servicing your Austin Allegro...
All you have to do to get around this is hack the memory stick to present itself as a CD drive to the OS? Or is that not possible on a regular (non U3) device?
Only A Matter Of Time Then,
... till malware starts to exploit XP's built-in disc burning engine so a virus writes itself to CD/DVD thus enabling it to continue Autorun(ning).
Now when I ran this patch on an XP box, why the heck did it need to spin up the half dozen sleeping hard drives instead of just writing the bloody files to the windows partition on the already awake drive? They really don't know how to do anything conservatively I suppose.
On a related note, I suppose we can forecast that they'll finally iron out all the major Win7 issues within the same period we waited for this fix *from them*, around 2016?
How Simple Can It Be???
For XP Pro, create a .reg file with this line:
You can then create an "undo" .reg file that simply removes this entry from the registry.
For XP Home use TweakUI
That's your fault for not scanning your USB stick after plugging it in. Has it occurred to you that the infection could be spread to executables on the USB stick instead of using Autorun? If you're negligent enough to grab media from an infected PC and assume it's safe to plug it into someone else's PC it's your own fault when it goes tits up, nothing to do with Autorun. If you're really that adverse to it, hold down shift.
So how many people do you think have writable CDs/DVDs sitting in their drive at time of infection?
The bad guys cry........
"see, nothing happens"
I had a devil of a time* trying to put across to someone at work that just because there was an autorun.inf on the memory sticks (for distribution to likely customers) to run the presentation it didn't mean that they would all run because you couldn't predict the different autorun settings.
And it was also possibly a reason why they didn't test out on different machines at work**
*In fact I gave up.
**turned out some of these (very cheap) sticks were broken and we should have had the supplier load the presentation (but then noone asked my opinion )
Don't disable autorun! My "install linux as soon as dropped in drive" disk will stop working
I've disabled autorun using the IniFileSettings registry patch, as the other ones seem to have too many gotchas, like device types not covered or the possibility of your setting being overriden by some other registry value that somehow takes precedence.
This one tells the OS, if you ever feel like loading AUTORUN.INF, look at this bit of the registry instead, where you'll find nothing. Nothing is what I want you to see when looking for AUTORUN.
You lose the benign icons and names, but I can live with that. I'd much rather that Windows treated all executables on removable devices (including CDs) like they were downloaded files, so you get the "are you sure" message and signature check.
MS can't win either way. Damned if they do, damned if they don't.
I actually think AutoRun was a good idea, but not in the form it's implemented. It needs sandboxing.
@ Dave 129:
Completely agree with you about the file extensions being hidden by default, it's a really stupid idea. Really really stupid. Showing them doesn't really hurt the users, but not showing them can them badly. It's one of the first things I change on a Windows install.
The vociferous group is actually the one that understands the security risks. You do not appear to. We are usually the ones who are also aware that the obvious vulnerabilities in AutoRun are spreading viruses and malware, which affect EVERYONE who uses the net.
Let's say you are out with some friends, and you take some nice pics on your DSLR. Your friends say they would like to have a copy of the photos - and just for the sake of convenience, you pop your CompactFlash card in the card reader on their PC, so you can copy the pics over directly, rather than faffing around later and sending them a DVD in the post. Within a second or so, and without your knowledge, you now have a virus on your CompactFlash card, which, after you finish copying the pics from, you duly take home and pop in your PC to transfer the files from. Bang! You get infected, and your PC is now yet another hub in the spam network dedicated to marketing penis extensions to my mother.
I'm all for AutoRun opening up the media root folder *and* *that's* *it* - but this funny shit where any executable could be run without user approval - on any form of removable media, needs, I'm afraid, to be dragged out and shot in the head. Now. This patch is A Good Thing.
@How Simple Can It Be???
And some people like to say that Linux is hard...
Oh, yeah, and the hiding of the extensions by default is pure evil too.
Users unwilling to learn
It's switch off on my Wife's computer. She is an unwilling novice, and a bit of a luddite as well. She does not remember what I tell her about computers from one day to the next, mainly because she just doesn't care.
All I hear from her is "I've put my CD in the drive, and it's not working" when she puts one of her craft CD's in the system.
God knows how many times I've told her, but the instructions on the CD cover tell her that it will autorun, and she trusts that more than she trusts me. It's driving me crazy.
This type of software is written for people who will never care about how computers work, and uses every trick in the book (and some daft ones as well) to try to make sure that the computer is just an applience. I can't even install the software on the hard disk, because the STUPID and SIMPLISTIC copy protection system KNOWS that it will ALWAYS run from drive D, and has hard coded-paths scattered throughout the software. Of course, nobody partitions their hard disks, do they!
After reading Olli Mannisto's post, I realize I may have mis-spoke. It was a while ago, so I don't really remember, but I do vaguely recall thanks to Olli's post. I think my issue was not really an issue, but more of an incredible annoyance. I think it was that disabling the shell hardware detection service prevented Windows from automatically executing autorun.inf upon insertion, but Windows still executed it when I double-clicked the drive in My Computer, Explorer, etc (whereas the NoDriveType and HonorAutorunSetting registry entries in KB967715 stopped execution in both instances). I'm nearly positive that's what my issue was. Sorry for the confusion.
- Product Round-up Smartwatch face off: Pebble, MetaWatch and new hi-tech timepieces
- Geek's Guide to Britain The bunker at the end of the world - in Essex
- FLABBER-JASTED: It's 'jif', NOT '.gif', says man who should know
- If you've bought DRM'd film files from Acetrax, here's the bad news
- Microsoft reveals Xbox One, the console that can read your heartbeat