Autorun attacks from CD
"..Microsoft has yet to see in-the-wild attacks that exploit Autorun on “shiny media.”..."
Err, Sony DRM?
After a decade of abuse, Autorun is finally being retired in older versions of Windows. On Tuesday, Microsoft began pushing an update that changes the way Windows Server 2008 and earlier versions of the OS respond when USB thumb drives and other portable media are plugged in. Until now, those versions dutifully executed code …
"..Microsoft has yet to see in-the-wild attacks that exploit Autorun on “shiny media.”..."
Err, Sony DRM?
mentioned by Microsoft who did not want autorun to be removed. Geddit ?
But apart from the Sony DRM, other rootkits, annoying pop ups, trojans, viruses, spyware and generally running stuff we don't want, what have the autoruns ever done to us?
It is not enough to have Autorun turned off by default. There must be no possibility of it being re-activated, not even by tweaking the registry. In other words, total excision of Autorun.
People who know what they are doing may have good reasons to use autorun, better that it is hidden away as a registry setting that only those who need it can use.
Even after setting NoDriveTypeAutoRun to 0xFF I've had it mysteriously come back on.
This page: http://windowssecrets.com/comp/071108#story1
documents a useful additional piece of protection, which if autorun does manage to launch, redirects it to perform a useless action instead of executing the commands in autorun.inf. I tested this idea with autorun ON and some simulated malware on removeable media, and it does seem to protect the computer.
Why would such people have any need for Autorun in the first place?
Puzzled by thumbsdowns.
Does anyone know what the hell use it ever was?
It was so users did'nt have to click on the CD drive icon on their desktops to start a program on the disc
I've seen quite a few CDs that launch via autorun Adobe Reader or Macromedia products (now Adobe) that are included on the disc to pull up an index or menu of documents contained on the CD... it's done for those people not smart enough (or perhaps too lazy) to be to open the CD manually and then the appropriate application or document file themselves...of course it seemed like a good idea at the time it was developed to have this functionality but we all know the problems that it has led to years later...
It was for software and driver developers so that they could pop up a useless resource hogging animated thing with sound and crap as soon as you plugged in a CD. Doesn't matter that all anybody ever did was click on the "Install the damn software" button, which could've been much easier if they'd just included on the box:
1) Insert CD
2) Browse to CD in Explorer
3) Double-click on setup.exe
Instead, a lot of them seemed to put more effort and energy into their flashy autorun screens than they did in their software.
"2) Browse to CD in Explorer"
some people today still have problems with this step....
I have lost count how many times i have hat to tell people, "hold down the key with the windows logo on it and press E... blah blah blah"
"it's done for those people not smart enough (or perhaps too lazy) to be to open the CD manually and then the appropriate application or document file themselves"
Sounds like the entire of Windows 7
"of course it seemed like a good idea at the time it was developed to have this functionality but we all know the problems that it has led to years later.."
We'll see (or rather in W7 we won't see as it keeps everything as hidden as possible)
to kick off a software installer. Even people like PCW used to use it for their cover-mounted CD and DVD's.
I've installed a recent HP printer, and it used autorun (the installation instructions did document how to run it without auto run, but it was phrased like "If the installer program doesn't automatically start, open the CD, and .....").
My significant other (worded to attempt to not to upset the Moderatorix) has some craft software that needs the CD inserted explicitly in the D: drive (and heaven forbid if your CD is not the D: drive), and the instructions for this expect autorun to work, and do not contain an alternative. I keep explaining this, and she keeps telling me that her computer is broken because the software does not start. Grrrrrrrr.
I think too many of the people commenting here are in the Windows support business, where they are in control of any software installation, and do not talk to home and SOHO businesses where simplicity and hand-holding is essential for people who just use computers as tools.
I can't be so old that this has passed out of memory, can I?
Changing the name of the file browser from File Manager to Explorer didn't help much.
Me: Start Explorer
User starts Internet Explorer
> Instead, a lot of them seemed to put more effort and energy into
> their flashy autorun screens than they did in their software.
There's a reason they (proprietary software makers) do that, making the sure the user does not gain empowerment.
If the user had to follow the same simple steps to do something then they might gain understanding of the computer. If the users have to deal with different things to achieve the same ends, or face interfaces that look different with similar products, then the users are much less likely to gain an understanding of the system. And when someone does not have understanding but has to use a system, they become dependent on third parties to progress on that system. And that is where industry steps in, to "monetize" the people's needs.
The software industry is also mature enough that it recognises this, and so very few (if any) proprietary products dare try to empower the user. They dazzle with shiny-shiny, and let the user think they have witnessed some magic.
Actually providing what the user might really need, empowerment, is not going to be forthcoming from proprietary software vendors (and to a lesser degree some Free software, the stuff that copies proprietary paradigms, like dumbing shit down to chase the mass-market (eg Firefox)).
A parallel to this is the times tables. I'm sure you can imagine how a person could learn their times tables by rote, yet still not understand the principles behind multiplication. That person would be fine with multiplication right up until the point where they need to work out more than 12x12. To do more, they need third party help, a calculator.
But a person who understands multiplication does not need the services of a calculator company, they can work it out in their head, or on paper. Proprietary software gets in the way of people's understanding of computers, and that lack of understanding is used to sell software. And software that varies little between versions, and is basically the same stuff re-heated with a few extras slung in.
That is why so much effort is spent on the autorun BS.
Like the Sony root kit?
I guess that falls under "resistance from some partners who rely on the feature to install programs".
And a healthy "fuck you" to everyone who ever manufactured a piece of hardware that installs its drivers via Autorun.
"Microsoft didn't retire Autorun sooner was the resistance from some partners who rely on the feature to install programs that accompany their hardware"
So, basically, some dumb bozos who can't be bothered to do things in a safe manner got us years of malware crud? And the rest of M$'s customers got ignored?
What this reminds me of is how long it took M$ to turn off auto-running code in Outlook. IIRC they said something like "our users benefit from this integration". Finally turned it off after years of aggravation and after it was obvious to world and dog that this approach was an oft-repeated accident that had happened again and again. Prior to that, users also had to tinker with the settings to turn it off.
Come on guys. I know you won't get everyone to love you. But the least you can do is pay some attention when obvious security risks come to light and lock things down rather than pretend all is well.
BTW, U3 blows too, regardless of it being a security risk or not.
That finally made Microsoft do something.
I'll never forgive them for Outlook Express.
Penguin. Because they hate HTML email too.
I took great pleasure, whenever I removed U3 from a stick, in filling in the box which asked why.
is autorun renamed to something different in windows 7 cos it is still happily working for me (64 bit home premium).
Steen Hive - it opens up the explorer window when the device is ready, saves me having to go start, my computer. i also use autorun for having custom icons for my partitions (i have 5). it was nice to do this for usb sticks too. always seemed to impress people at internet cafes etc (yeah i know being cute for no reason haha).
security essentials has picked up any bad versions of autorun so far for me (e.g. copying files to friend's usb sticks or wiping mine having used it outside)
don't autorun anything, they do still pop up a dialog asking you what you want to do though, with autorun.inf entries at the top. It's how it should have worked from the start, a kind of halfway house catering for the people who are too lazy/stupid to browse to the files on their own, but without the security issues of autorunning anything.
And they said /etc/asterisk/extensions.conf was hard to understand.
"And they said /etc/asterisk/extensions.conf was hard to understand."
depends who wrote it and how old it was... :P
That's AutoPlay. The difference between AutoRun and AutoPlay is that AutoRun just blindly went off and ran whatever EXE the autorun.inf file told it to run.
Whereas AutoPlay looks at the content of the CD/DVD and then pops up a menu presenting you with some options (eg. view the pictures on this CD) and asking you what you want to do next.
AutoPlay solves the problem of people who don't know how to go browse the contents of a CD and find the setup.exe file vs those who don't want some virus riddled exe to startup as soon as they pop the disk in the drive.
I don't think saying SONY in big bold letters is large enough yet, so yet another who's going to say it.
Anything legal ever happen in regards to that? cause seriously ....
Sony got beaten with a disintegratingly wet noodle. If you or I had done it we'd be in jail but it was a company doing it so ....
The obvious solution is to have Windows show a dialog box: "You have inserted a CD / DVD / USB stick. Do you want to run the setup program? (This may make changes to your computer)"
For bona fide application or game install discs, the user would pick yes; otherwise no.
As it stands, when I plug in my digital camera I get the default Windows prompt asking me if I want to run a particular application with it. Seems simple enough.
You made a logical assessment of what should happen. That was your first mistake.
In reality.. Popup window comes up and user clicks OK. Clicking OK is how one closes a popup. The most dire warnings get put through a mental filter and come out as "Click OK to close this nasty scary popup".
Reading popups is dangerous. It must be avoided at all costs. Because if you have read the popup, you might be responsible for what happens next. Then you can't tell your computer repair serf that you don't know what happened. And picking that MP3 player or USB stick up off the street couldn't possibly have wrecked the work network... could it?
There are two camps of non techie users that I know of.
Ignorant: I don't know, and I don't care
These people just click yes to everything and cause a friend / relation many hours of grief trying to clean up their system
Ignorant, but scared: OMG! What has popped up on the screen, the world is going to end
These people generally have clean computers, if only because they never get turned on. These people cause friends / relations hours of grief as everything they need to do online is done over the phone, with said person giving information and the friend / relation filling in the form
(Yes I am bitter at wasting my time)
But I think that it means anything that a techie thinks is a good solution is likely to fail at the first hurdle for a real user. I am including my own solutions to regular problems here (how hard can it be to teach someone to press two buttons? Very aparently.)
So if you use your pop up window I think it would just be people not clicking on it ever, or clicking on it regardless. The biggest security threat to a computer is the person sitting behind it...
..most of mine sit in front of the computers, not behind them :-)
I think that are interchangable, but I do hear lots of people complain that their partners spend all night behind the computer...
I can just go for PEBAK if you want?
And really, you had to be annonymous for that comment! Coward :)
IIRC there was a USB based file transfer gadget (2 USB cables with some sort of box-of-hostmode-tricks in the middle, or a fancy pants null modem cable if you prefer) that had it's drivers embedded in the device so that plugging it in to a computer would fire up the transfer software with no need to install anything. This thing was marketed through infomercials to the computer illiterate as an easy means of shifting data from their desktop to their laptop etc.
I know this all sounds pretty idiotic to us reg readers, but to the computer illiterate (and their tech savvy children / grandchildren) the "plug it in and it works" functionality was a pretty useful feature. That said, having the OS execute any old code if happens to find on a USB device just because you plugged it in is and always will be a fucking stupid idea.
> Adam Shostack, a program manager for Microsoft's
> Trustworthy Computing group, said here that Microsoft
> has yet to see in-the-wild attacks that exploit Autorun
> on “shiny media.”
Apart from the obvious Sony rootkit, I remember seeing a download years ago that used autorun to bypass the screensaver on windows 95. If the screensaver was password protected, you could pop in a CD, it would autorun, switching off the screensaver's password and allowing the attacker to get to a desktop that was meant to be inaccessible
Yes, I know, 9x, no real security. But it is still an attack that used autorun on shiny media. Your sweeping PR statements are no match for my memory, Shostack!
In Windows 9x you could just click cancel on the password screen to get past.
Not so - you could click Cancel on the Windows Login screen to get logged in as the previous user, but not so on the Screensaver password prompt - clicking Cancel there just went back into the screensaver.
Viewpoint Media Player is a very viral dvd player that comes packed onto loads of DVD movies, and it installs itself without asking.
I have seen XP come to a crawl just because of this stupid thing, not on my XP build tho, i disabled those Security flaws for my customers over 2 years ago. I get the occasional person I have to explain to double click on my computer. Apart from that and ofc the stupid 3g sticks and their stupid modeswitch.
I wouldn't mind, it's just another of the 500 to 1000+ registry entries that are wrong by default. How else are the MCP's going to make any money? ::)
Who still runs Windows Update on 95, 98, Me, 2000 or NT? Or for that matter, who still uses them?
A depressingly large number, I'm afraid.
However, while I still use XP and 2000, it is a VM on Linux now, and I generally disable networking and USB access wherever I can, in addition to having turned off autorun on ALL drives by the registry tricks.
Really, as already said in these posts, autorun was a dumb idea in the first place and only sustained by those who cared not two hoots about security and freedom from crud ware.
I'm pretty sure whoever is using them, isn't going to do any updates!
I've got a Win 98 box still running, for my old games. It's going nowhere until X-Wing or Tie Fighter get remade properly.
Paris, because she's good for old games too, allegedly.
As I recall I don't think it took registry fiddling or running fixes to turn AR off. You just had to know where to look.
Microsoft's Trustworthy Computing group !
Apple still enable auto run on the Mac. They don't even have a temp disable key - hold down the shift key - like windows did.
What are you smoking? There's no auto-run on OS X. The disk gets mounted, but that is all.
"Adding the change to the official Windows Update mechanism means millions of users will turn it off automatically."
Not so. There were 10 updates for Vista yesterday and only 9 of them were automatic. Guess which one wasn't!
Closing the stable door after the horse has bolted, got out into the sheep field and scared them all, been captured, returned to the stables, had a long and productive working life in a variety of capacities, spent a short retirement giving children rides before being carted off to the glue factory, shot in the head with a bolt, boiled down, made into glue and sold in newsagents up and down the land.