Thumbnailing *is* a sort of autorun
Automatically generating thumbnails is a restricted sort of autorun - it runs an executable, possibly containing known bugs, on input files under the control of an attacker. It's therefore an unsafe thing to do by default. Unsafe, but useful.
There may be sane half-way houses. Refuse to thumbnail any removeable device. Refuse to thumbnail any NTFS or FAT filesystem. Refuse to thumbnail any file not owned by the user. Absolutely refuse to thumbnail if the user is root.
The trouble is that most non-root users are going to open a file with a reader to see what it is, even if the system doesn't automatically thumbnail it for them. Also they can unknowingly download an attack vector off the internet without involving a removeable device. Their web-browser is probably far more of a danger!
At the end of the day, at least on Linux your user is an unprivileged account. (Also just about possible on Windows, but very many users do everything with Administrator privilege on their own PC, whereas you have to be actively perverse to do that on Linux)
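The four restrictions listed in the comment above, sketched as a pre-thumbnailing policy check for Linux. This is an added example, not code from the original post or from any real thumbnailer. The function names, the filesystem type list, the sysfs `removable` lookup and the sample mount table are assumptions of the sketch.

```python
import os

# Linux fstype names treated as "NTFS or FAT" (assumed list; ntfs-3g shows as fuseblk).
FOREIGN_FS = {"vfat", "msdos", "ntfs", "ntfs3", "fuseblk"}
# Constructed sample in /proc/self/mounts format (not from the original post).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /media/alice/USB\\040STICK vfat rw,nosuid,nodev 0 0
/dev/sdc1 /media/alice/backup ext4 rw,nosuid,nodev 0 0
"""

def parse_mounts(text):
    """Return [(mount_point, device, fstype)]; the kernel escapes spaces as \\040."""
    rows = [line.split() for line in text.splitlines()]
    return [(f[1].replace("\\040", " "), f[0], f[2]) for f in rows if len(f) >= 3]

def mount_for(path, mounts):
    """Return the entry with the longest mount point containing path, or None."""
    hits = [m for m in mounts if path == m[0] or path.startswith(m[0].rstrip("/") + "/")]
    return max(hits, key=lambda m: len(m[0]), default=None)

def is_removable(device):
    """True if sysfs marks the disk behind `device` as removable."""
    node = os.path.realpath("/sys/class/block/" + os.path.basename(device))
    for d in (node, os.path.dirname(node)):  # whole disk, or a partition's parent disk
        try:
            with open(d + "/removable") as fh:
                if fh.read().strip() == "1":
                    return True
        except OSError:
            pass
    return False

def may_thumbnail(path, euid, file_uid, mounts, removable=is_removable):
    """Return (allowed, reason). Pass a symlink-resolved path and the file's owner uid."""
    if euid == 0:
        return False, "running as root"
    if file_uid != euid:
        return False, "file not owned by user"
    m = mount_for(path, mounts)
    if m is None:
        return False, "no mount found"
    if m[2] in FOREIGN_FS:
        return False, "NTFS or FAT filesystem"
    if removable(m[1]):
        return False, "removable device"
    return True, "ok"
```

On a live system the caller would feed it `open("/proc/self/mounts").read()`, `os.geteuid()` and the `st_uid` from `os.fstat()` on the already opened file, so the check and the thumbnailer see the same file.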