Thumbnailing *is* a sort of autorun
Automatically generating thumbnails is a restricted sort of autorun - it runs an executable, possibly containing known bugs, on input files under the control of an attacker. It's therefore an unsafe thing to do by default. Unsafe, but useful.
There may be sane half-way houses. Refuse to thumbnail any removable device. Refuse to thumbnail any NTFS or FAT filesystem. Refuse to thumbnail any file not owned by the user. Absolutely refuse to thumbnail if the user is root.
The trouble is that most non-root users are going to open a file with a reader to see what it is, even if the system doesn't automatically thumbnail it for them. Also they can unknowingly download an attack vector off the internet without involving a removable device. Their web-browser is probably far more of a danger!
At the end of the day, at least on Linux your user is an unprivileged account. (Also just about possible on Windows, but very many users do everything with Administrator privilege on their own PC, whereas you have to be actively perverse to do that on Linux)
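The four refusals listed in the comment above, written out as a policy check. This is an added example, not part of the original comment and not any thumbnailer's own code. It assumes Linux, a `/proc/mounts`-style mount table, and a caller-supplied set of device nodes considered removable; the function names, the filesystem set and the sample mounts are all constructed for illustration.

```python
import os

# Filesystem types the comment proposes refusing (FAT and NTFS); "fuseblk" is
# how ntfs-3g mounts appear in /proc/mounts. This set is an assumption.
REFUSED_FS = {"vfat", "msdos", "exfat", "ntfs", "ntfs3", "fuseblk"}

def parse_mounts(text):
    """Parse /proc/mounts-style text into (mount_point, fstype, device) tuples."""
    rows = (line.split() for line in text.splitlines())
    return [(r[1].replace("\\040", " "), r[2], r[0]) for r in rows if len(r) >= 3]

def mount_for(path, mounts):
    """Return the entry with the longest mount point containing path, or None."""
    hits = [m for m in mounts
            if path == m[0] or path.startswith(m[0].rstrip("/") + "/")]
    return max(hits, key=lambda m: len(m[0]), default=None)

def may_thumbnail(path, file_uid, euid, mounts, removable_devs):
    """Apply the four refusals in order; return (allowed, reason)."""
    if euid == 0:
        return False, "running as root"
    entry = mount_for(path, mounts)
    if entry is None:
        return False, "unknown mount"  # fail closed
    _, fstype, device = entry
    if device in removable_devs:
        return False, "removable device"
    if fstype in REFUSED_FS:
        return False, "refused filesystem " + fstype
    if file_uid != euid:
        return False, "file not owned by user"
    return True, "ok"

def check(path, removable_devs=frozenset()):
    """Run the policy against the live system (Linux only)."""
    real = os.path.realpath(path)  # resolve symlinks before deciding
    with open("/proc/mounts") as fh:
        mounts = parse_mounts(fh.read())
    return may_thumbnail(real, os.stat(real).st_uid, os.geteuid(),
                         mounts, removable_devs)

# Constructed sample input, not taken from a real machine.
SAMPLE_MOUNTS = parse_mounts("""\
/dev/sda2 / ext4 rw 0 0
/dev/sda3 /home ext4 rw 0 0
/dev/sdb1 /media/alice/USB vfat rw 0 0
/dev/sdc1 /mnt/win fuseblk rw 0 0
/dev/sdd1 /media/alice/stick ext4 rw 0 0
""")
SAMPLE_REMOVABLE = {"/dev/sdb1", "/dev/sdd1"}
```

A file downloaded into the user's own home directory passes every one of these checks, which is the limitation the comment goes on to point out.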