back to article Microsoft aims 'non-security' update at gaping security hole

Microsoft is delivering a Windows software update designed to quash once and for all the difficulty of disabling Autorun, a feature that allows the spread of malware through CDs, USB, and other removable media. The update fixes an unspecified issue that prevents the NoDriveTypeAutoRun registry key from working as expected, …

COMMENTS

This topic is closed for new posts.
  1. Gabriel Vistica
    Gates Horns

    HUH?!

    "In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security."

    Doesn't that fit the definition of "security update"?!

  2. Anonymous Coward
    Flame

    You give them too much credit

    "Autorun's convenience has long been offset by the risk it poses"

    A ridiculous statement. It was insecure by design, should never have happened, was impossible to turn off, and Microsoft deserves every bit of shit they get for this. In fact, I believe they should be held civilly if not criminally liable.

  3. Pierre
    Gates Halo

    OK, now we're talking

    That's a step in the right direction. At very very very long last. Though it's kinda related to security, it's not really a security update per se. More like a patch on some incredibly bad code, introducing the ability to actually do what it said on the box you could do (disabling autorun).

    Saint Gates, just because MS surprisingly did something not completely stupid this time (well, if it works).

  4. Steve Loughran
    Flame

    Autorun has sucked since 1995

    Brent is right.

    Autorun has been criticised in the "Risks Digest" Mailing list since May 1995. Search for "RISKS in Microsoft's Windows95" or go to http://catless.ncl.ac.uk/Risks/17.13.html#subj8 for details

    That is -experts have been denouncing Autorun since before Win95 shipped. Since then: Win95SOR2, Win98, WinNT4, Windows 2000, Windows ME, Windows XP, Windows Server 2003, Windows Vista, plus various variants. All with autorun enabled out the box.

    This makes it effectively the longest standing security hole in Windows. Because ActiveX didn't come out until IE3

  5. Anonymous Coward
    Alien

    @Brent

    "[autorun]...impossible to turn off" - huh? what about that "auto play" in the control panel? doesn't that do it? or is that some kind of trick? mind, wouldn't put it past them, sneaky lizard folk bastards

    (green dude: not lizard folk)

  6. vincent himpe

    @BRENT GARDNER

    So according to you its a crime to try to make computers more user friendly and easier to use.

    - If you pop a dvd in your player you'd expect it to start playing.

    - if you pop a music cd in the audio system you'd expect it to satrt playing.

    - if you remeber old tapedecks in car radios : pop in the tape and they start playing.

    so why should a computer be different ?

  7. kain preacher

    @ Brent Gardner

    Explain how they would be criminally liable ?

  8. Anonymous Coward
    Linux

    Something unusually odd here, even for MS

    What date was it yesterday?

    Was it Patch Tuesday? No (but it was Pancake Tuesday, mmm).

    So why were some (but not all) of the Window boxes at home and in the office downloading and installing the "not a security fix" security fix for KB967715 (ie the one referenced in the article)?

  9. Stephen Sherry
    Coat

    In case anyone is using a version the directions MS gives don't work...

    Such as my Windows Vista Home Edition x86-64 OEM I just installed a day and a half ago;

    after applying the patch and noticing nothing else in the instructions work, just go to help and search for autorun, one of the options shows a link to open autorun features (and that's from the help program, not the search box). There's a check box right at the top to turn it all off. Or you can go through the effort and select what you want to do with each media item. But due to the security issue with ANY device loading something from autorun, it's probably best to just turn it off.

    Apparently they must have sent out some patch that made the process of turning it off a little easier after installing the Windows6.0-KB950582-x64 patch.

    Hope this helps those few of you who found the fix directions went no where ;-P

  10. Mike Bronze badge

    autorun

    Autorun for CD/DVDs is a good idea, the convenience of it allows users to just shove a CD in the drive and have it come up with a program specific welcome menu with options to install/run/whatever, just like you expect your DVD player to do when you put a DVD in - and let's face it malware trying to spread by piggybacking on CDs you burn isn't going to be very effective (hence there not being any malware problems with it)

    Autorun for USB sticks and network drives etc... now that's a different matter, theses types of media are mainly used for file storage, you want to use them you browse the contents and select the file you want via whatever method, the potential security problems with automatically running programs from a drive that was designed to be written to by many potentially infected systems - what were they thinking???

    A better idea would be to send out an update that disables autorun for non-optical drives (ie. anything except a CD/DVD drive), as well as fixing any issues with the options to disable autorun on optical drives. The few legitimate reasons i've seen for autorun on a USB stick actually normally use modified USB sticks which present a virtual CDROM drive anyway for the autorun part, so this idea wouldn't even break those, it would just restrict autorun to only working on devices that are actually meant to run software

    personally i have autorun disabled for practical reasons (if I put a CD in i might want to access it from any of the VMs i have... and i know how to make it autorun if i want to anyway), however for the average user who thinks the internet is the blue icon autorun is a very useful feature

    Good idea, bad implimentation

    (for those who think autorun from a CD is a bad idea... did you know that these days you can actually boot an entire operating system from one? that's autorun taken to the extreme! i doubt you still use floppies to bootstrap your OS install CDs "for security" though)

  11. wayne
    Stop

    CD player is not a programmable machine

    Comparing a computer to a CD player or a tape player is absurd. Those players are read only, they cannot be harmed by software on the media.

    I connected my last USB drive purchased to linux first and renamed all of the .exe files and the autorun files and folder before connecting to Windows.

  12. Neoc
    Stop

    Replies

    @kain preacher 22:24 GMT: "Explain how they would be criminally liable ?"

    Don't know about the UK, but in the US if you are aware your product has a flaw and you ignore it, and that flaw causes a criminal act, *you* can be held "criminally negligent" (ie, car-maker knows car model has brake problems, doesn't fix it, person dies in car accident when brakes fail due to problem, company is held "criminally negligent")

    If virus-passing is a crime in the US (I believe it is, but IANAL) then companies which wilfully ignore vectors *can* be held "criminally negligent".

    @vincent himpe 22:22 GMT: "So according to you its a crime to try to make computers more user friendly and easier to use."

    Your examples are comparing pears and oranges (I do not mention the other fruit in case I inadvertently start a flamewar ^_^ ) Each of your example uses a device which has one purpose, and one purpose only. They are also not intended to be able to modify other equipment's behaviour except via very narrow and rigid guidelines.

    A computer, on the other hand, is a truly multi-purpose device which does more than play music. It also interacts with a multitude of other multi-purpose devices via guidelines intended to be wide and flexible. And that communication design feature means the death-knell for that "user convenience" you so espouse. Security *has* to occur at some point - either at the communication or at the data-entry end. A system which is open *everywhere* is insecure by definition.

    So if you want the convenience of playing a movie or music as soon as you pop the tape/CD/DVD in, stock with devices with secure communication. If you want a device with wide and extensive communication, expect it to challenge the stuff you plug into it.

    @Mike 22:44 GMT: "(for those who think autorun from a CD is a bad idea... did you know that these days you can actually boot an entire operating system from one? that's autorun taken to the extreme! i doubt you still use floppies to bootstrap your OS install CDs "for security" though)"

    I disable autorun and *still* manage to boot my machine from an install CD. Why? Because the former is the province of the OS, and the later of the BIOS. Please do not confuse the two. Anyone trying to "boot" while in an OS should really think about that they are doing. And if they *really* want to do it, then trigger the boot software manually - it's not that hard.

  13. Mr Blonde
    Coat

    Silly Billy

    AutoMount is sexy.

    AutoRun is not.

    This began as verse,

    - for better or worse.

    The tail is now held by a Bot.

  14. Tom

    @ vincent himpe

    There is a big difference between automatically opening your audio player of choice and playing a CD and automatically running what ever program happens to be on a drive.

    Along with auto-run, auto hide file extensions should die, Active X is just an easy way to get developers to create IE only web sites, too bad half of them create holes in users systems.

  15. dreamingspire

    Needs a configuration tool

    For most SMEs and for personal users, this fix needs a tool to first analyse their system's Autorun function and patch status, and then guide them through the process of configuring Autorun. As a friend (a teacher) put it to me last week: I just want a system that I can use. But her daughter would be able to use a configuration tool.

  16. Anonymous Coward
    Anonymous Coward

    Autorun is not the problem

    the problem is people seeing two icons on the list saying "click here to open files" and not realising something is wrong, even with autorun turned off if someone double clicks the program they will see this and still click.

    So everyone having a go at ms for the "insecure" autorun, seriously get a life

    idiots

    Oh and to ...

    "Don't know about the UK, but in the US if you are aware your product has a flaw and you ignore it, and that flaw causes a criminal act, *you* can be held "criminally negligent" (ie, car-maker knows car model has brake problems, doesn't fix it, person dies in car accident when brakes fail due to problem, company is held "criminally negligent")"

    go read the eula instead of spouting off, unless your saying that autorun being enabled is teh same sort of thing as failing car brakes killing people,in which case go see a doctor for a bad bad case of stupidity.

  17. Steve Loughran

    Read the CERT alert

    For everyone saying "what's wrong with turning autorun off" , the CERT alert discussed how even if you think it's turned off, you can still run autorun code -their short term fix was turn off autorun.inf parsing.

    For anyone who says "what's wrong with the OS playing a disk the way you insert a CD into your player", CD and DVD players don't have to worry about malware running keystroke loggers to get your bank account details.

    OS Installation from boot can be switched off in the (password protectable) BIOS; if you encrypt your HDD a maliciouslly installed OS can't actually see your secret files.

  18. Andrew Penfold
    Alert

    won't prevent usb-stick viruses

    ...since they tend to use autorun.inf to re-define the default command for the drive, so that double-clicking doesn't open the root folder, but instead executes the malicious payload.

    Even with auto-run disabled, windows still parses autorun.inf. So we still need the registry 'fix' here:

    http://autorun.synthasite.com/

    or here:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]

    @="@SYS:DoesNotExist"

  19. Anonymous Coward
    Anonymous Coward

    It's worth remembering

    That autorun no longer automatically runs anything - it pops up a dialogue box which lets you decide what to do. The main risk of autorun has been stopped by that.

  20. Kyle
    Stop

    Interesting...

    ...especially when viewed in context of that out-of-sequence .NET 3.5 update that didn't mention anything about critical security vulnerabilities when it popped up but did silently install a plugin into firefox that couldn't be removed without making registry changes.

    Does make me wonder how they expect people to take out-of-sequence critical vuln fixes seriously when they go and use them for such blatantly non-critical purposes...

  21. Roger Heathcote
    Flame

    @vincent himpe

    "If you pop a dvd in your player you'd expect it to start playing.

    if you pop a music cd in the audio system you'd expect it to satrt playing.

    if you remeber old tapedecks in car radios : pop in the tape and they start playing.

    so why should a computer be different ?"

    Because none of these devices can get viruses and trojans that can bork your system, leak your personal files, steal your credit card numbers and website logins, activate you or your childrens webcams and spy on you/them or make your device part of a worldwide anonymous criminal zombie botnet army that might be used by criminals, terrorists and pedophiles to commit unspeakable crimes in your name.

    That's why.

    Roger Heathcote.

  22. Anonymous Coward
    Flame

    @vincent himpe

    -If I pop a DVD, cassette, or CD in my player, I expect it to start playing.

    Well, no, that's incredibly annoying actually. I expect media to start playing when I push "play", not before. Is it such a bother to just push "play" when you want your media to start playing? I often want to load a CD or DVD for playing in a while, perhaps after I've made a snack or in the car, gotten on the highway, not instantaneously.

    I've been petitioning the AD team at my company to disable autorun company-wide for some time. Not only is it a gaping security hole, but who the hell wants Windows to try and guess what action to do every time you plug in a flash drive? I especially abhor it if I pop my flash drive in a user's computer and they have some rinky-dink software installed that instantly wants to catalog or display all photos and/or other media files on my drive without being asked. Mount the drive and display a shortcut on the desktop like so many flavors of Linux will do, what else do you need?

  23. Anonymous Coward
    Gates Halo

    It's worth remembering

    that the dialogue box which Autorun pops up (on some versions of Windows) can be entirely misleading, as some of the previous discussion (with pictures) will plainly show, except I cba finding a link.

    So the dialogue box comes up and it says "click here to explore this device" whereas what it really means is "click here to install the conficker/downadup payload". And Billco thinks that's secure?

  24. Cameron Colley

    Am I the only one...

    ...who has been caught out by autoplay on a media device?

  25. Anonymous Coward
    Stop

    I have to say ...

    The Autorun feature is often useful, often not, but it *can* be completely disabled or tailored to suit your requirements.

    What next? Let's stop running EXE files because they could be dangerous? When is this molly-coddlling going to stop?

    In programming, same with .Net -- you *mustn't* use the Win API 'cos it's dangerous. You *must* only use managed code. You *can't* use pointers. All bullshit. Indicative of the rest of the pitiful risk-averse culture we live in.

    If you want to live in a sandbox, then fine. The rest of us have lives and jobs to get on with.

  26. Wolf

    Given the Vista hate expressed by Reg posters...

    ...it doesn't suprize me that no one has mentioned Vista doesn't do autorun the same way XP does.

    Put a CD/DVD/USB Stick in a Vista machine and it does NOT automatically run programs.

    Instead it prompts you to choose what you want to do. Of course there is a checkbox for "always do my choice" but that's one of those compromises MS has to make to placate the security-stupid.

    But everyone here uses XP forever, right? (snicker)

  27. Kyle

    @ Greg Fleming

    Errr....what?

    The entire point of disabling autorun, as with most of the conventions you mention for coding, is to avoid potential pitfalls for those who aren't aware of them - ie if you really want to ignore it you can do, but you should only do so if you properly understand the issue. Given that MS have (probably unintentionally) made it harder to effectively disable autorun than it necessarily has to be, at least from the view of Joe Not-Particularly-Technical, this isn't a bad thing. I'd love to see more user education before people are given machines, but complaining about actions intended to correct existing insecure behaviour is a dumb way to try and bring it about. Unless I've missed your point completely, that is...

  28. Ceiling Cat

    Banking? on windows?

    @Steve Loughran - There's no reason anyone should do their banking on a Windows Machine. PERIOD. I personally prefer doing my banking using a Linux-based LiveCD. As I've yet to hear of any LiveCDs shipping with spy/ad/mal/haxxware installed, I'll always consider Knoppix and it's ilk as being an excellent online banking platform.

  29. Anonymous Coward
    Anonymous Coward

    @ Kyle

    " I'd love to see more user education before people are given machines,"

    Oh I agree. As awful as it sounds, I would DEMAND people have a licence to use/operate a computer. LIKE DRIVING or being allowed to have children.

    Yes, you have missed the entire point.

  30. Anonymous Coward
    Coat

    @Ceiling Cat

    While it would be nice if more people were as security-conscious as you are, and I do most of my banking on a Linux machine myself, as an IT person, I have no problem doing banking on my Windows boxes (albeit through Firefox with NoScript installed) The majority of people have some flavor of Windows on their machines and probably always will, even if Linux makes some big strides. Should everyone go back to paper n' pencil or go to the bank for every little thing? Who wants the bother of booting from a slooow live CD or even from a flash drive? Windows can be moderately secure, but a little common sense is needed. (albeit a scant commodity with some folks) A little education in 'safe computing' might do wonders---perhaps they can teach it in school, right after the 'safe sex' lecture. Although I suppose in reality about as many people will practice it as practice safe sex. (not nearly enough)

  31. BioTube

    Just ignore Autorun.inf completely

    And if you can't, pop up a nice little window that says: "This disc wants to run a program(D:\storm.exe), which can be a security risk. What do you want to do?

    Open the device Scan the program for viruses Do nothing"

    Or, better yet, scan the file before saying anything. If it's a hit, don't let it run except when explicitly launched. Autorun should stay the realm of "open this program that's _already installed_" and not allow arbitrary programs to be run.

  32. Chris C

    @ Mike re: Autorun

    " Autorun for CD/DVDs is a good idea, the convenience of it allows users to just shove a CD in the drive and have it come up with a program specific welcome menu with options to install/run/whatever, just like you expect your DVD player to do when you put a DVD in - and let's face it malware trying to spread by piggybacking on CDs you burn isn't going to be very effective (hence there not being any malware problems with it)"

    Wow. How utterly uninformed. The problem of malware on optical discs is not limited to "burned" discs, as the Sony rootkit pointed out. Please go back a few years and investigate the Sony rootkit problem and the massive security vulnerabilities it introduced. Then please take some time to look into the formats of optical discs. Take a few days and let the information sink in, then come back. If you're not so inclined, allow me to spell it out -- an optical disc may not be what you think it is. An optical disc labeled as "CD" may not really be a Compact Disc (it may not be formatted to the Red Book [CDDA] standard). The Sony rootkit was like that, as are all "Enhanced" "CDs" (they are not real CDs [CDDA]). When the user put the disc into their drive, they thought they were inserting a music disc, and expected music to start playing. But because it was an "Enhanced" disc, Windows only looked at the data volume, and executed the autorun.inf in the data volume instead of playing the music in the audio volume. THAT is why autorun is bad for optical drives.

    "(for those who think autorun from a CD is a bad idea... did you know that these days you can actually boot an entire operating system from one? that's autorun taken to the extreme! i doubt you still use floppies to bootstrap your OS install CDs "for security" though)"

    Sorry, but that analogy is flawed. In the latter case, I'm explicitly telling the BIOS to boot from the disc; I want to execute the code on the disc. In the former case, I want my media player to access the data files on the disc; I don't want anything from the disc to be executed. There's a big difference.

  33. Chris C

    re: Given the Vista hate expressed by Reg posters...

    "But everyone here uses XP forever, right? (snicker)"

    Considering the FACT that Vista uses substantially more resources to perform the same functions at the same speed, yes, most people WILL keep using XP until they have a REASON to change. While you may not believe it, most people don't buy a new computer, at a true cost between several-hundred and a few thousand dollars, unless they have a reason. They won't replace their computer "just because", or for the sheer pleasure of spending money they don't have.

    Computers are a tool used to perform a task. As long as the computer performs that task to a satisfactory level, there is no incentive to replace it (this is especially true in business). On top of that, most businesses don't have the money to replace all of their computers every few years. Scheduled, regular replacement might be a good idea in theory, but until you can point to the trees upon which money grows*, it's not going to happen.

    And it should go without saying, but when comparing Vista to Windows XP, there are many reasons to avoid Vista. Why else do you think big-name companies such as IBM and Intel have publicly stated that they have no intention of moving to Vista? "Newer" does not equal "better".

    * For those using satellite imagery to find such trees, they're probably located in close proximity to the GoodExecutive/BadExecutive line. That's the line where on one side, losing billions of dollars and failing in your objectives results in either a multi-million dollar bonus or termination with multi-million dollars severance pay (GoodExecutive), and on the other side, losing billions of dollars and failing in your objectives results in your immediate termination with forfeit of all bonuses and no severance pay (BadExecutive).

  34. Steve Bush

    run gpedit.msc, admin templates, system, turn autoplay off, enable, all drives

    our instructions for all new systems

    * Login as Administrator

    * Open the Run dialog box ( [Windows] - [R] ), then type gpedit.msc, hit [Enter].

    * On the left pane, click "Administrative Templates", then "System".

    * On the right pane, locate "Turn Off Autoplay" and double-click on it.

    * Set it to "Enable" and choose All Drives

  35. Anonymous Coward
    Boffin

    @vincent himpe

    First I have to ask: are you for real? Ever heard of security?

    "- if you pop a music cd in the audio system you'd expect it to satrt playing."

    No I wouldn't. I'd expect it to tell me how many tracks there were, nothing more. I've never had one that started playing automatically and if I accidentally bought one, I would take it back and exchange it! (I'm a music lover, so I have some experience in this!)

    "- if you remeber old tapedecks in car radios : pop in the tape and they start playing."

    Yeah. That was easily the most annoying fucking thing in the world. Especially when it was the wrong side of the tape and at massive volume or something. I seem to remember that kind of tape player also having problems ejecting tapes.

    It's all completely irrelevant though, a tape can't contain instructions that destroy the functionality of the tape player... which brings us nicely to:

    "so why should a computer be different ?"

    OK, you don't know me at all but if I sent you a disc, would you want it to automatically run as soon as you put it in your computer?

    Think carefully. What if all the disc contains are instructions to completely erase your hard drive?

  36. Anonymous Coward
    Boffin

    RE: Given the Vista hate expressed by Reg posters...

    "on one side, losing billions of dollars and failing in your objectives results in either a multi-million dollar bonus or termination with multi-million dollars severance pay (GoodExecutive), and on the other side, losing billions of dollars and failing in your objectives results in your immediate termination with forfeit of all bonuses and no severance pay (BadExecutive)."

    I think you're mistaken. GoodExecutive is the default UNLESS the directors can pin their (illegal dealings or) mistakes on you, in which case - BadExecutive (and jail time!)

    And back (almost) on topic for a moment, I just worked for a client that has 11 year old machines running Win2k. They haven't had a security problem in quite some time (Autorun is off). They're never going to upgrade these machines because each machine can happily be running Excel, Word and Outlook all at once. Since the users of the machines have no reason to run anything else, it's been made impossible to access .exe or .bat using Outlook on those machines or to download any executables or installers.

    You're quite correct when you say that "Newer does not equal better". The Segway is newer than the bicycle, the car or the train and how many people commute to work on a Segway?

  37. Stuart Castle Silver badge

    @ vincent himpe

    "

    So according to you its a crime to try to make computers more user friendly and easier to use.

    - If you pop a dvd in your player you'd expect it to start playing.

    - if you pop a music cd in the audio system you'd expect it to satrt playing.

    - if you remeber old tapedecks in car radios : pop in the tape and they start playing.

    so why should a computer be different ?"

    You can have an "autorun" type system without it having to run executables on the CD. The mac does this. It does start itunes if you stick in a CD. It does start DVD player if you stick in a DVD. It does NOT look on the CD/DVD/USB stick for executables, because these may be viruses.

    How much harder would it be for the average use to click an icon labeled "setup" than just stick the CD in?

    There is one major difference between computers and the devices you mention. None of those devices can be easily infected by viruses. Computers (particularly those running Windows) can.

    Having Windows look on a random inserted CD for an executable that may or may not be safe is a massive security hole, and this is actually the reason Apple dropped full Autorun support from OSX.

  38. Anonymous Coward
    Pirate

    Blame starry-eyed futurists and LAZY consumers

    "If you pop a dvd in your player you'd expect it to start playing. - if you pop a music cd in the audio system you'd expect it to satrt playing. - if you remeber old tapedecks in car radios: pop in the tape and they start playing. so why should a computer be different?"

    That's right, computers are now *designed* to be used by dumbed-down morons who are too stupid and LAZY to even push a few buttons, instead these idiots want everything fully automated so that they don't even have to think at all. It's the way of the future, :( after all, and clueless starry-eyed futurists have been trying to foist off such needless automation on the masses for decades now. The masses have no objection because a significant percentage of them are too lazy to even think for themselves, let alone push a few extra buttons.

    What's next? Fully-automated butt-wiping? (Probably, just wait.)

  39. Pierre

    @ AC Blame starry-eyed futurists and LAZY consumers

    "What's next? Fully-automated butt-wiping? (Probably, just wait.)"

    You are soooo late dude.

    http://www.osnews.com/story/20101/The_Coco_Bidet_and_Toilet_Technology

    http://www.1800wheelchair.com/asp/view-category-products.asp?category_id=515

  40. Pierre
    Joke

    PS

    Automatic ass-wiping does exist, but unlike autorun, it can been seen as useful.

    Both gadgets do aim at buttholes.

    Both gadgets can whip your sorry ass and/or give you worms if cracked of misused.

    Ho boi, I think I could go on and on, but as my grand-grand father used to say, "a gentleman is a man who can go on and on, but doesn't." (he was a Scottsman).

This topic is closed for new posts.

Other stories you might like