Microsoft doctors AutoRun in Windows 7 to stymie Conficker

But it's not saying when it will make the same changes in XP and Vista

Prompted by the spread of the Conficker worm through infected USB drives, Microsoft Corp. will unveil changes in next week's public Windows 7 Release Candidate that are designed to stymie such hacker strategies.

But Microsoft, which has promised to update the operating systems currently being used by customers -- Windows XP and Vista -- with a similar change at some point, has not set a timeline for that task.

In four different company blogs -- including a trio of security blogs, as well as one devoted to Windows 7 -- Microsoft spelled out how it has modified AutoRun and AutoPlay, a pair of technologies originally designed for CD-ROM content, to keep malware from silently installing on a victim's PC.

"Windows will no longer display the AutoRun task in the AutoPlay dialog for devices that are not removable optical media (CD/DVD) because there is no way to identify the origin of these entries," Arik Cohen, a program manager on the Windows 7 team, said in the entry on the Engineering Windows 7 blog.

AutoRun is the technology that starts some programs automatically when a CD, DVD or other media is inserted. One of its most common uses is to start an installation program when a user puts a CD into the optical drive.

AutoPlay, on the other hand, is the Windows feature that lets a user pick which program starts when a specific type of media, like a DVD containing photos, is inserted.

Conficker leveraged both. The worm, which first appeared in November 2008 and exploded in January 2009 -- in part because a new variant added the ability to spread using USB flash drives -- copied a malicious "autorun.inf" file to any USB storage device that was connected to an infected machine. It then spread to any other PC if the user connected the device to another computer, then picked the "Open folder to view files" option under "Install or run program" in the AutoPlay dialog. (Conficker also spread to a PC if the user had earlier told AutoRun to make that choice by default.)
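A defender's check for the mechanism described above, as an added example that is not part of the original article: it parses an `autorun.inf` recovered from a removable drive and flags entries that launch a program or whose `action` text copies a built-in AutoPlay label. The sample files, rule names and the label list are constructed for illustration; `open`, `shellexecute`, `action` and `shell\verb\command` are standard `autorun.inf` keys.

```python
# Keys in the [autorun] section that name a program to launch.
EXEC_KEYS = {"open", "shellexecute"}
# Labels Windows uses for its own harmless AutoPlay choices (illustrative list).
BUILTIN_LABELS = ("open folder to view files",)


def parse_autorun(data: bytes) -> dict:
    """Return the [autorun] key/value pairs with lowercased keys.

    latin-1 maps every byte to a character, so padding or binary junk in
    the file cannot make parsing fail; lines without '=' are skipped.
    """
    entries, in_section = {}, False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def findings(data: bytes) -> list:
    """List (rule, key, value) tuples worth an analyst's attention."""
    entries = parse_autorun(data)
    hits = []
    for key, value in entries.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb:
            hits.append(("launches-program", key, value))
    action = entries.get("action", "")
    if any(label in action.lower() for label in BUILTIN_LABELS):
        hits.append(("imitates-builtin-label", "action", action))
    return hits


# Constructed samples for illustration, not taken from a real infection.
SAMPLE = (
    b"\x00\x9f\x13 padding before the section\r\n"
    b"[AutoRun]\r\n"
    b"Action=Open folder to view files\r\n"
    b"ShellExecute=placeholder-program.exe\r\n"
)
BENIGN = b"[autorun]\r\nlabel=Backup disk\r\nicon=disk.ico\r\n"

if __name__ == "__main__":
    for rule, key, value in findings(SAMPLE):
        print(f"{rule}: {key}={value}")
```
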

To stop Conficker, and other malware that spreads by exploiting AutoRun and AutoPlay, Microsoft changed Windows 7 so that the AutoPlay dialog no longer lets users run programs -- except when the device is a non-removable optical drive, in other words, a CD or DVD drive. A flash drive connected to a Windows 7 PC, for instance, will only let the user open a folder to browse a list of files.

"The new changes will no longer expose the AutoRun entries in the dialog unless it is removable optical media (CD/DVDs)," said Jimmy Kuo and Huzefa Mogri, two security researchers with Microsoft's malware protection center. "So, if a USB drive is inserted into a machine, the AutoRun choice will no longer be shown."

The more advanced Security Research & Defense blog, however, noted an exception. "Some smart USB flash drives can pose as a CD/DVD drive instead of standard [drives]," the blog warned. "In this specific scenario, the operating system will treat the USB drive as if it is a CD/DVD because the type of the device is determined at the hardware level."

In other words, malware could still spread via such devices, which are identified as "U3 smart drives." Many of SanDisk's drives, for example, are U3-capable.

Microsoft said it would backport the AutoRun/AutoPlay changes to Windows XP and Windows Vista, but did not give any indication when it would do so. "We will be bringing this change to Vista and XP in the future," was all Cohen said. When asked for something more specific, a company spokesman said, "We don't have any more details to share about the timing for this change to be implemented on Windows XP and Vista."

It shouldn't be a surprise that Microsoft is being coy about a timetable for XP and Vista, said John Pescatore, a Gartner Inc. analyst who covers security. "In the last three to four months before an OS shift, most of the development and security testing resources are in the new release," said Pescatore. "That sucks out the energy of what's going to be fixed in the older releases."

And Microsoft may want to gauge the change's effectiveness in Windows 7, and its reception by users, before it backports the modification to XP or Vista. "They may want to make sure it's working," said Pescatore, "and do a true backport, rather than having to write totally separate code [for XP and Vista]."

Windows XP and Vista users, he noted, can already disable AutoRun and AutoPlay manually by editing the registry, or in an enterprise, through group policies. To disable AutoRun, however, users must first apply a patch Microsoft issued earlier this year to fix a bug that kept the feature from really being switched off.
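The Windows 7 rule, the U3 exception and the manual setting can be put side by side in a small model; this is an added example, not Microsoft's code and not from the original article. It assumes the registry setting in question is the `NoDriveTypeAutoRun` policy value (a bitmask indexed by the drive type that `GetDriveType` reports, which the article does not name), and the device list and sample mask are constructed.

```python
# Drive types as reported by GetDriveType(); NoDriveTypeAutoRun disables
# AutoRun for a type when bit (1 << type) is set in the mask. The value lives
# under ...\Microsoft\Windows\CurrentVersion\Policies\Explorer.
DRIVE_REMOVABLE, DRIVE_FIXED, DRIVE_REMOTE, DRIVE_CDROM = 2, 3, 4, 5
DISABLE_ALL = 0xFF          # every drive type disabled
SAMPLE_MASK = 0x91          # constructed: unknown and network types only


def disabled_by_policy(mask: int, drive_type: int) -> bool:
    """True when the policy mask switches AutoRun off for this drive type."""
    return bool(mask & (1 << drive_type))


def autorun_task_shown(drive_type: int, mask: int, win7_rule: bool) -> bool:
    """Simplified model: is the AutoRun entry offered in the AutoPlay dialog?

    win7_rule models the change described in the article: only media that
    the hardware reports as optical (CD/DVD) may still show the entry.
    """
    if disabled_by_policy(mask, drive_type):
        return False
    if win7_rule and drive_type != DRIVE_CDROM:
        return False
    return True


# Constructed inventory: (description, drive type the hardware reports).
# A U3 smart drive presents a partition that reports itself as a CD-ROM.
DEVICES = [
    ("USB flash drive", DRIVE_REMOVABLE),
    ("DVD in optical drive", DRIVE_CDROM),
    ("U3 smart drive, CD partition", DRIVE_CDROM),
]


def still_exposed(mask: int, win7_rule: bool) -> list:
    """Devices from the inventory that would still be offered AutoRun."""
    return [name for name, kind in DEVICES
            if autorun_task_shown(kind, mask, win7_rule)]


if __name__ == "__main__":
    for label, mask, rule in [("sample mask, old behaviour", SAMPLE_MASK, False),
                              ("sample mask, Windows 7 rule", SAMPLE_MASK, True),
                              ("all types disabled", DISABLE_ALL, True)]:
        print(f"{label}: {still_exposed(mask, rule)}")
```

In this model the Windows 7 rule alone removes the plain flash drive but leaves the U3 partition exposed; only a mask that also sets the CD-ROM bit closes that case.
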

The AutoRun and AutoPlay changes will debut in Windows 7 Release Candidate (RC), which will be available Thursday to MSDN and TechNet subscribers and on May 5 to the general public.


Gregg Keizer

Computerworld