The vast majority of articles on the recent change to AutoRun for Windows XP, Vista, Server 2003 and Server 2008 state that Microsoft just released an update that will be automatically installed.
This is not true.
In fairness to the tech press, Microsoft themselves said this.
Microsoft Security Advisory (967940) Update for Windows AutoRun was first published back in February 2009. The corresponding patch, released in August 2009, was available only to techies that knew to look for it. The patch changed the way AutoRun functioned in the aforementioned versions of Windows to mimic the more secure behavior in Windows 7.
The security advisory was updated February 8, 2011 to add the following:
The update to AutoRun described in Microsoft Knowledge Base Article 971029 is now offered via automatic updating. Customers with automatic updating enabled will not need to take any action because this update will be downloaded and installed automatically.
It's a sad commentary on Microsoft that this is not the case.
What actually happened is that the patch was added as an optional update in Windows/Microsoft Update. Users of automatic updates will not have the patch applied. You still need to manually seek it out. It's just now a bit easier to find.
Kudos to both Gregg Keizer, who writes for Computerworld and Paul Thurrott at Windows IT Pro. Both pointed out that the change to AutoRun is not installed automatically and both described the manual steps needed to install the patch under Windows XP. Their articles are below:
- Patch Tuesday Comes with IE, AutoRun Fixes
- Microsoft cripples USB drive worms with new XP, Vista update
This illustrates a difference between members of the tech press that parrot back what they read elsewhere and those that take the time to kick the tires.
Part of Defensive Computing is knowing who to trust. Going forward, I will put more trust in the writings of both Keizer and Thurrott.
NOT COMPLETE PROTECTION ANYWAY
Taking a step back, however, Windows users need to be aware that the patch/update is incomplete.
Even with it installed, Windows computers can get infected when inserting a USB based device, all the device needs to do is present itself to the system as a CD or DVD, which still support AutoRun.
In Update to the AutoPlay functionality in Windows Microsoft says:
Some USB flash drives have firmware that present these USB flash drives as CD drives when you insert them into computers. These USB flash drives are not affected by this update.
Gregg Keizer reported in his article, that
... the more than year-and-a-half delay in pushing the AutoRun update to Windows Update was designed to give legitimate software vendors that used the feature time to recraft their programs. Most have turned to the U3 specification ... to automatically run their software from removable media.
I personally have run across more than one external hard drive that presented itself to Windows as both an external hard drive and a CD drive. No doubt this is done to foster the automatic installation of the pre-loaded software on the external hard drive.
I wrote about an ironclad approach to disabling AutoRun back in January 2009. This approach, a simple registry update, applies to all devices, including CDs and DVDs.
It's the Defensive Computing thing to do.
Update: Feb 12, 2011:
Larry Seltzer of PC Magazine was one of many who got some AutoRun facts wrong. On Feb. 11th he published a correction. His initial posting, from Feb 8th, however, was not corrected. What did change in the initial posting were the comments. One that I had left, correcting the facts, was deleted.