Back in January 2009, when this blog started, I wrote a trio of articles about AutoRun and AutoPlay, even offering a sample autorun.inf file that could be used to test how a Windows computer responded to various tricks bad guys played with the files underlying AutoRun and AutoPlay.
Most importantly, I described a registry update, from Nick Brown and Emin Atac, that totally and completely shut down every autorun.inf file, bar none. I have since used that registry update to disable AutoRun on many computers without regret.
Despite this simple, ironclad protection from the dangers of AutoRun, the technical press almost exclusively focuses on partial, buggy fixes from Microsoft. In August 2009, Microsoft released an update to AutoRun for Windows XP, Vista and some server versions of Windows that was, yet another, partial fix.
Earlier this month, Microsoft moved this obscure patch (KB971029) into the Windows Update system as an optional update. On February 11th, I blogged here about how the vast majority of the technical press incorrectly reported that the patch would be automatically installed. Considering how easy this was to test and/or confirm, it was most disappointing.
But, even a broken clock is right twice a day.
The KB971029 patch was just promoted from optional to high priority (see below), meaning, it is now being automatically installed.
I ran across this by running Windows Update manually (as opposed to using auto-pilot) and confirmed it on multiple up-to-date XP machines.
Although bug fixes released on Patch Tuesday get all the attention, it is not at all unusual for Microsoft to release patches at the end of the month too.
The advisory for this update, Microsoft Security Advisory (967940) Update for Windows Autorun, was revised February 22nd to add the below
Change to the deployment logic for updates described in this advisory. This change in deployment logic is intended to minimize the user interaction required to install the updates on systems configured for automatic updating. With the change, typically no user action will be required to install the updates because automatic updating detects the configuration of the target system, downloads the updates, and installs the updates automatically or on a schedule specified by the user.
I think this means the update is now automatically installed, but I don't have a Microsoft to English dictionary handy.
Translation was also needed for the February 8th update to the same advisory which said that the patch was "now available via automatic updating." This meant that it was an optional update that had to be manually selected.
For whatever reason, this seems to have flown under the radar. I checked the latest AutoRun/AutoPlay news at Google, Yahoo and Bing and came up empty.
Update: Computerworld carried news of the change on March 3rd, but, without mention of the registry update that offers full, total AutoRun protection. March 8, 2011.
Despite Microsoft now considering this patch a "High Priority" it is nothing of the sort. The priority, for all Windows users, should be the registry update I described over two years ago that provides far more protection.