Autorun and Autoplay: screwed by terminology

Many people are confused about Windows Autorun and Autoplay, including otherwise competent techies. You may be confused and not even realize it. I was.

In the good old days, neither Autorun nor Autoplay was all that important to Windows users. However, now that malicious software spreads by means of infected USB flash drives, it has become a very important topic.

A large part of the confusion stems from terminology.

I spent many years debugging software problems, and the hardest part was always understanding the issue at hand. The last thing anyone needs is for terminology to get in the way of understanding and communicating. Yet, that's what has happened. 

Microsoft uses the words Autorun and Autoplay to mean different things at different times. No doubt this is driven by the fact that they have no terms for three important autorun-related things.

As I noted in my previous posting, Test your defenses against malicious USB flash drives, there are four ways that malicious software on a USB flash drive (thumb drive, pen drive, USB key, memory stick, etc.) can execute and infect a Windows computer:

  1. Run immediately and automatically
  2. Run via the Autoplay popup window
  3. Run when the user double-clicks on the drive letter in My Computer
  4. Run via a modification to the context menu (the pop-up menu displayed when you right click on a drive letter).

Four approaches, yet Microsoft has only two words to describe them, autorun and autoplay. Autorun describes the first approach and is typically used on CDs. Autoplay describes the second; it is a feature of Windows that was introduced with XP. Microsoft has no term for either the third or the fourth approach.

Perhaps most importantly, Microsoft has no one term to describe the totality of all four approaches. Thus, they can't even talk about what their customers care about, protecting their computers from infected USB flash drives. They have no term that encompasses all four potential attack vectors.
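To make the four-way split concrete, here is an added example (not code from this article or from Microsoft) that reads the text of a drive's autorun.inf and reports which of the four numbered approaches each entry can feed. The key-to-approach mapping is this example's reading of the documented `[autorun]` entries (`open`, `shellexecute`, `action`, `shell`, `shell\verb\command`), not something the article states, and the sample file is constructed.

```python
import re

# Numbers follow the article's list of four ways a drive can run code.
VECTORS = {1: "runs immediately and automatically",
           2: "offered in the Autoplay popup window",
           3: "runs on double-click of the drive letter",
           4: "added to the drive's right-click context menu"}
SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def classify(text):
    """Map each launch-capable entry to the set of approaches it can feed."""
    entries = parse_autorun(text)
    default_verb = entries.get("shell", "").lower()
    findings = {}
    for key in entries:
        match = SHELL_CMD.match(key)
        if key in ("open", "shellexecute"):
            # Launch command; it is also the double-click default
            # unless shell= names a different default verb.
            findings[key] = {1} if default_verb else {1, 3}
            if "action" in entries:       # action= is the Autoplay dialog text
                findings[key].add(2)
        elif match:
            is_default = match.group(1) == default_verb
            findings[key] = {3, 4} if is_default else {4}
    return findings

# Constructed sample, not taken from a real drive.
SAMPLE = r"""
[autorun]
open=setup.exe
action=Install the bundled software
shell=inspect
shell\inspect\command=viewer.exe
shell\tools\command=tools.exe
icon=setup.exe,0
"""
```

Whether Windows actually honors an entry depends on the drive type and the policy settings in force, so a reported approach means "possible if enabled", not "will run".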

Just last week, the well-regarded Woody Leonhard, writing in the Windows Secrets newsletter, discussed the latest worm (which goes by the names Downadup, Conficker, and Kido). At the end of the article, he linked to an older newsletter article, by Scott Dunn, for "...comprehensive instructions to disable AutoPlay."

Scott Dunn's article describes an approach which does not turn off autoplay. It's a great approach, and one that I'll be writing on extensively next time, but it has nothing at all to do with Autoplay. A computer that's modified as per Scott Dunn's suggestion (which comes originally from Nick Brown) is perfectly protected from USB flash drives, yet the Autoplay feature of Windows is enabled.

Dan McCloy turned off Autoplay, yet his computer got infected from an infected USB flash drive using attack vector 3 or 4. To describe the problem he invented the term EDDC (Execution of the Drive's Default Command).

As is all too typical, Autorun/Autoplay has been victimized by poor design, software bugs and poor documentation. But perhaps the biggest issue is the terminology. You can't fix or understand a problem that you can't describe.

Microsoft has got to clear this up. They probably won't. 

More on protecting your computer from infected USB flash drives next time.

See The best way to disable Autorun for protection from infected USB flash drives.

Copyright © 2009 IDG Communications, Inc.
