Plugging the Windows AutoRun Hole


Back in the early 1990s, when Microsoft was raring to conquer the world and still thought that security was something that could be dealt with as an afterthought, they added two features to Windows that have caused endless grief: ActiveX controls and AutoRun. Both were intended to make things more convenient for developers. (ActiveX was also a blatant attempt to hijack the Internet by encouraging web developers to build sites that could only be accessed using Windows and Internet Explorer.)

ActiveX controls used to cause all sorts of security problems, but this issue has gradually faded away as web developers came to realize that they should never, ever use them, and end users learned to always click “No” on requests to install them (or, better yet, just use Firefox or some other browser that doesn’t support them).

AutoRun, which automatically runs a program whenever a removable disk is inserted in the drive, has persisted because it’s just so convenient for developers to be able to say “Just put the CD in the drive and follow the instructions on the screen.” Recently, however, a new wave of viruses spread through devices like USB keys and electronic picture frames has convinced many users that this feature is much too dangerous to allow on their machines.

However, when they try to disable AutoRun they find that Microsoft has made it ridiculously difficult. There are various menu options to turn it off, but they don’t really work.

As a public service, here’s a link to Scott Dunn’s article that gives relatively simple instructions for really disabling AutoRun. (After doing this, when you want to install software from a CD-ROM you will need to open the disc in Explorer and run the setup program manually.)
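As an added example (this is not the post's own instructions, nor the steps from the linked article), here is a PowerShell script that sets the registry policy value Windows consults to disable AutoRun for every drive type, then reads it back to confirm the change took effect. The paths and value names are Microsoft's documented ones; run it from an elevated prompt.

```powershell
# Added example: disable AutoRun for all drive types via the documented
# NoDriveTypeAutoRun policy value, then verify. Not the post's own steps.
# Requires an elevated PowerShell prompt (HKLM is machine-wide policy).

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Disable-AutoRun {
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # 0xFF sets the bit for every drive type, so AutoRun is off everywhere,
        # not just for removable drives as the Control Panel options do.
        Set-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    }
    # Older systems (XP/2003) ignored NoDriveTypeAutoRun until Microsoft's
    # AutoRun update (see KB967715) was installed; that update reads this flag.
    Set-ItemProperty -Path $policyPaths[0] -Name 'HonorAutorunSetting' -Value 1 -Type DWord
}

function Test-AutoRunDisabled {
    $ok = $true
    foreach ($path in $policyPaths) {
        $value = (Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' `
                  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -ne 0xFF) {
            Write-Warning "$path NoDriveTypeAutoRun is '$value', expected 255 (0xFF)"
            $ok = $false
        }
    }
    return $ok
}

Disable-AutoRun
if (Test-AutoRunDisabled) { 'AutoRun is disabled for all drive types.' }
```

Explorer reads the policy value when it starts, so log off and back on (or restart) before trusting the result; after that, a setup program on a CD has to be launched by hand from Explorer, as the post describes.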

Woody Leonhard’s description of the “Conficker” worm makes it clear why it is so dangerous to leave AutoRun even partially enabled.