Microsoft Releases Security Update for Autorun Vulnerability -- Redmondmag.com

Microsoft Releases Security Update for Autorun Vulnerability

By Chris Paoli
02/10/2011

In an "important, non-security update" released on Tuesday, Microsoft is offering a more convenient way to plug an Autorun hole for Windows XP and Vista users.

Microsoft is releasing an Autorun improvement for XP and Vista users through Windows Update, a service that automates patch delivery. The release coincidentally comes alongside this month's security update. This nonsecurity update adjusts the behavior of Autorun so that it prompts the user before automatically running programs found on USB devices or extended drives. However, Microsoft's Adam Shostack, in a blog entry, said that the update does not change how Windows works with "CDs or DVDs that contain Autorun files."

"We are aware that someone could write malware to take advantage of that, but we haven't seen it in the wild," Shostack wrote in the blog.

The Autorun hole, which Microsoft describes as a feature, has been used by hackers to spread worms (such as Conflicker) and other malware in users' systems. Worm-dropper programs hidden on USB devices or thumb drives have used Autorun to self-install on systems.

Autorun worms are ranked second on Microsoft's top malware family list for the second half of 2010, according to a Microsoft Threat Research and Response blog entry.

Some of the language associated with this problem has been a bit of confusing, and Microsoft is the first to admit that.

"...at Microsoft we reserve the term 'Security Update' to mean a broadly released fix for a product-specific security-related vulnerability," Shostack wrote in the blog entry. "And it would be odd to refer to Autorun as a vulnerability. That term is generally used, and we use it, to mean accidental functionality that allows someone to violate the security of the system. But Autorun isn't an accident -- it's by design, and as I mentioned we care about the very real positive uses of the feature."

While Microsoft has previously provided a workaround to disable the autorun feature, this new update will automatically provide a patch through its Windows Update system.

Windows 7 users will not need to take any actions, as the Autorun vulnerability associated with USB devices was cleared up in the launch of Microsoft's newest OS. However, all versions of Windows can still be affected by the Autorun hole by malware found on CDs, DVDs and other optical disk media.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.