Microsoft Releases Security Update for Autorun Vulnerability

In an "important, non-security update" released on Tuesday, Microsoft is offering a more convenient way to plug an Autorun hole for Windows XP and Vista users.

Microsoft is releasing an Autorun improvement for XP and Vista users through Windows Update, a service that automates patch delivery. The release coincidentally comes alongside this month's security update. This nonsecurity update adjusts the behavior of Autorun so that it prompts the user before automatically running programs found on USB devices or extended drives. However, Microsoft's Adam Shostack, in a blog entry, said that the update does not change how Windows works with "CDs or DVDs that contain Autorun files."

"We are aware that someone could write malware to take advantage of that, but we haven't seen it in the wild," Shostack wrote in the blog.

The Autorun hole, which Microsoft describes as a feature, has been used by hackers to spread worms (such as Conflicker) and other malware in users' systems. Worm-dropper programs hidden on USB devices or thumb drives have used Autorun to self-install on systems.

Autorun worms are ranked second on Microsoft's top malware family list for the second half of 2010, according to a Microsoft Threat Research and Response blog entry.

Some of the language associated with this problem has been a bit of confusing, and Microsoft is the first to admit that.

" Microsoft we reserve the term 'Security Update' to mean a broadly released fix for a product-specific security-related vulnerability," Shostack wrote in the blog entry. "And it would be odd to refer to Autorun as a vulnerability. That term is generally used, and we use it, to mean accidental functionality that allows someone to violate the security of the system. But Autorun isn't an accident -- it's by design, and as I mentioned we care about the very real positive uses of the feature."

While Microsoft has previously provided a workaround to disable the autorun feature, this new update will automatically provide a patch through its Windows Update system.

Windows 7 users will not need to take any actions, as the Autorun vulnerability associated with USB devices was cleared up in the launch of Microsoft's newest OS. However, all versions of Windows can still be affected by the Autorun hole by malware found on CDs, DVDs and other optical disk media.

About the Author

Chris Paoli is the site producer for and


  • What Money in Excel Means for the Future of Microsoft 365 Apps

    Microsoft's new personal finance tool hints at what's in store for next-generation Office applications, from more third-party integrations to subscription requirements.

  • Microsoft Buys Orions Systems To Enhance Vision AI Capabilities in Dynamics 365

    Microsoft announced on Tuesday that it has acquired Orions Systems with the aim of enhancing Dynamics 365 capabilities, as well as the Microsoft Power Platform.

  • Microsoft Hires Movial To Build Android OS for Microsoft Devices

    Microsoft has hired the Romanian operations of software engineering and design services company Movial to develop an Android-based operating system solution for the Microsoft Devices business segment.

  • Microsoft Ending Workflows for SharePoint 2010 Online Next Month

    Microsoft on Monday gave notice that it will be ending support this year for the "workflows" component of SharePoint 2010 Online, as well as deprecating that component for SharePoint 2013 Online.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.