Microsoft Releases Security Update for Autorun Vulnerability

In an "important, non-security update" released on Tuesday, Microsoft is offering a more convenient way to plug an Autorun hole for Windows XP and Vista users.

Microsoft is releasing an Autorun improvement for XP and Vista users through Windows Update, a service that automates patch delivery. The release coincidentally comes alongside this month's security update. This nonsecurity update adjusts the behavior of Autorun so that it prompts the user before automatically running programs found on USB devices or extended drives. However, Microsoft's Adam Shostack, in a blog entry, said that the update does not change how Windows works with "CDs or DVDs that contain Autorun files."

"We are aware that someone could write malware to take advantage of that, but we haven't seen it in the wild," Shostack wrote in the blog.

The Autorun hole, which Microsoft describes as a feature, has been used by hackers to spread worms (such as Conficker) and other malware to users' systems. Worm-dropper programs hidden on USB devices or thumb drives have used Autorun to self-install on systems.

Autorun worms are ranked second on Microsoft's top malware family list for the second half of 2010, according to a Microsoft Threat Research and Response blog entry.

Some of the language associated with this problem has been a bit confusing, and Microsoft is the first to admit that.

"At Microsoft we reserve the term 'Security Update' to mean a broadly released fix for a product-specific security-related vulnerability," Shostack wrote in the blog entry. "And it would be odd to refer to Autorun as a vulnerability. That term is generally used, and we use it, to mean accidental functionality that allows someone to violate the security of the system. But Autorun isn't an accident -- it's by design, and as I mentioned we care about the very real positive uses of the feature."

While Microsoft has previously provided a workaround to disable the Autorun feature, this new update will automatically provide a patch through its Windows Update system.

Windows 7 users will not need to take any action, as the Autorun vulnerability associated with USB devices was cleared up in the launch of Microsoft's newest OS. However, all versions of Windows can still be affected by the Autorun hole through malware found on CDs, DVDs and other optical disc media.

About the Author

Chris Paoli is the site producer for and

