Microsoft Pushes Fix to Disable AutoRun


As malware authors and attackers have continued to employ the Windows AutoRun functionality to help spread their malicious creations–culminating famously in the Stuxnet worm–Microsoft has been making gradual changes to help prevent these attacks. This week the company took the major step of [putting an optional fix into Windows Update that will disable Autorun](<http://blogs.technet.com/b/msrc/archive/2011/02/04/deeper-insight-into-the-security-advisory-967940-update.aspx>). The company made the change Tuesday on the same day that it shipped its monthly crop of patches, and said that the change is designed to bring Windows XP and other operating systems into a more secure state by makign it harder for malware to use AutoRun as a propagation method. “In April 2009 we delivered a very public message to the Windows ecosystem that we were changing the behavior of Autorun in ways that improved security. We blogged on the progress of that transition, posting “[AutoRun changes in Windows 7](<http://blogs.technet.com/b/srd/archive/2009/04/28/autorun-changes-in-windows-7.aspx>)” in April 2009. In November 2009, we posted “[AutoPlay Windows 7 behavior backported](<http://blogs.technet.com/b/srd/archive/2009/09/11/autoplay-windows-7-behavior-backported.aspx>)” and we put out an update to do the same for older operating systems. We made that update available from the Download Center. That allowed anyone who wanted the update to seek it out and download it for themselves. Our partners expressed their concerns about that change, but by and large understood the reasons for it,” Adam Shostack, a program manager in the Trustworthy Computing Group at Microsoft said in a [blog post about the AutoRun change](<http://blogs.technet.com/b/msrc/archive/2011/02/04/deeper-insight-into-the-security-advisory-967940-update.aspx>). “Over the last few years, companies that needed the functionality incorporated U3 functionality into their devices. Others documented the change. Overall, the transition hasn’t been simple, but it has worked. Today we are taking another important step to protect our customers. We’re putting the existing update into the Windows Update channel.” AutoRun is a feature in Windows that tells the operating system what to do when a new drive is attached to the computer. The functionality is most often encountered by most users with devices such as USB drives. Stuxnet used this functionality as one of its methods of infection and much older worms, such as Blaster, used it in the past. In many cases, the AutoRun feature allows malware to spread or infect a machine in the background without any user notification. Microsoft officials said that the data they’ve collected and analyzed shows that although users of Windows XP and Windows 7 are exposed to malware families that utilize AutoRun as one of their infection vectors, users of the newer OS fared much better, likely thanks to the changes made to AutoRun. “However, when you look at actual infection rates (using data from the Microsoft Malicious Software Removal Tool and normalizing the number of users per OS with the number of infection reports per OS to account for differences in the install base), the numbers are starkly different. Windows XP users were nearly 10 times as likely to get infected by one of these worms in comparison to Windows 7. Although causative proof is difficult to quantify, it is quite possible that these figures reflect, at least in part, the improvements made to the security of Autorun in Windows 7,” Holly Stewart of the Microsoft Malware Protection Center said in a [blog post](<http://blogs.technet.com/b/mmpc/archive/2011/02/08/breaking-up-the-romance-between-malware-and-autorun.aspx>).