Microsoft is pushing out an update via its Windows Server Update Service to protect Windows users from AutoRun malware.
to take aim at malware abusing the AutoRun feature in Windows-this
time placing a fix into the Windows Update channel to prevent exploitation by
AutoRun is a feature that
allows removable media such as USB devices and CDs to launch automatically
whenever they are inserted; it is also one of the chief ways worms
use to propagate
. In response to the problem, in Windows 7, Microsoft
changed AutoPlay-the feature that allows users to decide what program
starts when removable media is inserted-to end support for AutoRun
for non-optical media such as USB drives. That capability was later made
available for older versions of Windows through the Microsoft Download Center.
Now, Microsoft is making
the "non-security update" available via Windows Server Update
Services, which is used by administrators to push updates out to users.
According to the Microsoft
Malware Protection Center, Windows XP users were nearly 10 times
as likely to get infected
by one of these worms in comparison to Windows 7.
"What we know, and talked
about in volume 9 of our Security Intelligence
last fall, is that a lot of malware uses Autorun as one of several
propagation mechanisms," blogged Adam Shostack, a program manager working in
Trustworthy Computing for Microsoft. "Because of the very real positive uses of
Autorun, we didn't want to simply shut it off without a conversation. On the
other hand, we believed action should be taken to shut down the misuse."
The update still does not
impact CDs or DVDs that contain AutoRun files. However, Shostack noted the
company has not seen malware taking advantage of that, and malware on CDs or
DVDs would likely have less of a widespread impact because people burn CDs less
often than they insert USB drives.
Among the malware that
abused the AutoRun feature were two of the most highly publicized pieces of
malware in history, Conficker and Stuxnet.
"All in all, though,
Microsoft has done a good thing here," blogged Graham Cluley, senior technology
consultant at Sophos. "Autorun
was never a necessary
technology in my point of view, and its exploitation
by malware made it a dangerous liability. Locking it in a windowless room,
handing it a service revolver and appealing to its sense of decency is probably
the best move that we can make."
Changing system behavior is
never a trivial thing, and Microsoft takes it seriously, Shostack wrote.
"It would be a bad outcome
for people to think they have to make a tradeoff between security and anything
else," he blogged. "Updates to protect against vulnerabilities are an
important part of keeping a system secure. We had to be very confident that
this change was the right balance for most people."