Microsoft says 'Good riddance' to USB Autorun

Filed Under: Malware, Microsoft

USB stickHere's some good news for anyone who has been struck by auto-running malware from a USB stick in the past.

Microsoft has rolled-out an "important, non-security update" through Windows Update, changing the behaviour of Autorun when you plug a USB stick into your computer.

Not sure what Autorun is? It's the technology which causes a program to start automatically when you insert a CD or USB stick into your Windows PC. You may have spotted the Autorun.inf files in the root directory of your USB sticks and on CDs in the past.

It may sound like a neat idea, but a lot of malware (The Conficker worm would be perhaps the most infamous example) has exploited the technology to infect computers via USB sticks in the past.

The more recent versions of Windows, like Windows Vista and Windows 7, have made changes to the way that Autorun operates and this has helped fight the spread of Autorun malware. But older versions of Windows, such as Windows XP, were still often at risk.

In fact, in a blog post published yesterday, Microsoft's Holly Stewart presented statistics which suggested that "Windows XP users were nearly 10 times as likely to get infected by [Autorun malware] in comparison to Windows 7."

Microsoft Autorun malware statistics

Yesterday, Microsoft rolled out an update via its Windows Update infrastructure, to users running versions prior to Windows 7, which effectively prevents Autorun malware from automatically infecting computers without the user's permission.

Note, however, that this isn't the death of Autorun entirely. As Microsoft's Adam Shostack explains on the MSRC blog, Autorun is still available for "shiny media" such as CDs and DVDs.

Hmm. I guess that will be welcome news for any misguided company which tries to emulate Sony's disastrous scheme from 2005 where music CDs automatically installed a rootkit as part of their DRM copy protection.

All in all, though, Microsoft has done a good thing here. Autorun was never a necessary technology in my point of view, and its exploitation by malware made it a dangerous liability. Locking it in a windowless room, handing it a service revolver and appealing to its sense of decency is probably the best move that we can make.

, , ,

You might like

13 Responses to Microsoft says 'Good riddance' to USB Autorun

  1. kurt wismer · 1700 days ago

    as vesselin pointed out to me some years ago (complete with microsoft documentation) autorun didn't automatically launch programs when inserting a standard flash memory drive into the USB port (CDs, DVDs, and U3 capable flash drives are a different matter). they can automatically launch programs when you double click on the drive in windows explorer, however.

    • Paul Ducklin · 1700 days ago

      I've never been able to remember which was AutoPlay and which was AutoRun.

      IIRC, it was the defunct AutoPlay which launched apps directly and silently, whilst AutoRun is the name for the feature pops up a menu in which the default option can be overriden by the AUTORUN.INF file, and in which the text and icon displayed for that default option is also controlled by potentially hostile metadata on the USB key.

      So although it doesn't exactly force a program to run, it takes you soooo close - and lets you make that default choice look soooo innocent that it might as well do so.

      • kurt wismer · 1699 days ago

        i humbly submit that if autoplay automatically runs things, and autorun pops up a dialog that lets you play audio/video/whatever from the removable storage medium, then the names are completely backwards.

        not that i'd put it past microsoft to name things like that, however.

        hmm, this page ( ) seems to suggest that they actually named things intelligently (if you scroll down to the question "What must I do to trigger AutoRun on my USB storage device?"

  2. Glenn · 1700 days ago

    I'm not a big fan of Autorun on ANY removable media. I'm perfectly capable of launching software, where ever it is located, at the time that I want to launch it. I'm also perfectly capable of launching the appropriate readers/viewers/players and reading/viewing/playing the desired files.

    Of course, I also recognize that not everyone (indeed, very few) have my level of computer knowledge, and they depend on these shortcuts to aid them in their computer's operation. I surmise that this action will afford very little advantage to those people...they're the ones who will, for example, click on anything on FaceBook. Not knowing there is malware on the USB stick, they'll just give it permission to run and get infected anyway.

    You can bet the malware writers know this. I seriously doubt that this will have any great impact on the problem.

  3. Sithlock · 1700 days ago

    At least it that lessens the problems Dead Droppers were having.

  4. Sean Sullivan · 1694 days ago

    You guys should stop playing with your Macs long enough to try actually installing the updates on a Windows box. ;-)

    It isn't yet automatic for Windows XP:

    "Microsoft says that this was a miscommunication and not a mistake."

    I never take what Microsoft say for granted, they're too big. I always test first and then write.

    • Thanks Sean. When I tested it I was able to install it as an optional update on my Windows machines - so PC Mag is right that you have to dig around a little to ensure that you have installed it on your computer.

      Sounds like they'll be making it non-optional in the coming weeks. :)

      • Sean Sullivan · 1694 days ago

        Good thing. Hopefully sooner than later. (If the left hand manages to communicate with the right. :-))

        Perhaps Microsoft should consider a "browser choice" type of wizard and also offer the fix it tool to completely remove the feature on older Windows installations?

        Having once worked as tech support, I know complete removal is a difficult and potentially costly decision, but I personally think older versions of Windows would be better off without it.

  5. hayzuse · 1693 days ago

    about time

  6. Anthony · 1288 days ago

    So, what is the difference between a USB drive and one that pretends to be a CD and .. autoruns.

    Recently saw a beauty which pretends to be a keyboard. Just does the typeing for the user automagically.

  7. Kevin · 1238 days ago

    The solution is not to withdraw a very useful feature but attack the problem.

    Autorun is the useful feature. Antivirus stops the rogue misuse of it.

    If we followed the same logic as applied to autorun, Microsoft should disable the running of programs!

    • raj · 1177 days ago

      Autorun is not a useful feature and never was. It was just a shiny gadget which purpose was to demonstrate how "cool" a system is, so it even runs programs automatically off an inserted disc/USB stick.
      One of the very first thing experienced Windows users do is to turn the autorun off. On the other hand, I have heard much too many complaints of inexperienced users who don't know how to turn the feature off, that it's messing with their usage of the computer by running things they don't want whenever they insert a CD.
      There's nothing difficult in navigating to the drive icon in the Explorer windows and double-clicking on "install" or something similar if you *actually want* to run the program off the disc. There's no need for any automation here. And it's actually a bad idea, because the computer doesn't know what do you want to do with the media you just inserted.

  8. Daniel Green · 1071 days ago

    its a good start, but i imagine most malware and spyware attacks are internet based. The insert popup really only needs to give the option to 'open the folder to view files' since there is a 9/10 chance that is the users next action after plugging in a memory card.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley