Microsoft has released a security patch that changes the Autorun functionality in Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, in an effort to protect users from attacks.
Microsoft today made available updates to the Autorun feature that help to restrict AutoPlay functionality to only CD and DVD media on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Microsoft siad that by restricting AutoPlay functionality to only CD and DVD media can help protect userss from attack vectors that involve the execution of arbitrary code by Autorun when inserting a USB flash drive, network shares, or other non-CD and non-DVD media containing a file system with an Autorun.inf file.
In Windows XP, Windows Vista, and Windows Server 2003, AutoRun entries were populated for all devices that had mass storage and had a validly formatted AutoRun.inf file in the root directory. This included CDs, DVDs, USB thumb drives, external hard disks, and any volume that exposed itself as mass storage. This update disables AutoRun entries in AutoPlay, and displays only entries that are populated from CD and DVD drives. Effectively, this prevents AutoPlay from working with USB media.
The update is now offered via automatic updating. Users who have already installed Microsoft's 971029 update
manually will not be offered the update and do not need to take additional action.
Microsoft is marking this as an "Important, non-security update."
Notice that this update does not turn off the AutoRun feature entirely. For example, it does not impact "shiny media" such as CDs or DVDs that contain Autorun files.
For all those users who prefer the existing Autorun functionality and will want to reverse the effects, Microsoft is offering a Fix It
that accomplishes that.
"Changing behavior for a running system is never a trivial thing, and we take it incredibly seriously. It would be a bad outcome for people to think they have to make a tradeoff between security and anything else. Updates to protect against vulnerabilities are an important part of keeping a system secure. We had to be very confident that this change was the right balance for most people," Adam Shostack, a program manager working in TWC Security,wrote at Microsoft's security response blog.