Microsoft Releases Security Update for Autorun Vulnerability
In an "important, non-security update" released on Tuesday, Microsoft is offering a more convenient way to plug an Autorun hole for Windows XP and Vista users.
Microsoft is releasing an Autorun improvement for XP and Vista users through Windows Update, a service that automates patch delivery. The release coincidentally comes alongside this month's security update. This nonsecurity update adjusts the behavior of Autorun so that it prompts the user before automatically running programs found on USB devices or extended drives. However, Microsoft's Adam Shostack, in a blog entry, said that the update does not change how Windows works with "CDs or DVDs that contain Autorun files."
"We are aware that someone could write malware to take advantage of that, but we haven't seen it in the wild," Shostack wrote in the blog.
The Autorun hole, which Microsoft describes as a feature, has been used by hackers to spread worms (such as Conflicker) and other malware in users' systems. Worm-dropper programs hidden on USB devices or thumb drives have used Autorun to self-install on systems.
Autorun worms are ranked second on Microsoft's top malware family list for the second half of 2010, according to a Microsoft Threat Research and Response blog entry.
Some of the language associated with this problem has been a bit of confusing, and Microsoft is the first to admit that.
"...at Microsoft we reserve the term 'Security Update' to mean a broadly released fix for a product-specific security-related vulnerability," Shostack wrote in the blog entry. "And it would be odd to refer to Autorun as a vulnerability. That term is generally used, and we use it, to mean accidental functionality that allows someone to violate the security of the system. But Autorun isn't an accident -- it's by design, and as I mentioned we care about the very real positive uses of the feature."
While Microsoft has previously provided a workaround to disable the autorun feature, this new update will automatically provide a patch through its Windows Update system.
Windows 7 users will not need to take any actions, as the Autorun vulnerability associated with USB devices was cleared up in the launch of Microsoft's newest OS. However, all versions of Windows can still be affected by the Autorun hole by malware found on CDs, DVDs and other optical disk media.