Sign up for our newsletter.

I agree to this site's Privacy Policy.


Microsoft Releases Security Update for Autorun Vulnerability

In an "important, non-security update" released on Tuesday, Microsoft is offering a more convenient way to plug an Autorun hole for Windows XP and Vista users.

Microsoft is releasing an Autorun improvement for XP and Vista users through Windows Update, a service that automates patch delivery. The release coincidentally comes alongside this month's security update. This nonsecurity update adjusts the behavior of Autorun so that it prompts the user before automatically running programs found on USB devices or extended drives. However, Microsoft's Adam Shostack, in a blog entry, said that the update does not change how Windows works with "CDs or DVDs that contain Autorun files."

"We are aware that someone could write malware to take advantage of that, but we haven't seen it in the wild," Shostack wrote in the blog.

The Autorun hole, which Microsoft describes as a feature, has been used by hackers to spread worms (such as Conflicker) and other malware in users' systems. Worm-dropper programs hidden on USB devices or thumb drives have used Autorun to self-install on systems.

Autorun worms are ranked second on Microsoft's top malware family list for the second half of 2010, according to a Microsoft Threat Research and Response blog entry.

Some of the language associated with this problem has been a bit of confusing, and Microsoft is the first to admit that.

" Microsoft we reserve the term 'Security Update' to mean a broadly released fix for a product-specific security-related vulnerability," Shostack wrote in the blog entry. "And it would be odd to refer to Autorun as a vulnerability. That term is generally used, and we use it, to mean accidental functionality that allows someone to violate the security of the system. But Autorun isn't an accident -- it's by design, and as I mentioned we care about the very real positive uses of the feature."

While Microsoft has previously provided a workaround to disable the autorun feature, this new update will automatically provide a patch through its Windows Update system.

Windows 7 users will not need to take any actions, as the Autorun vulnerability associated with USB devices was cleared up in the launch of Microsoft's newest OS. However, all versions of Windows can still be affected by the Autorun hole by malware found on CDs, DVDs and other optical disk media.

About the Author

Chris Paoli is the site producer for and

comments powered by Disqus

Reader Comments:

Fri, Feb 11, 2011

The patch for Autorun was NOT installed automatically by Windows update. It was merely added to the list of optional patches. It still needs to be manually selected. And the protection is only partial as a USB device can present itself to the OS as a CD and thus be enabled for Autorun. For more on this see

Fri, Feb 11, 2011 Mark

There are any number of features that can be exploited in different ways, Auto run is just another one. There are other features that can be used in malicious ways as well. For example jpeg bombs can be activated by opening a web page should all browsers prompt you for every jpeg they open just because one might be bad? The possibility of that a feature is exploitable doesn't mean it should always be completely be removed. One can drive a car and cause lots of damage but the utility of it out ways the idea that cars should be banned.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above