
Microsoft finally says adios to Autorun - taylorbuley
http://www.theregister.co.uk/2011/02/08/microsoft_windows_autorun_retirement/
======
amalcon
I have always wondered who could have possibly thought Autorun was a good
idea. Let's give complete control of the system to anyone who gives you a CD!
Your neighbor's photo album can give you a virus now! Sony can install a
ridiculous content protection system without your knowledge or consent!

~~~
InclinedPlane
You have to keep in mind the technology of the time. The only user modifiable
media was a floppy disk (which didn't have autorun enabled, I believe). PCs
were becoming "multimedia" computers and the CD-ROM was the center of that.
CD-ROMs could then only be manufactured by rather large companies and
typically cost a significant amount of money to acquire. The idea that people
would acquire autorunnable media casually was foreign. The idea that the
ability to create autorunnable media would be common as dirt was also foreign.
Moreover, the internet was still new and not widely popular so the problem of
malicious autorunnable media was thought to be fairly limited in scope.

The modern era of dirt-cheap user modifiable CDs and USB drives along with
ubiquitous internet connectivity opens up the seemingly small (though still
serious) security problems of autorun into gaping holes.

Moreover, at the time many developers didn't take security issues very
seriously.

~~~
chipsy
I concur - the "multimedia" vision was that the CD-ROM would be used like a
VCR to play tightly-controlled, packaged media with interactivity. Things like
"interactive movies," animated books, and encyclopedias were often cited as
the examples. And Windows would support this experience by making it as simple
as turning on the computer and putting in the disc.

In practice, of course, it never really worked that way. Games moved away from
the interactive movie concept and instead would run an installer for 600+ MB
of compressed content. The encyclopedias-on-CD and animated books had a window
of about six or seven years before the Internet took over. And when CD burning
took off in a big way in the late 90's, the image of the CD-ROM as a read-only
medium was destroyed forever.

The only place where Autorun might have conceivably worked well is on the
proprietary content formats (DVDs and audio CDs). Yet even there, most of the
times I've put a CD or DVD in the computer, it's been to rip it, not to play
it.

~~~
InclinedPlane
Indeed. In practice hard drive space grew by leaps and bounds (as it always
does) and within a few years it was practical to store several CDs worth of
data. The historical norm had been to often run applications off of the
original media (floppies or CDs), but this changed to fully installing to the
hd once and then never using the original media again. This, of course, very
much changed the nature of the benefit of autorun.

Moreover, the explosion of the internet in the mid to late '90s began to
transform the nature of computer usage. In large part the internet supplanted
the CD-ROM as the primary point of entry for content into PCs.

It's interesting how common it is for even software engineers to fail to
anticipate the continuation of very well established technology trends.

------
misterbwong
Let me be the first to say: FINALLY

Autorun was an annoyance at best and a security hole at worst. I'm glad
they've finally decided to do away with it. I do wonder why they didn't decide
to do this across all media, though.

FTA: As we've pointed out before, the changes to Autorun still don't go far
enough. CDs and DVDs by default still automatically execute code when
inserted. Adam Shostack, a program manager for Microsoft's Trustworthy
Computing group, said here that Microsoft has yet to see in-the-wild attacks
that exploit Autorun on “shiny media.”

~~~
yuhong
Yep, there is a difference between Autorun on media that is instantly writable
and media that has to be specifically burned.

------
iwwr
"Over the past few years technologies such as in the U3 functionality found on
many thumb drives has provided alternatives."

In my experience, U3 is nothing but crippleware. It should be killed with
fire.

------
BoppreH
I still can't understand why they added the "feature" in the first place. Sure,
automatic execution of setups and the like is very convenient, but even a
small "are you sure you want to run this" dialog would have closed the
security hole most times.

~~~
callahad
> _I still can't understand why they added the "feature" in the first place._

I imagine, in the early 1990s, that the user experience seemed extremely
natural. Put a tape into a VCR and it starts playing. Put a LaserDisc into a
player and it starts playing. Put a cartridge into a game console and it
starts playing. Put a CD into a stereo and it starts playing. Why shouldn't a
CD you put in your computer start playing?

~~~
thought_alarm
Well, when you insert a tape into a VCR you still have to hit PLAY before it
does anything. Not that there's anything wrong with setting your computer to
automatically play a CD.

But it's not about audio, it's about software.

Starting with Windows 3.0, Microsoft's approach to Windows OS usability
involved hiding the file system from the user. Autorun is merely an extension
of that philosophy. It allows Microsoft to hide a CD-ROM's ugly MS-DOS file
system from the user.

An alternate approach is to make the file system less ugly.

~~~
jarek
Hiding a device's filesystem from the user would later prove to be a
relatively unpopular solution. </sarcasm>

~~~
ericd
Mostly for geeks, who really weren't who they were designing for.

------
thought_alarm
I didn't know Autorun was removed (sort of) in Windows 7. I guess that's one
less thing some of us can brag about.

It's hard to understand how Autorun survived Microsoft's big security push in
the mid-2000s. I would have guessed it would be the first thing to go.

But they can't remove Autorun without severely breaking backward
compatibility; you can't suddenly force users to locate SETUP.EXE in a sea of
weird setup files in order to install Office. That's why it's still enabled
for CDs and DVDs. As a result, Microsoft and its users continue to pay a price
for what turned out to be a really terrible design decision.

~~~
larsberg
The push only involved auditing use of APIs. High-level decisions were,
generally, not re-thought.

For a more concrete example, if you were hosting IE within a window of your
process, you had to harden the heck out of anything that IE could host, how it
accessed URLs and the hosting environment, etc. But, nobody was going to ask
you WHY you were hosting IE in the first place.

------
kenjackson
There are two core reasons why autorun wasn't viewed as a huge security
threat:

1) As one other person already pointed out, there was no real vector in which
to steal info from the client computer. There was no default email client, web
browser, or even TCP/IP stack. Computers were silos where data was moved via
floppy.

2) There was a reasonably fair assumption that if you put in a CD you were
going to run the application installed on the app. If it had opened up in file
explorer and there were files "setup.exe" or "readme.exe" or "runme.exe" --
99% of the time those files will get run anyways.

To put it another way... using the most secure web browser on the planet today
is probably a bigger known security risk in 2011 than autorun was in 1995.
With that said, the benefit of a web browser is a fair bit larger than
autorun.

------
nyellin
Even though it will be more difficult for worms to spread over USB, this does
NOT mean USB keys are no longer an attack vector.

For attacks targeted at specific computers, you can bypass the new
restrictions with Teensy and similar devices.

[http://www.offensive-security.com/metasploit-unleashed/SET_Teensy_USB_HID_Attack](http://www.offensive-security.com/metasploit-unleashed/SET_Teensy_USB_HID_Attack)

~~~
nyellin
Furthermore, in my opinion, leaving autorun enabled for CD/DVDs was the right
decision. Most people don't use CDs for transferring files anymore. Viruses
won't be able to get much traction by spreading over CD/DVDs, because barely
anyone inserts writable disks.

------
bni
Great! Lets hope they remove the "functionality" that blindly executes all
files ending in .exe next.

