Windows 7’s AutoRun Evolution Backported to XP and Vista Through Windows Update

February 10th, 2011 09:11 GMT

It’s now easier than ever for customers running older Windows releases to increase the security of their platforms by adopting one of Windows 7’s changes to AutoPlay.

Back in April 2009, long before Windows 7 was released to manufacturing, Microsoft kicked AutoRun up a notch for the operating system in a move designed to thwart malware that was abusing the feature in order to infect computers.

Essentially, from that point on, Windows 7 AutoPlay no longer supported the AutoRun functionality for non-optical removable media, such as USB drives, although it continued to work for CDs and DVDs.

When Windows 7 users insert a USB device into their machines, they no longer get the “Install or run program” option specific to AutoRun, but just the General Options of AutoPlay.

As a result, any malicious code on the device can no longer launch and compromise a PC by misusing AutoRun.

According to Holly Stewart, MMPC, the AutoRun changes were introduced to tackle malware that uses AutoRun propagation techniques, such as Taterf, Rimecud, Conficker, and Autorun.

“A similarity all of these worms share is a common propagation method. They all abuse the autoplay feature of Autorun, many by creating or manipulating Autorun.inf files on network drives and removable media, so that when a user connects, the malware is automatically executed on their system,” Stewart explained.

“Newer operating systems, like Windows Vista and Windows 7, have made changes to the way Autorun is configured (Windows Vista) and how it works by default (Windows 7).

“These changes appear to have had a significant difference in the ability for autorun-abusing malware to successfully infect these newer operating systems, especially for Windows 7.”
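The Autorun.inf mechanism Stewart describes can be checked for on a drive before it is trusted. The following is an added example, not code from the article or from Microsoft: it lists the entries in the `[autorun]` section that name a program to start (`open`, `shellexecute` and `shell\<verb>\command`). The function names and the sample file contents are constructed for illustration.

```python
import os
import re

# [autorun] keys that name a program to start when AutoRun is honoured.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def autorun_commands(text):
    """Return (key, command) pairs from the [autorun] section of an Autorun.inf."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue  # other sections, or lines that are not key=value
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in EXEC_KEYS or SHELL_COMMAND.match(key):
            findings.append((key.lower(), value))
    return findings


def audit_drive_root(root):
    """Find Autorun.inf (any letter case) in a drive root and report its commands."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "rb") as handle:
                return autorun_commands(handle.read().decode("latin-1"))
    return []


# Constructed sample input, not taken from any real malware.
SAMPLE = (
    "; constructed sample\r\n"
    "[AutoRun]\r\n"
    "icon=folder.ico\r\n"
    "Open=setup.exe /s\r\n"
    "line without an equals sign\r\n"
    "shell\\explore\\command=tool.exe\r\n"
    "ShellExecute = readme.html\r\n"
    "[Other]\r\n"
    "open=ignored.exe\r\n"
)

if __name__ == "__main__":
    for key, command in autorun_commands(SAMPLE):
        print(f"{key}: {command}")
```

An empty result means the file, if present, only sets cosmetic values such as the icon or label.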

The software giant has found that the AutoRun changes made in Windows 7 had a real impact on reducing the number of infections by malicious code that is known to abuse the feature, in comparison to Windows XP and Windows Vista.

“Windows XP users were nearly 10 times as likely to get infected by one of these worms in comparison to Windows 7. Although causative proof is difficult to quantify, it is quite possible that these figures reflect, at least in part, the improvements made to the security of Autorun in Windows 7,” Stewart added.

It’s important to note that the Redmond company already backported the AutoRun changes to XP and Vista in the second half of 2010, and that it is now only streamlining the integration of those modifications into all platforms.

Specifically, Microsoft has decided to push Windows 7’s AutoRun behavior as an Important update through Windows Update.

“We're putting the existing update into the Windows Update channel. This change has three important effects: we deliver the existing update to many more machines; we make it easier to deploy via WSUS; we help those organizations that, as a matter of their policy, only widely deploy updates that are in WU.

“We're marking this as an "Important, non-security update",” revealed Adam Shostack, a program manager working in TWC Security.

This is not a security update because it’s not a patch designed to resolve a security vulnerability. Instead, it’s an upgrade to a default feature in Windows.

XP and Vista users who have not deployed the Windows AutoRun changes manually will be served this update through WU.

“Changing behavior for a running system is never a trivial thing, and we take it incredibly seriously. It would be a bad outcome for people to think they have to make a tradeoff between security and anything else,” Shostack added.

“Updates to protect against vulnerabilities are an important part of keeping a system secure. We had to be very confident that this change was the right balance for most people.”
