Tuesday, February 15, 2011

Windows AutoRun: Microsoft is wrong, Computerworld is right

The vast majority of articles on the recent change to AutoRun for Windows XP, Vista, Server 2003 and Server 2008 state that Microsoft has just released an update that will be installed automatically.

This is not true.

In fairness to the tech press, Microsoft said this themselves.

Microsoft Security Advisory (967940): Update for Windows AutoRun was published in February 2009. The corresponding patch, published in August 2009, was only available to techies who knew to look for it. The patch changed the way AutoRun worked in those versions of Windows to mimic the behavior of Windows 7.

The Security Advisory was updated in February 2011 to add the following:

The AutoRun update described in Microsoft Knowledge Base article 971029 is now offered via automatic updates. Customers with automatic updating enabled will not need to take any action because this update will be downloaded and installed automatically.

It's a sad commentary on Microsoft that this is not the case.

What actually happened is that the patch was added as an optional update in Windows Update/Microsoft Update. Users of automatic updates will not have the patch applied. You must still find it manually. It's just a little easier to find.

Kudos to both Gregg Keizer, who writes for Computerworld, and Paul Thurrott of Windows IT Pro. Both stressed that the AutoRun change is not installed automatically, and both described the manual steps required to install the patch under Windows XP. Their articles are below:

This shows the difference between members of the tech press who parrot back what they read elsewhere and those who take the time to kick the tires.

Part of Defensive Computing is knowing whom to trust. Going forward, I will put more trust in the writings of Keizer and Thurrott.

STILL NOT FULLY PROTECTED

Taking a step back, however, Windows users should be aware that the update is incomplete.

Even with it installed, Windows computers can still get infected when a USB-based device is inserted. All the device needs to do is present itself to the system as a CD or DVD, which still support AutoRun.

In the update for the AutoPlay feature in Windows, Microsoft says:

Some USB flash drives have firmware that presents these USB flash drives as CD drives when you insert them into your computer. These USB flash drives are not affected by this update.

Gregg Keizer reported in his article that

... the delay of more than a year-and-a-half to push the Autorun update to Windows Update is designed to give providers of legitimate software that use the functionality time to recraft their programs. Most have turned to the U3 specification ... to automatically run their software from removable media.

Personally, I've run across more than one external hard drive that presented itself to Windows as both an external hard drive and a CD drive. No doubt this is done to promote the automatic installation of software preloaded on the external hard drive.

I wrote about a battleship approach to disabling AutoRun back in January 2009. This approach, an easy registry update, applies to all devices, including CDs and DVDs.

See "The best way to disable AutoRun for protection from infected USB flash drives" and "Test your defenses against malicious USB flash drives".
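A check for the gap described above, as an added example that is not from the original post: it decodes the standard Windows policy value NoDriveTypeAutoRun and flags settings that leave AutoRun enabled for CD/DVD-type devices. Using this value is an assumption made for illustration; the post does not name the registry change its January 2009 approach makes.

```python
import sys

# NoDriveTypeAutoRun bit flags: a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed disk",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "unknown (reserved)",
}
CDROM = 0x20
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

def autorun_enabled_types(value):
    """Drive types for which this value leaves AutoRun enabled."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]

def audit(value):
    """Classify a NoDriveTypeAutoRun value (None means the value is absent)."""
    if value is None:
        return "not-set"        # OS default behaviour applies
    if value & 0xFF == 0xFF:
        return "all-disabled"   # AutoRun off for every drive type
    if not value & CDROM:
        return "cdrom-exposed"  # a USB device presenting as a CD can AutoRun
    return "partial"

def read_policy():
    """Read the machine-wide value; None if absent or not running on Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
    except FileNotFoundError:
        return None
    # Accept REG_BINARY data as well as REG_DWORD.
    return int.from_bytes(value, "little") if isinstance(value, bytes) else value

if __name__ == "__main__":
    current = read_policy()
    print("NoDriveTypeAutoRun:", "not set" if current is None else hex(current))
    print("verdict:", audit(current))
    if current is not None:
        print("AutoRun still enabled for:", autorun_enabled_types(current))
```

A per-user value under HKEY_CURRENT_USER can exist at the same key path; this script reads only the machine-wide one.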

Defensive Computing is the thing.

Update: 12 February 2011:

Larry Seltzer of PC Magazine was one of the many who got some AutoRun facts wrong. On February 11, he published a correction. However, his initial posting, from 8 February, has not been corrected. What did change in the initial posting were the comments. The one I had left, correcting the facts, has been deleted.


