Alongside its Patch Tuesday fixes, Microsoft has also announced an update to the Autorun feature that changes how earlier versions of Windows handle security when reading removable storage devices.
Adam Shostack, a program manager at Microsoft, said that analysis had shown a proportion of infected machines carrying malware that uses Autorun to propagate. Because Autorun has very real positive uses, Microsoft did not want to shut it off without a conversation; on the other hand, it believed action should be taken to shut down the misuse.
This has led to the existing update being put into the Windows Update channel, which has three important effects: delivering the existing update to many more machines; making it easier to deploy via WSUS; and helping those organisations that, as a matter of policy, only widely deploy updates that are in Windows Update.
Windows 7 already disables Autorun for devices such as USB thumb drives, which prevents malware lurking on such drives from loading itself onto computers without user interaction. Microsoft said that it believes this is a huge step towards combating one of the most prevalent infection vectors used by malware such as Conficker.
Shostack said that this was an ‘important, non-security update’: Microsoft does not regard Autorun as a vulnerability, because Autorun is not an accident, it is by design. “It is also not a security update because security updates are intended to fix a problem and all known variants. That's more problematic when the ‘problem’ is a feature that's being used as intended, and so this update does not turn off the feature entirely,” he said.
“For example, it does not impact ‘shiny media’ such as CDs or DVDs that contain Autorun files. We are aware that someone could write malware to take advantage of that, but we haven't seen it in the wild.
“Based on what we've learned over the last 22 months and shared in the Security Intelligence Report, now is the right time to bring this update to a wide audience. At the same time, we're aware that some customers prefer the existing Autorun functionality and will want to reverse the effects. So we have a Fix It available that accomplishes that.”
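The update described above changes how Windows treats autorun.inf on non-optical removable media; it does not, as Shostack notes, touch CDs and DVDs, and administrators who want the old behaviour back use a Fix It. The script below is an added example, not part of the article and not Microsoft's update or Fix It: it audits the administrator-level control Microsoft documents in KB 967715, the NoDriveTypeAutoRun policy value, decodes which drive types currently have Autorun disabled, and can harden the machine to 0xFF so optical media are covered as well. Each bit of the mask corresponds to the drive type number returned by GetDriveType (0x04 removable, 0x20 CD-ROM, and so on). Writing to HKLM needs an elevated prompt; the function names and the descriptive labels are this example's own.

```powershell
# Added example (not the article's or Microsoft's code): audit and optionally
# harden the Autorun policy. NoDriveTypeAutoRun and HonorAutorunSetting are
# the documented policy values (Microsoft KB 967715); function names are ours.
# Run from an elevated PowerShell prompt when hardening (HKLM write).

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Bit n of the mask disables Autorun for the drive type whose GetDriveType
# number is n. The labels are descriptive only.
$DriveTypeBits = [ordered]@{
    0x01 = 'Unknown type'
    0x02 = 'No root directory'
    0x04 = 'Removable (USB thumb drives, floppies)'
    0x08 = 'Fixed (local hard disks)'
    0x10 = 'Network'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x80 = 'Reserved / unrecognised'
}

function Get-AutorunPolicy {
    # Returns the mask as an integer, or $null when no policy value is set
    # (in which case the built-in Windows default applies).
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.NoDriveTypeAutoRun) {
        return [int]$props.NoDriveTypeAutoRun
    }
    return $null
}

function Show-AutorunPolicy {
    # Prints, per drive type, whether Autorun is disabled by the current mask.
    $mask = Get-AutorunPolicy
    if ($null -eq $mask) {
        Write-Output "NoDriveTypeAutoRun is not set under $PolicyKey; the Windows default applies."
        return
    }
    Write-Output ("NoDriveTypeAutoRun = 0x{0:X2}" -f $mask)
    foreach ($bit in $DriveTypeBits.Keys) {
        $state = if ($mask -band $bit) { 'disabled' } else { 'ALLOWED' }
        Write-Output ("  {0,-40} Autorun {1}" -f $DriveTypeBits[$bit], $state)
    }
}

function Set-AutorunDisabledEverywhere {
    # 0xFF sets every bit, so Autorun is disabled for all drive types,
    # including the optical media the update leaves alone.
    # HonorAutorunSetting = 1 makes older systems apply NoDriveTypeAutoRun
    # consistently (see KB 967715).
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' `
        -PropertyType DWord -Value 0xFF -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

Show-AutorunPolicy
# To harden, run the following from an elevated prompt; the new mask is
# applied at the next logon:
# Set-AutorunDisabledEverywhere; Show-AutorunPolicy
```

The same value can also be set per user under HKCU, so a thorough audit checks both hives. Note that NoDriveTypeAutoRun governs Autorun by drive type and is independent of the update the article describes; reversing the update with the Fix It does not change this mask, and hardening the mask does not undo the update.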
Tyler Reguly, technical manager of security research and development at nCircle, said: “Beyond the vulnerabilities, I think the delivery of the disabled Autorun for thumb drives is a huge increase in security for users.
“Malware commonly spreads via Autorun, and lately we have seen malware ship on a large number of consumer products, so this added protection can only be good for the end user. I'm glad to see that Microsoft is pushing this non-security update out to all consumers.”