Autorunning disks Very Bad Idea.


Anteaus

Hate to say "I told you so, Microsoft" but:

http://www.bestsecuritytips.com/news+article.storyid+393.htm

Not sure I was the first, but many years ago I made a prediction of the
likelihood of the autorun.inf feature (then only applying to CDs) being
exploited in the same manner as floppy viruses like Brain or Stoned. It gives
me only slight satisfaction to see it proved correct with an in-the-wild
example affecting brand-new hard disks.

The software guys have had fully TEN YEARS (since the release of Win95A, in
fact) to wise up to the malware risk that autorunning disks create, yet with
successive Windows versions the scope of autorun has been expanded rather
than curtailed.

And, this in the face of most users protesting that CD/Flash memory autorun
is simply an unwanted nuisance, one which they'd rather not have because of
its annoyance factor, security considerations aside.
 
> Hate to say "I told you so, Microsoft" but:

Oh gosh, where to start:

That's about a Chinese mfg sending pre-infected hard drives for sale,
not about users being infected by autorun.

"Seagate did not disclose the stage in the manufacturing process where
the Chinese subcontractor installed the Trojan horse"
> Not sure I was the first, but many years ago I made a prediction of
> the likelihood of the autorun.inf feature (then only applying to CDs)
> being exploited in the same manner as floppy viruses like Brain or
> Stoned. It gives me only slight satisfaction to see it proved correct
> with an in-the-wild example affecting brand-new hard disks.

Somehow I doubt your credentials and claims based on the article you
referenced and any other lack of informational clarification or
verification. I'm looking for facts, not crap like this from vague
self-serving individuals.
> The software guys have had fully TEN YEARS (since the release of
> Win95A, in fact) to wise up to the malware risk that autorunning
> disks create, yet with successive Windows versions the scope of
> autorun has been expanded rather than curtailed.

Well, by your flawed logic, since that's an Aug 2007 article, it then
took them 9 years to detect? I don't think so. Your link is
disconnected from your stated topic.
> And, this in the face of most users protesting that CD/Flash memory
> autorun is simply an unwanted nuisance, one which they'd rather not
> have because of its annoyance factor, security considerations aside.

You don't even seem to be aware that autorun is manageable and can be
turned off completely or off for only certain types of things, etc.

The thing I hate most in this world is misinformation, either by direct
lie or by innuendo of statistically insignificant occurrences. In my
nearly two decades of experience I have never come across even the
mention of anything such as you mention; you're running on what you
consider "logical" and no more, IMO.
 
Twayne said:
You don't even seem to be aware that autorun is manageable and can be
turned off completely or off for only certain types of things, etc.

Why is it that no-one can make a constructive comment on Windows security
without a debunker launching in? The key objective always seems to be to
discredit the poster. Note, that does not solve the problem. Though, it may
dissuade others from requesting a fix, I guess. Maybe that is the objective?

The typical user does not know how to turn off autorun, what is more they do
not expect to have to meet such issues; they (perhaps rightly?) think the
computer should be designed with at least a sensible attitude to security.

EVEN if the user does understand such things as registry-editing, it is no
guarantee of security. There are a number of programs around which force
autorun ON even if the user has turned it off, directly in the registry. One
such, believe it or not is (or was?) Apple's iTunes. (Policy might have
changed, not sure on this, any current iTunes user care to comment?)

I speak from experience of having been caught-out by one such program (A
CD-writing suite) which set autorun ON without my knowledge or permission. As
a result an unauthorised installer ran from a subsequent CD-R containing data
for a project. In view of the possibility that it may have contained a
malware payload, the only sensible decision was to flatten the OS.

There are two issues here:

One, it is virtually impossible to do anything to Windows which will ensure
that autorun STAYS off. This is very poor design. Make any registry edits you
like, and some bright-eyed and bushy-tailed programmer will figure that he
can still make his program autorun on your computer (which will of course
infinitely Enrich your User Experience!) if he resets your registry for you.
Bingo, autorun is alive once more, and you may not even be aware of this
until malware strikes.

Two, when disks autorun, they do so at a very random time after insertion.
Sometimes the delay is considerable. Security aside, this is immensely
irritating.
If the user is typing when this happens the autorun-program will 'steal
typing' from the foreground window, and typically launch an installer with
garbage instructions as a result. Even if the software is legitimate this can
result in a messed-up install.

Saying that the quoted example was solely the fault of the Chinese disk
supplier is ignoring the requirement for due diligence. It should not have
been *possible* for the supplier to do this in the first place.

As for comments regarding the quoted article's date, has the problem been
fixed yet? If NO, then what exactly is your issue with the article's date?

As for your derogation, Twayne, I seriously doubt _your_ credentials to
comment.
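Both sides of the thread come down to registry state: Twayne's point that autorun can be turned off per drive type, and Anteaus's point that an installer can silently turn it back on. The following PowerShell audit is an added example, not code from either poster; it assumes a Windows host, that the NoDriveTypeAutoRun policy value is the per-drive-type switch being discussed, and that the Autorun.inf IniFileMapping entry (a widely used hardening the thread itself does not mention) is also in scope, so that re-running the audit on a schedule catches drift.

```powershell
# Added example (not from the thread). Audits the registry settings that govern
# autorun.inf handling on Windows and reports drift, so a program that quietly
# turns autorun back on is noticed. Run elevated to read or set HKLM values.

# NoDriveTypeAutoRun bit -> drive type for which autorun is suppressed (0xFF = all).
$DriveTypeBits = [ordered]@{
    0x01 = 'DRIVE_UNKNOWN'; 0x04 = 'DRIVE_REMOVABLE'; 0x08 = 'DRIVE_FIXED'
    0x10 = 'DRIVE_REMOTE';  0x20 = 'DRIVE_CDROM';     0x40 = 'DRIVE_RAMDISK'
    0x80 = 'reserved/unknown'
}
$PolicyKey  = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
# Mapping autorun.inf to a non-existent section makes Explorer ignore the file
# regardless of NoDriveTypeAutoRun (assumed hardening, not from the thread).
$MappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutoRunAudit {
    # One object per hive: the policy value, whether every drive type is
    # covered, and which drive types would still autorun.
    foreach ($hive in 'HKLM', 'HKCU') {
        $item  = Get-ItemProperty -Path "$hive`:\$PolicyKey" -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { $null } else { [int]$item.NoDriveTypeAutoRun }
        $stillOn = @()
        if ($null -ne $value) {
            foreach ($bit in $DriveTypeBits.Keys) {
                if (($value -band $bit) -eq 0) { $stillOn += $DriveTypeBits[$bit] }
            }
        }
        [pscustomobject]@{
            Hive               = $hive
            NoDriveTypeAutoRun = $(if ($null -eq $value) { 'not set (OS default)' } else { '0x{0:X2}' -f $value })
            FullyDisabled      = ($value -eq 0xFF)
            StillAutoRuns      = $(if ($null -eq $value) { 'OS default applies' } else { $stillOn -join ', ' })
        }
    }
}

function Test-AutorunInfMapping {
    $item = Get-ItemProperty -Path $MappingKey -Name '(default)' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.'(default)' -eq '@SYS:DoesNotExist')
}

function Set-AutoRunDisabled {
    # Machine-wide: suppress autorun for every drive type and neuter autorun.inf.
    New-Item -Path "HKLM:\$PolicyKey" -Force | Out-Null
    Set-ItemProperty -Path "HKLM:\$PolicyKey" -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    New-Item -Path $MappingKey -Force | Out-Null
    Set-ItemProperty -Path $MappingKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

# Drift check: report any hive that is not fully locked down.
Get-AutoRunAudit | Where-Object { -not $_.FullyDisabled } | Format-Table -AutoSize
if (-not (Test-AutorunInfMapping)) { Write-Warning 'autorun.inf IniFileMapping hardening is not applied' }
```

Running the audit from a scheduled task (rather than setting the values once) is what addresses the "it does not STAY off" complaint: any program that rewrites the policy value shows up in the next report.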
 