At last!
For years it has just pissed me off when that window keeps popping up whenever I put a DVD in the drive or attach a USB stick. Why didn't someone tell me about this years ago? :)
After some confusion about exactly how Windows users can protect themselves against a prolific computer worm called Downadup, Microsoft security watchers are once again reiterating the steps for disabling the Autorun feature. Downadup has managed to infect an estimated 9 million machines at last count using multiple attack …
Tweak XP does it for you. No registry editing. The problem is most of my clients couldn't handle having to right click and select autoplay ... on the optical drive.
When I used vista I found a similar program for vista .. but now I am sticking with XP until I give Windows 7 a shot.
Yes, let's automatically execute whatever random executable happens to be configured on some random media we're connecting to, rather than require user intervention. What a wonderful idea! Nothing could possibly go wrong! Then let's make disabling it as cryptic as possible.
Bloody idiots. To think that people still buy that shit, it's sickening.
The Vista default is to pop a window to authorise the autorun. I think it includes a tick box for "don't ask again." There is also a single config window for all media. Instructions here: http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/
If your aunt Mildred clicks "yes" to every question that comes up, then this might help save her from herself, but it should be OK if she both reads them and understands that her Sony CD doesn't really need to run any of its own software. (I think that rootkit popped a window explaining that the new software was necessary to give the best listening experience, so even people who read the question might have clicked "yes.")
The Bloody Idiots are the ones who throw in random media without being certain of the source. Surely this is first principles with regards to security.
Trouble with most Linux Fanatics is they ignore the average user's demand for ease of use combined with lack of skills. Whether they like it or not, Microsoft addressed - only Ubuntu has really come close to trying. Autorun is one of those features that fits Joe User nicely, but leaves an unfortunate security issue.
is that they couldn't just restrict what autorun can do, I mean, what exactly could it possibly need? It needs to open a program that can do what, install a program? OK, on demand pop up a dialog asking for permission and bingo, problem is resolved.
oh wait, windows can't reliably do that.......
1) Read the screen in front of you which gives some pretty big fucking clues that it's dodgy (e.g. the word on a different icon saying "Browse folders")
2) Keep UAC enabled
3) Ignore the autoplay screen
This isn't an exploit or a hole - it's just not great design. However the bottom line is that this is a social engineering exploit rather than a technical one. There's little difference between this and getting an email saying "click here to download the latest patches from Micr0soft" from updates.ms@microsoft.fixes.tripod.com
UAC prevents this from actually working, alongside the fact that the virus doesn't self-execute.
I still have one Windows machine that runs my mail server. Someday I will get around to finding the right mail server software to run on Linux or Mac but in the meantime I still have the one.
So, I tried the "fix" from Microsoft because this has bugged me for years.
Result?
"Windows cannot find the file gpedit.msc. Make sure you have typed the name correctly ...........etc"
There is probably a good reason. It's just that life is too short to go looking for it.
Considered installing the patch but it says that it is not necessary for XP Pro SP2 or SP3?
Therefore, why not just offer SP3 instead of the patch? Anyway, just to be sure, I decided to follow the group policy editing instructions, but when I tried to launch the GP snap-in, my PC reported that it could not be found? Perhaps it's not installed, since I'm not on a corporate network?
So then I decided that I would modify the registry key (NoDriveTypeAutoRun) just to be sure, but found that it does not exist at the specified location!
Next I decided to slap my XP Pro installation disk in the drive and see if it autoruns... it didn't!
... go figure!
The powertools are cute - developed by MS guys, but not "official". There's a really useful one called TweakUI that lets you pick which drives you want to disable autorun, and since any physical drive mounts as a logical drive letter, problem solved.
I think. YMMV.
I've always disabled it.
When setting up big networks my workers used to complain it was pointless extra work disabling Autoplay.
I've never seen the point of it. How hard is it to click on the icon when you insert the thingy? Also maybe you want to look at the files or manual BEFORE autorun of the installer.
Of course when Aunt Mildred doesn't have autorun switched on, and she inserts her CD, she won't have a clue how to access it, and will think it's "broken".
And even if somehow she does manage to get to the file explorer window, and open the CD to be confronted by a plethora of meaningless files and folders, she then won't have a clue which file to open on it.
Which means she'll probably randomly click on files - and probably install any virus or worm on there anyway. Computer asks "do you want to run this program?", she's gonna say yes isn't she... "Why would I have clicked on it otherwise! Stupid machine..."
For instance the only way to really have a clue about what programs start with the system is to look in the registry, and given the desire of almost every windows app to want to hang out on the bottom right of the screen with its own pointless icon, this can get out of control.
(Why is it i need an icon to tell me i have a touchpad on a laptop...)
The problem is that OS makers are trying to cater for an increasingly stupid userbase.
And so as they try to make their OS's (not just MS here) easier and easier to use, so that more thick bastards can use it securely, people who have a clue (increasingly rare it seems) get more and more frustrated when trying to use the OS (Vista UAC anyone?)
"...Microsoft could come up with a *.reg file normal users could double-click to change the registry settings?"
It would be easier still to roll out the change through auto-updates. Clearly the whole point is that Microsoft don't *want* people to disable autoplay. I can't imagine why not, since it causes nothing but grief, but that's the only rational explanation of why the feature still exists and is still enabled.
Autoplay does for memory sticks what ActiveX does for the internet. If you've enabled it, you've just let the bad guys in. If I were conducting the security audit on Se7en, I'd insist on the feature being removed, since its risks so massively outweigh the benefits. Looks like SDL has become JAA for Microsoft. (Just Another Acronym)
There is a SIMPLE way to disable Autoplay but MS don't tell you
Plug in a USB drive or put a CD / DVD in the drive and close the drawer while you hold shift down. Oh look no "what do you want to do with this USB device" and no "autorun"...
You just need to remember to hold down SHIFT, left shift is preferred as the right shift might enable "sticky keys"
As for network drives well no idea but probably shift on boot works as well although some programs that are run on start up from Start > All Programs > Startup will probably not run..
... not 2005.
Ever since Windows 95 it was a crappy idea to leave Autorun working.
Whenever my dad wanted to search for a lost CD, he would check my drive (guess, not there), and whatever CD I forgot there, be that a music CD or a game, it would kick in, nearly crashing the PC.
Remember, back in the day 16MB of memory was something extraordinary, and Win95 was not the best manager of IRQs or DMA capabilities, freezing everything until the drive had spun up and read the dreaded Autorun.
Mine is the one that won't jump at my face when opening the locker.
I am not an anti-Windows zealot. I earn my pesos from Windows and use it day to day. But things like this absolutely enrage me.
I think it's time to conclude that Microsoft is not only not interested in PC security but is actively sabotaging it. I can think of no other reason for still having problems like this regularly cropping up. When you look at PC security issues about 99% originate from Redmond's insane compulsion to script, RPC or “ActiveX” everything it touches.
It's not that these things aren't useful if used correctly. I use scripts all the time and guess how Linux does much of its hard lifting. It's just that only a stupid, f---ing, moronic idiot would default to “execution enabled” for everything from embedded emails scripts to CD setups and allow un-authenticated, alien code to run without even trying to establish some kind of minimal session level security. To then require the user to switch off this idiocy is the ultimate insult.
I think that what needs to be done is to start a huge class action suit against Microsoft for substantial multibillion dollar damages. They appear to be incapable of responding to anything else. In case anyone wonders whether there are sufficient grounds for mounting such an action just try to quantify how much time and money this single, totally foreseeable and avoidable “bug” is causing and multiply it by.... who knows what!
@fwibbler
It's not that the OS makers are trying to cater for an increasingly stupid userbase, it's that with a GUI they have been dumbing down the skills needed to use a 'puter for years.
There was a time when a sophisticated user interface was a .bat file that displayed ANSI control codes and simply executed a batch file to run your proggy. Bring back the command line interface I say (and 16 colour displays), when the only way to install a virus will be by running the command "installvirus /ROOTKIT_AS_WELL /Bugger_up_the restore_points_while_youre_at_it"
It may be social engineering that is tricking peeps into installing all sorts of crap on their computers (not a reference to windoze), but just ask yourself, who gave these hackers the tools to engage in this sort of crap. Why turn on the idiot interface by default, like autorun and "hide file extensions", and run everything as an administrator, is it because the OS developers are idiots as well?
Paris, well known for her simple to use interface
Probably affecting more home users than pro's (hopefully), therefore more likely that it will be XP Home not XP Pro. Unfortunate then that the advice given by microsoft to XP Home users involves the group policy editor....... Get a f*ing grip Redmond.
total fail.... really. Where do they hire their QA from these days ?
Look here:
http://autorun.synthasite.com/
Basically, the aforementioned registry keys and group policy settings only disable the automatic reading of a drive and either popping up the Autoplay menu or executing a program.
Even with these registry keys set, Windows still parses the autorun.inf, possibly resulting in new items added to the right-click context menu (when clicking on the drive) or hi-jacking of the default "Open" or "Explore" commands so that just double-clicking on the drive could execute a malicious payload.
Dan McCloy describes how to re-direct Windows away from Autorun.inf to a non-existent registry key. After applying the reg fix on my system, the only thing that happens when I insert either a CD or a USB thumb-drive is that Windows Explorer opens, displaying the contents of the drive. I can then click on the setup.exe IF I want to!
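An added illustration of the comment above, not part of any commenter's post: a small auditor that reads an `autorun.inf` and separates the entries that auto-execute on insert from the `shell\...\command` entries that, per the comment, are still parsed once the registry and group policy settings are in place. The sample file, its file names and the function names are constructed for this example.

```python
import re

# Constructed sample autorun.inf; file names are placeholders.
SAMPLE = r"""
; constructed sample
[autorun]
open=setup.exe
icon=setup.exe,0
shell\open\command=tool.exe
shell\scan=Scan this drive
shell\scan\command=tool.exe /scan
"""

# [autorun] keys that name a program to start when the media is inserted.
AUTO_EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command defines what a drive context-menu verb runs.
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$")


def parse_autorun(text):
    """Return {lowercased key: value} for the [autorun] section only."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def audit(text):
    """Classify every entry that can lead to code execution."""
    entries = parse_autorun(text)
    default_verb = entries.get("shell", "").lower()  # shell=<verb> sets the default
    findings = []
    for key, value in entries.items():
        if key in AUTO_EXEC_KEYS:
            findings.append(("auto-exec", key, value))
            continue
        match = SHELL_CMD_RE.match(key)
        if match:
            verb = match.group(1)
            if verb in ("open", "explore") or verb == default_verb:
                kind = "default-action-hijack"   # double-click / Open / Explore
            else:
                kind = "context-menu"            # extra right-click item
            findings.append((kind, key, value))
    return findings


def remaining_when_autorun_disabled(text):
    """Entries the comment says still take effect with auto-exec suppressed."""
    return [f for f in audit(text) if f[0] != "auto-exec"]


if __name__ == "__main__":
    for kind, key, value in audit(SAMPLE):
        print(f"{kind:22} {key} -> {value}")
```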
...you are aware that, if there's a CDFS partition on the drive, autorun.inf will be executed *regardless* of whether you configure the registry/press Shift/whatever?
Nice security hole you got there...
*Disclaimer: the above is hearsay from Slashdot - anybody with a Windoze PC and a partition editor care to confirm this?
It's not that they want to fuck up the security it's that they want to make it easier for anyone (including virus writers, because virus writers are people too, you know) to use their OS, so that they get 85% of the market using them.
Security is not on their radar. And if it DOES pop up, unless they can exploit it for their market retention (cf Palladium) it will get shot down PDQ.
I've got /etc/conf.d/ntp-client then we get into the subtly varying formats of each file.
Besides, reg keys are normally more like:-
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Microsoft Outlook
Yeah, you get cryptic ones, but that's down to the app author, same as /etc/
I'm no windophile, but there's not much between them, it wouldn't surprise me to find that the registry was designed with /etc/ in mind.
"I've got /etc/conf.d/ntp-client then we get into the subtly varying formats of each file."
Which is documented in the file.
Where's the documentation for iDepthPerceptionGamma element in your registry (note: in case you go looking for it, that one is made up)? The registry is not documented. And the reason for the hex keylabel is to DELIBERATELY stop you working out what the feck is going on in the registry.
And, because everything is in the one registry, if it borks, the lot borks.
If /etc/ntp-client.conf (and what you think that is for..?) goes titsup, this doesn't nuke your DHCP configuration.
/etc isn't great, but it's a cosmic shitload better than the windows registry (which you seem to think is OK given you haven't complained about it).
And with RedHat, there's a GUI for fucking about with your ntp configuration anyway, so why the FUCK do you care what it's called?
<snip>And with RedHat, there's a GUI for fucking about with your ntp configuration anyway, so why the FUCK do you care what it's called?
</snip>
For when the GUI gets broken.... Mind you, at least if it does in a unix/unix like system the chances are you can still get at it and take remedial action. If the registry in windows goes breasts uppermost ......? Better make sure you know where the install media and license is. You did back everything up didn't you ? Then again that's why I've preferred Linux and Unix for years.
KDE detects things like disk insertions and offers you the option to browse the files in Konqueror, burn a CD/DVD in K3B (if it detects a writable CD), automatically download photos or do nothing. It *doesn't* run random executables without your say-so.
Microsoft have gone out of their way to make everything easy for ordinary users, but in doing so they have also made it easy for those with less than honourable intentions.
It's just a shame that DOS never used an attribute bit to differentiate between executable and non-executable files, the way Unix always has. That alone would have saved much grief. The need to right-click on a freshly-downloaded file and enable it to be executed might just have saved a few computers.
>Which is documented in the file.
Oh come on, ntp is relatively good but there's much worse, and the formats vary even when you know what you want to put in them.
In /etc/X11/xorg.conf I have understandably:-
Option "XkbLayout" "gb"
There seems to be precious little documentation there explaining how I might have known that I want gb over uk or GB or en or en/gb etc.
I also have:-
Option "AllowEmptyInput" "false" in xorg.conf
DEFAULT_COLORS:true in my /etc/lynx.cfg
Quite a variation don't you think?
>And, because everything is in the one registry, if it borks, the lot borks.
The equivalent is /etc/ not the one file. You lose /etc/ then you know about it as well.
The registry also merges per user configurations better than /etc/ where we get alternate configuration in the users dot files.
>And with RedHat, there's a GUI for fucking about with your ntp configuration
>anyway, so why the FUCK do you care what it's called?
Well,
- I might not have X installed.
- I might not have the GUI installed.
- I'm on Gentoo.
- The GUI might be expecting one file name where I have another.
- There's a GUI for manipulating most registry entries in windows apps as well. You very rarely have to resort to the reg editor.
I generally dislike putting config in databases (which the registry is) it prevents versioning and, as you say, annotation suffers.
>the reason for the hex keylabel is to DELIBERATELY stop you working out what the feck is going on
That's just ludicrously paranoid, many programmers use hex for bit fields etc.
Colours are in hex even in the weenie world of html.
Well, what about if the mysterious GUI JonB says exists for editing the registry is broken?
So ***at best*** a score draw.
But if you figure in the frigging name is pretty damn obvious, you can just do an "ls" and get the bloody thing. vi and the format is explained to you inline.
One point AT LEAST to /etc.
If you don't have the GUI installed, you already know what you're doing (or you don't care, so why should I?)
Gentoo has its own GUI for stuff.
Ubuntu too.
And look at "man ntpdate" to find out in the "Also see" section what the name of the config file is. Or "man ntp-client.config" will do too.
Please tell me where one lives. One that turns the hash key (which makes searching for an application easier: hash the name of the app and then look for the hash entry, but is a royal PITA for humans who can't run an MD5Sum in their head) into a name. THAT is why it's a frigging hex number, not your raving stupid reason ("they use bit fields in colours for X", WTF???). And why would it be bitfields used in the translation of the freaking name of the application anyway??? Man, you're well clueless and adamant that you're not. Delusional.
The registry was done that way. Did I say it was for a nefarious reason? No. YOU are paranoid. One reason: if you don't know where the app is configured, you can't go in and shag it up.
But it makes a huge cockup. Installing software? Well, only one place for the configuration. You need admin rights for it.
UNIX? /etc/XXX.conf for the system wide. ~/.XXX.conf for personalised.
Isn't that a shitload easier? And when you back up your home, your configurations for applications personalised to your taste is saved with it.
Isn't that better?
You still haven't said which one is easier either. All you've done is slag off /etc. That doesn't say the registry is better, just that you don't like /etc. Why is completely beyond anyone's guess. Probably even your own. Except "I hear other people say it, so it must be true, cos that makes Linux bad.".
Erm, maybe you should RTFM? Pretty much everything in my /etc/ is quite self explanatory _and_ heavily commented*. The most convoluted/complicated files in there even have their own man/info page in case you want to really fiddle with the most obscure aspects. I don't remember seeing anything even remotely approaching that for the windoze registry. "annotation suffers", if by that you mean "annotation is impossible by design" (which is not due to the database approach, as you seem to believe, but to the _dumb_ approach. Adding a comment field would not be rocket science, would it? The lack of it is further proof it's been designed to be obfuscated.)
We could go on and on with the flaws in the registry... but the fact is, autorun, hiding the extensions and all that useless dangerous crap is why botnet herders and VXers will never get out of business while there are MS products allowed to see the 'net.
* I'm sure it's the same in yours
Unfortunately, in a stroke of the kind of pure evil genius only Micro$oft could come up with, holding down the shift key in Windows Vista *invokes* Autorun. Given that Micro$oft were so keen to burden Fister with as many DRM gotchas as they could find, and the previous Sony rootkit fiasco, one wonders why...
JonB's idiocy got me in a state of defiance. I'm sure there's some sort of disorder going on there, the silly twat can't EVER be wrong, it seems he's afraid his masculinity will wither and die if someone finds out he was wrong about something. Shit, Feynman was wrong about lots of things. Einstein. Plato. Hell, Brahms probably wrote some really crap stuff.
IT'S ALRIGHT TO BE WRONG.
>If you don't have the GUI installed, you already know what you're doing (or you don't care, so why should I?)
Or the GUI has died on you because the config is wrong...
Besides merely not wanting the GUI to run, it doesn't follow that you know the ins and outs of every conf file in /etc/ (and those that are outside it, lots of my kde conf has wound up in /usr/share/).
You might be trying to cut a system back as a lightweight web server for instance.
Knowing what you want to do doesn't mean you know everything there is to know.
I see what you mean about the hex, I thought you meant the hex in field values, the hash keys is stupid. I still think it's paranoia that the hashed values are deliberate obfuscation, although I can't think of any other reason.
>But it makes a huge cockup. Installing software? Well, only one place for the configuration.
Some would say one place is a good thing.
>You need admin rights for it.
Not sure which system you mean here, both allow users to install software.
Both can restrict system wide installations.
>You still haven't said which one is easier either. All you've done is slag off /etc.
That's not true, I've mentioned the downsides of both and "I generally dislike putting config in databases (which the registry is) it prevents versioning and, as you say, annotation suffers." which should have been read as an agreement that /etc/ is in the end preferable but not without its flaws.
If you hadn't been so focused on defending unix systems you'd have seen that I've not been putting across the black and white etc:bad registry:good thing at all.
Earlier for instance - "I'm no windophile, but there's not much between them, it wouldn't surprise me to find that the registry was designed with /etc/ in mind." - is about as equivocal as it gets.
Perhaps you should see that it's not quite so black and white, etc isn't perfect and the registry isn't either but they both do the job.
>IT'S ALRIGHT TO BE WRONG.
I'm often wrong, I have posted on here several times accepting that I'm wrong about various things, indeed even in this post I've said I misunderstood you on hex values.
Finally, I don't see why you have to hurl insults like some child in a tantrum, I've been consistently polite and attempted to be clear and direct, the same courtesy could be returned.
You must be a nightmare to work with, any discussion just descends into abuse.
@Pierre
>Erm, maybe you should RTFM? Pretty much everything in my /etc/ is quite self
>explanatory _and_ heavily commented*.
Back to my "gb" keyboard config, it's not in the file and it's not in the manual. Yes, it could be in info pages, but then it's about documentation not the merits of the config systems. On docs unix systems obviously come with lots more.
It was in response to the "Which is documented in the file." comment where he's picked a well documented file, we all know there are undocumented and badly documented ones.
>if by that you mean "annotation is impossible by design"
I suppose I do. You can annotate outside the registry itself, but that's like saying you can look at the docs.
@Pad
I did since I haven't had to call him a silly twat for arguing his point. ;)
As others have commented above, the MUCH better solution is the one from Nick Brown that zaps the registry to disable all autorun.inf files. This is better than the solutions offered by Microsoft. The MS KB article that is linked to in this article does not even have any solution for Windows XP Home Edition users. I wrote a lot about this on my blog at Computerworld. See
http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives