09 Feb 2011
Microsoft has disabled the Autorun feature, which is so often thought to be at the heart of computer security infections.
In an update that applies to all Windows releases with the exception of Windows 7 and Windows Server 2008 R2, the firm has limited how Autorun behaves after realising how often it was used to propagate malware.
Adam Shostack, a programme manager working in security at Microsoft, said that he had done a lot of work in classifying and quantifying how Windows computers get compromised.
"One thing that popped up from that analysis was the proportion of infected machines with malware that uses Autorun to propagate," he said in a blog post.
Shostack added that, although Microsoft is reluctant to place all of the blame on Autorun, it is playing a role in infection, and could have made it easier for worms like Conficker to spread.
"Due to the nature of the problem, it's probably not possible to acquire great data on the number of attacks that succeed by misusing Autorun. What we know is that a lot of malware uses Autorun as one of several propagation mechanisms," he said.
"Because of the very real positive uses of Autorun, we didn't want to simply shut it off without a conversation. On the other hand, we believed action should be taken to shut down the misuse."
Microsoft has been trying to wean people away from Autorun, and announced in 2009 that it was changed for Windows 7. Now it is seeking to make this change common and consistent across its users, meaning that standard USB sticks, for example, will no longer play or launch automatically on insertion.
The feature can be turned back on with a fix from Microsoft, and the change does not apply to USB sticks that are used for security purposes or have high levels of encryption. CDs and DVDs will remain unaffected.
Microsoft called this an important non-security update, but is delivering it alongside its usual Patch Tuesday updates.
"It would be odd to refer to Autorun as a vulnerability. That term is generally used, and we use it, to mean accidental functionality that allows someone to violate the security of the system. But Autorun isn't an accident. It's by design," said Shostack.
"Updates to protect against vulnerabilities are an important part of keeping a system secure. We had to be very confident that this change was the right balance for most people."