Microsoft Patches Virus AutoRun Exploit

Dennis Faas's picture

Microsoft has finally put the brakes on a feature in Windows XP and Vista designed to automatically run applications (and virus infections) on a USB drive.

The feature had been open to abuse by virus creators and was blamed for helping the wide spread of the Conficker virus, which wreaked havoc PCs back in January of 2009. Back then, it was estimated 9 million PCs were infected with Conficker, which was first discovered only 3 months prior.

Automated Virus Infection as Easy as 1-2-3

The exploit involves two separate technologies: Windows AutoRun, which automatically runs a setup program as soon as media is inserted into a PC. For example, AutoRun is most commonly used by hardware vendors to aid in the installation of software drivers. An AutoRun CD would automatically launch the driver installation as soon as the CD was inserted into the drive.

The second technology exploited was Windows AutoPlay, which offers the user a list of suggested programs to run when inserting a disk or USB drive, such as playing music files in a media player.

AutoRun, AutoPlay Manipulated by Hackers

Many users soon learned to disable AutoRun as it was so easily abused. However, virus creators discovered they could still trick users as the AutoPlay menu also listed any AutoRun options on the disc. Not only did the AutoRun options appear first in the list, but it was possible to re-title the options to any name of the creator's choice.

This led virus creators to try listing an AutoRun option (which actually installed a virus) to say "Open folder to view files", which is also a genuine AutoPlay option. That text thus appeared twice on the menu, with its first appearance being bogus. The resulting confusion was thought by 2009 to be responsible for around one in six cases of a virus spreading to a new machine.

Windows 7 Tweaks Help

In April that year, Microsoft announced it would heavily limit the AutoRun feature in Windows 7 so that it only appeared for CDs and DVDs instead of USB drives.

At the time, Microsoft said it would monitor Windows 7 to decide when to make similar changes to XP and Vista. Four months later, Microsoft offered the option of making the change in the older editions, but only to users that manually visited the Microsoft site and intentionally downloaded an update.

Windows XP Ten Times More Likely to be Infected

It appears the Windows 7 changes have made a difference.

Microsoft now estimates machines running XP are almost ten times as likely as Windows 7 computers to be infected via AutoRun. As a result, the company has decided now is the time to make a stronger push for getting XP and Vista users to install the update. It says the lengthy delay in doing so was designed to give legitimate software developers time to phase out applications that relied on AutoRun for installation. (Source:

The fix, KB971029, is part of the scheduled monthly update that was downloaded to computers this week, but must be manually selected before it takes effect. In XP, that's done in the "Software, Option" section of Windows Update. In Vista, it's in the "Important" section of the Windows Update panel. (Source:

Rate this article: 
No votes yet