By Harry McCracken | Tuesday, April 28, 2009 at 2:47 pm
It seems unlikely that Microsoft has any major news involving Windows 7 features up its sleeve, but interesting tidbits are still coming out. The latest is today’s news that it’s eliminating the venerable AutoRun feature for USB drives. A blog post at the company’s Engineering Windows 7 blog explains that the Conficker worm used AutoRun (which identifies programs on a removable device and lets users choose to have them run automatically) and AutoPlay (which notices that you’ve inserted a removable storage device and provides a menu of tasks to choose from) to provide an AutoPlay item that looks like it’ll open up a folder but which actually launches Conficker. Windows 7 won’t display AutoRun items in this menu, and Microsoft says it’ll update Windows Vista and Windows XP to behave the same way. Conficker may be devious, but the security hole was pretty gaping all along; it’s surprising that it took this long for it to be publicized and for Microsoft to seal it up.
AutoPlay will still display AutoRun items on CDs and DVDs–which are presumably far less likely to carry worms than USB drives–but Microsoft is tweaking the message you get to make it clearer that launching an AutoRun item involves running a program from an external device.
Side note: Microsoft’s Security Research and Defense Blog also has an item on the change, in which it says that “AutoPlay will no longer support the AutoRun functionality for non removable optical media.” This momentarily confused me–it brought to mind visions of a DVD drive with a single disc sealed up inside the computer–but I’m reasonably sure that it’s a typo and that the poster meant to say “non-optical removable media.”