John T. Haller, May 4, 2009
Microsoft recently announced changes to AutoPlay in Windows 7 that removes the ability for normal removable drives (USB flash drives, portable hard drives, etc) to be able to present users an option to autorun. This is mainly due to the Conficker malware which spreads by tricking users into thinking they are opening the drive to explore folders. Unfortunately, this makes it more difficult for users to use portable environments like the PortableApps.com Platform and other portable software and doesn't address malicious software on other media. There is a better solution involving signed files which will make software distributed on CDs more secure as well.
Background - Conficker
Conficker and other malware is spread by 'infecting' a removable drive's autorun file. It's designed to trick users into thinking they are opening the drive as usual by using an icon for a windows folder and setting the open text to "Open folder to view files" just as Windows presents it. Users mistakenly select it and the malware installs itself on the local PC.
Windows 7 RC1 Approach: Disable It For USB/Hard Drives Only
Microsoft's solution is to remove autoplay's ability to use an autorun.inf entirely for removable rewriteable drives. Users are given no indication that runnable content is on the drive. CDs and DVDs would still be able to present users with the option to run content to end users.
Windows 7 Approach Shortcomings
While it does address the Conficker problem, Microsoft's solution has several shortcomings. First, it makes it much more difficult for end users to be able to access software that they themselves have installed to their portable device like the PortableApps.com Platform. Other portable solutions would be similarly affected as would promotional drives distributed as 'give-aways' by vendors and businesses which include marketing and promotional content.
Second, this solution doesn't address the issue of malware distributed on CD and DVD. As Sony's malicious software fiasco showed us, malware can be distributed on innocent-looking audio CDs as well as on normal data CDs and DVDs. It could even be designed to look like the Windows autoplay prompt to play the audio CD and then install malware on a computer before doing so leaving the user in the dark.
A Better Solution - Signed Code
A far better solution would be to disallow autoplay for unsigned code and make the autoplay selection box clearer about what is going to happen to the end user. This has a number of benefits that the existing configuration as well as Microsoft's current solution to Windows 7 lacks including:
- Continued Functioning of Software - Users would be able to continue easily use their portable software and other legitimate software from their removable devices easily. All PortableApps.com software is digitally signed to ensure integrity and so users always know they have the real thing.
- Disabling Conficker - Since Conficker and similar malware won't be digitally signed, it won't autorun.
- Disabling Malware from CD/DVD - Any malware on CD/DVD that isn't digitally signed also wouldn't autorun.
- Remote Disabling of Malware - As the Sony malicious software fiasco demonstrated, bad software can come from a number of sources. Even if it were digitally signed, the digital signature could be remotely revoked as it is in the case of malicious drivers and other signed software. This infrastructure is already in place and has been used by Microsoft in the past. So, if Conficker was digitally signed (as it would have to be under this proposed solution), the signature could be remotely revoked, which would instantly cut off Conficker's means of spreading.
Under this proposed solution, signed apps would present themselves similarly to this:
We could even make it more clear by not allowing autorun.inf to set the text directly and instead displaying the EXE name to be run, similar to this:
Unsigned software would present a standard Windows Autoplay dialog with no option to directly run.
If Microsoft wished to preserve compatibility with older software on CD or DVD that had no signature, it could be displayed like this:
Microsoft's existing solution for autorun malware in Windows 7 is incomplete and continues to leave users exposed to certain types of malware via autorun while disabling useful functionality that millions of users use in connection with PortableApps.com and other portable software. The solution proposed above represents a much more complete solution which addresses past, present and future autorun malware while continuing to preserve useful functionality.