AutoRun is a feature Microsoft includes in Windows as an enhancement to the user experience, but it is hardly perfect. Parties both shady and outright malicious have subverted AutoRun to execute code without input from the user. To make matters worse, US-CERT recently found that the instructions Microsoft had published for disabling AutoRun were ineffective.


I’ve written about the Windows AutoRun feature before and also about the U3-enabled flash drive, a product that takes advantage of AutoRun. Microsoft includes AutoRun to make life easier for users. People appreciate that their computer will open volumes and play CDs automatically when they are inserted. Unfortunately, since AutoRun can be directed to execute any code included on a disk, it has developed into a significant security risk as well.

Microsoft eventually published instructions for disabling AutoRun on its Windows TechNet support site. It was the only responsible thing to do after malicious code that exploited the feature started to appear. Unfortunately, as US-CERT announced on Tuesday, Microsoft’s instructions were wrong.

I’ve mentioned US-CERT before as well. The Department of Homeland Security’s cyber watchdog unit found that the registry changes that Microsoft recommended (and that I reprinted in my post) didn’t work as advertised. Our friends in Redmond have responded to US-CERT’s findings and released new instructions for anyone who wants to make sure AutoRun is disabled. You can choose to follow Microsoft’s fix or use CERT’s homegrown registry edit to solve the problem. Be aware, though, that while Vista and Server 2008 users will have Microsoft’s patch applied as part of their regular security updates, users of Windows 2000, XP, and Server 2003 will have to apply the fix manually.
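As an added check, not part of the original post, the following PowerShell script audits a machine for either fix and reports whether AutoRun is effectively off. The registry key and value names are assumed from Microsoft's KB967715 and US-CERT's TA09-020A guidance, which this post does not quote.

```powershell
# Added example, not code from the original post or from Microsoft/US-CERT.
# Reads the registry values the two fixes rely on and reports whether AutoRun is
# effectively off. Key and value names are taken from Microsoft KB967715 and US-CERT
# TA09-020A; run from an elevated PowerShell prompt on the machine being checked.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$iniMappingPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Microsoft's approach: NoDriveTypeAutoRun is a bitmask of drive types to exclude;
# 0xFF covers every type. The post-US-CERT update also writes HonorAutorunSetting = 1
# to record that Explorer now actually respects the bitmask.
$maskDisablesAll = $false
foreach ($path in $policyPaths) {
    $mask = Get-RegValue $path 'NoDriveTypeAutoRun'
    if ($null -ne $mask) {
        Write-Output ('{0}\NoDriveTypeAutoRun = 0x{1:X2}' -f $path, $mask)
        if (($mask -band 0xFF) -eq 0xFF) { $maskDisablesAll = $true }
    }
}
$honor = Get-RegValue $policyPaths[0] 'HonorAutorunSetting'
Write-Output ('HonorAutorunSetting = {0}' -f $(if ($null -ne $honor) { $honor } else { '<absent>' }))

# US-CERT's workaround: redirect Autorun.inf lookups to a nonexistent INI mapping so the
# file is never parsed, regardless of drive type or patch level.
$mapping = Get-RegValue $iniMappingPath '(default)'
Write-Output ('IniFileMapping\Autorun.inf = {0}' -f $(if ($null -ne $mapping) { $mapping } else { '<absent>' }))
$certWorkaround = ($mapping -eq '@SYS:DoesNotExist')

if ($certWorkaround -or ($maskDisablesAll -and $honor -eq 1)) {
    Write-Output 'RESULT: AutoRun is disabled.'
} elseif ($maskDisablesAll) {
    Write-Output 'RESULT: NoDriveTypeAutoRun is set, but without the update it is not honored; apply the fix or the US-CERT mapping.'
} else {
    Write-Output 'RESULT: AutoRun is NOT disabled.'
}
```

On Windows 2000 systems without PowerShell, the same three values can be read with `reg query` from a command prompt.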

I feel like the issues around AutoRun sum up the trade-offs that support pros have to make every day. As the “face” of the IT department, we’re caught between facilitating the user experience and implementing the business’s need for security and stability. If AutoRun is a liability on your network, at least now you can be sure it is finally disabled.