Hi! I'm Adam Shostack, a program manager working in TWC Security, and I'd like to talk a bit about today's AutoRun update. Normally, I post over on the SDL blog, but of late I've been doing a lot of work in classifying and quantifying how Windows computers get compromised. One thing that popped from that analysis was the proportion of infected machines with malware that uses Autorun to propagate.
You might note that that's a convoluted sentence, and I apologize. Why can't I just say "infected because of AutoRun?" Well, because we don't actually know that. Due to the nature of the problem, it's probably not possible to acquire great data on the number of attacks that succeed by misusing Autorun. What we know, and talked about in volume 9 of our Security Intelligence Report
last fall, is that a lot of malware uses Autorun as one of several propagation mechanisms. Because of the very real positive uses of Autorun, we didn't want to simply shut it off without a conversation. On the other hand, we believed action should be taken to shut down the misuse.
In April 2009 we delivered a very public message to the Windows ecosystem that we were changing the behavior of Autorun in ways that improved security. We blogged on the progress of that transition, posting "AutoRun changes in Windows 7
" in April 2009. In November 2009, we posted "AutoPlay Windows 7 behavior backported
" and we put out an update to do the same for older operating systems. We made that update available from the Download Center. That allowed anyone who wanted the update to seek it out and download it for themselves. Our partners expressed their concerns about that change, but by and large understood the reasons for it. Over the last few years, companies that needed the functionality incorporated U3 functionality into their devices. Others documented the change. Overall, the transition hasn't been simple, but it has worked.