Microsoft cripples USB drive worms with new XP, Vista update

Adds optional download to Windows Update to disable AutoRun, feature abused by Conficker and Stuxnet to infect PCs

Microsoft yesterday started offering Windows XP and Vista users an optional update that disables AutoRun, a feature of the operating system that the notorious Conficker and Stuxnet worms used to infect millions of PCs.

The move, said Microsoft, was a response to malware's continued reliance on infection tactics that abuse AutoRun and AutoPlay, a pair of technologies that automatically launch executable files on removable media, especially USB flash drives.

Both Conficker , a worm that spread widely in early 2009, and Stuxnet , the worm that analysts suspect was developed to sabotage Iran's nuclear programs, used AutoRun and flash drives to infect Windows PCs.

Researchers believe that Stuxnet first infiltrated Iran's nuclear program through infected USB drives, then used that foothold to spread through networks to reach the machines that controlled uranium enrichment centrifuges.

In-the-wild malware continues to abuse AutoRun to compromise PCs, Microsoft said. Four of the top 10 malware families in the last quarter of 2010 use AutoRun, among other techniques, to spread. Those four families accounted for 41% of all successful infections in the last three months of 2010.

Others see AutoRun as a major threat, too. Last August, Panda Software said that 25% of all worms were designed to propagate through the handy drives.

Microsoft changed AutoRun's behavior in Windows 7 to block automatic execution of files on a USB drive, and backported that functionality to Windows XP and Vista with an update in August 2009. Users of XP and Vista, however, had to seek out and manually download that update from Microsoft's site.

With that change in place, flash drives inserted into a PC running XP or Vista users no longer offered the option to run programs; the AutoRun extinction did not affect CDs or DVDs -- what Microsoft calls "shiny media."

Yesterday's move makes it easier for XP and Vista users to retrieve and install the AutoRun deactivation update, since it now appears as an optional download in Windows Update and Windows Server Update Services (WSUS), the consumer and business update mechanisms, respectively.

Microsoft security spokesman Jerry Bryant said Tuesday that the more than year-and-a-half delay in pushing the AutoRun update to Windows Update was designed to give legitimate software vendors that used the feature time to recraft their programs.

Most have turned to the U3 specification -- a standard backed by SanDisk, a major maker of flash drives -- to automatically run their software from removable media.

Microsoft hopes that the update will better protect Windows machines, particularly those running XP, which have been harder hit by malware that uses AutoRun as one of several spreading strategies.

According to data gleaned from Microsoft's antivirus software, XP systems are more than 10 times more likely to become infected by malware that uses AutoRun than PCs running Windows 7.

"Although causative proof is difficult to quantify, it is quite possible that these figures reflect, at least in part, the improvements made to the security of AutoRun in Windows 7," said Holly Stewart, a senior program manager at the Microsoft Malware Protection Center (MMPC), in a post to the team's blog Tuesday.

The AutoRun change can be installed by selecting the "KB971029" update from the "Software, Optional" section of Windows Update in XP. The same update is listed in Vista's Windows Update panel under "Important" -- the same section devoted to Tuesday's patches -- but the KB971029 entry's box must be checked to add it to the download and install list.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer , or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .

Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityMicrosoftMalware and Vulnerabilities

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?