Deeper insight into the Security Advisory 967940 update


Extraordinary Robot
News Feed
Hi! I'm Adam Shostack,a program manager working in TWC Security, and I'd like to talk a bit abouttoday's AutoRun update. Normally, I post over on the SDL blog, but oflate I've been doing a lot of work in classifying and quantifying how Windowscomputers get compromised. One thingthat popped from that analysis was the proportion of infected machines withmalware that uses Autorun to propagate.

You might note that that's a convoluted sentence, and Iapologize. Why can't I just say"infected because of AutoRun?" Well, becausewe don't actually know that. Due to thenature of the problem, it's probably not possible to acquire great data on thenumber of attacks that succeed by misusing Autorun. What we know, and talked about in volume 9of our SecurityIntelligence Report last fall, is that a lot of malware uses Autorun as oneof several propagation mechanisms. Because of the very real positive uses of Autorun, we didn't want tosimply shut it off without a conversation. On the other hand, we believedaction should be taken to shut down the misuse.

In April 2009 we delivered a very public message to theWindows ecosystem that we were changing the behavior of Autorun in ways thatimproved security. We blogged on theprogress of that transition, posting "AutoRunchanges in Windows 7" in April 2009. In November 2009, we posted "AutoPlay Windows 7 behavior backported" and we put out an update to do thesame for older operating systems. We made that update available from theDownload Center. That allowed anyone who wanted the update to seek it out and downloadit for themselves. Our partners expressed their concerns about that change, butby and large understood the reasons for it. Over the last few years, companies that needed the functionalityincorporated U3 functionality into their devices. Others documented the change. Overall, the transition hasn't been simple,but it has worked.

Today we are taking another important step to protect ourcustomers. We're putting the existing update into the Windows Update channel. This change has three important effects:

  • We deliver the existing update to many more machines;
  • We make it easier to deploy via WSUS;
  • We help those organizations that, as a matter oftheir policy, only widely deploy updates that are in WU.
We're marking this as an "Important, non-securityupdate." It may seem a little odd tocall this a "non-security update," especially since we're delivering italongside our February bulletins. But atMicrosoft we reserve the term "Security Update" to mean "a broadly released fixfor a product-specific security-related vulnerability." And it would be odd to refer to Autorun as a vulnerability. That term is generally used, and we use it,to mean accidental functionality that allows someone to violate the security ofthe system. But Autorun isn't an accident-- it's by design, and as I mentioned we care about the very real positive usesof the feature. In other words, in a very real sense, it's not a bug, it's afeature, and we documented it as such.

It's also not a security update because security updates areintended to fix a problem and all known variants. That'smore problematic when the "problem" is a feature that's being used as intended,and so this update does not turn off the feature entirely. For example, it does not impact "shiny media"such as CDs or DVDs that contain Autorun files. We are aware that someone couldwrite malware to take advantage of that, but we haven't seen it in the wild.(We also think malware on shiny media would be less likely to have widespreadimpact, because people burn CDs less often than they insert USB drives.)

Based on what we've learned over the last 22 months andshared in the SIR, now is the right time to bring this update to a wideaudience. (The MMPC blog today has further insight into that aspect of this update.) At the same time, we're aware that somecustomers prefer the existing Autorun functionality and will want to reversethe effects. So we have a Fix Itavailable that accomplishesthat.

Changing behavior for a running system is never a trivial thing,and we take it incredibly seriously. Itwould be a bad outcome for people to think they have to make a tradeoff betweensecurity and anything else. Updates toprotect against vulnerabilities are an important part of keeping a systemsecure. We had to be very confident thatthis change was the right balance for most people.



This website is not affiliated, owned, or endorsed by Microsoft Corporation. It is a member of the Microsoft Partner Program.