Autorun and Windows 7.
Longtime readers know that I think autorun was Microsoft’s longest unpatched vulnerability. For Windows 7 Microsoft has made some serious improvements, but for older versions of Windows Microsoft has ignored the obvious vulnerability and only offered the patch as an optional download instead of making it a critical update, as every security expert in the world knows it is. I provided download links for other versions of Windows in the post here.
Technically, the patch doesn’t fix autorun; it changes the behavior to make it far less dangerous. In this other post I provide information about actually disabling autorun in some older versions of Windows.
Recently I have received some requests about how to eliminate autorun in Windows 7. Windows 7 actually calls it AutoPlay, and the controls for it are in the Control Panel under Hardware and Sound. You’ll find AutoPlay there.
Below is a picture of the controls:
The most important entry is for “Software and Programs” which is the stuff that uses the traditional autorun functionality. As you can see, you can control how autoplay responds to a variety of devices, but the safest option is “take no action” for everything. Yes, this means that when you put an audio CD in your computer you will have to learn how to start the music. When you put a DVD in, you have to learn how to play a movie. Learning is not such a bad thing.
Do I think it is really dangerous to let an audio CD play music automatically? No, it is a relatively safe thing to allow, but it is not completely without risk. The same goes for movies, pictures, audio, and video files.
Rather than selecting “take no action”, “Ask me every time” can be a reasonable approach, as long as you DO NOT automatically choose “Run” or “Play” without thinking about what prompted it.
For Software and Games, and Mixed Content, I highly recommend the “take no action” setting.
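To confirm the result without opening the Control Panel on each machine, the PowerShell check below reads the registry values behind the AutoPlay policy and the per-user AutoPlay switch. It is an added example, not part of the original post: the registry locations are not given in the post and are assumed to be the standard Windows ones, and the helper names and sample mask are constructed for illustration.

```powershell
# Added example. Assumed (not from the post): the registry paths below,
# the helper names, and the constructed sample mask.

# Bits of the NoDriveTypeAutoRun policy value. A SET bit disables autorun
# for that drive type, so any CLEAR bit is remaining exposure.
$DriveTypeBits = @{
    'Unknown' = 0x01; 'NoRootDir' = 0x02; 'Removable' = 0x04; 'Fixed' = 0x08
    'Network' = 0x10; 'CDROM'     = 0x20; 'RAMDisk'   = 0x40; 'Unknown (reserved)' = 0x80
}

function Get-AutoRunExposure {
    param([int]$Mask)
    # Return the drive types on which autorun can still fire.
    $DriveTypeBits.GetEnumerator() | Sort-Object Value |
        Where-Object { ($Mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# Constructed sample so the decoder can be tried on any machine.
"Sample mask 0x91 leaves autorun enabled for: " + ((Get-AutoRunExposure 0x91) -join ', ')

$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $mask = Get-RegValue "$hive\$policyKey" 'NoDriveTypeAutoRun'
    # Some systems store the value as 4-byte REG_BINARY instead of a DWORD.
    if ($mask -is [byte[]]) { $mask = [BitConverter]::ToInt32($mask, 0) }
    if ($null -eq $mask) {
        "$hive NoDriveTypeAutoRun is not set (OS default applies)"
    } else {
        $open = @(Get-AutoRunExposure $mask)
        $list = if ($open.Count) { $open -join ', ' } else { 'none' }
        "{0} NoDriveTypeAutoRun = 0x{1:X2}; autorun still enabled for: {2}" -f $hive, $mask, $list
    }
}

# Per-user master switch: 1 means AutoPlay is turned off for this user.
$apKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
$off = Get-RegValue $apKey 'DisableAutoplay'
"AutoPlay for the current user: " + $(if ($off -eq 1) { 'off' } else { 'on' })
```

A mask of 0xFF reports “none”, meaning autorun is disabled for every drive type.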
Director of Technical Education
Author ESET Research, ESET