Hello! I am Adam Shostack, a program manager working in TWC Security, and I would like to talk a little about today's AutoRun update. Normally I post on the SDL blog, but of late I have done a lot of work on classifying and quantifying how Windows computers get compromised. One thing that came out of that analysis was the percentage of infected machines carrying malware that uses AutoRun to propagate.
You may notice that this is a convoluted sentence, and I apologize. Why can't I just say "infected because of AutoRun"? Because we do not actually know that. Given the nature of the problem, it is probably not possible to gather good data on the number of attacks that succeed by abusing AutoRun. What we do know, and discussed in volume 9 of our Security Intelligence Report last fall, is that a lot of malware uses AutoRun as one of several propagation mechanisms. Because AutoRun has very real legitimate uses, we did not want to simply turn it off without a conversation. On the other hand, we believed steps had to be taken to shut down the abuse.
In April 2009 we sent a very public message to the Windows ecosystem that we would be changing AutoRun behavior in ways that improve security. We blogged about the progress of this transition, posting "AutoRun changes in Windows 7" in April 2009. In November 2009 we posted "AutoPlay Windows 7 behavior backported" and released an update that brought the same behavior to older operating systems. We made that update available from the Download Center, so anyone who wanted it could find it and download it themselves. Our partners expressed concern about the change, but understood the main reasons for it. Over the last few years, companies have built the functionality needed for U3 devices into their products. Others documented the change. Overall, the transition was not simple, but it has worked.
Today we take another important step to protect our customers: we are putting the existing update into the Windows Update channel. This change has three important consequences:
We deliver the existing update to many more machines.
We make it easier to deploy via WSUS.
We help organizations whose policy is to broadly deploy only those updates that arrive through WU.
We are marking this as an "Important, non-security update". It may seem a little strange to call this a "non-security update", especially as we are delivering it alongside our February bulletins. But at Microsoft we reserve the term "security update", which we define as "a broadly released fix for a product-specific security vulnerability." And it would be odd to refer to AutoRun as a vulnerability. The term, as it is generally used and as we use it, means unintended functionality that allows a person to violate the security of the system. But AutoRun is not an accident; it is by design, and as mentioned we care about the very real positive uses of the feature. In other words, in a very real sense, it is not a bug, it is a feature, and we documented it as such.
Nor is it a security update because security updates are designed to fix a problem and all of its known variants. That is harder when the "problem" is a feature being used as intended, and so this update does not switch the feature off entirely. It does not affect, for example, "shiny media" such as CDs or DVDs that contain AutoRun files. We are aware that someone could write malware to take advantage of that, but we have not seen it in the wild. (We also believe malware on shiny media would be less likely to have widespread impact, because people burn CDs far less often than they insert USB drives.)
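The post draws a line between removable drives, which the update covers, and optical "shiny media", which it leaves alone. An administrator who wants to know exactly which drive types a given machine still honors AutoRun for can read the NoDriveTypeAutoRun policy bitmask. The script below is an added example, not code from the post or from Microsoft; the registry location and bit layout come from Microsoft's public documentation of that policy (KB 967715) rather than from this page, and the fallback value of 0x91 is an assumed OS default used only when no policy is set.

```powershell
# Added example (not from the original post): audit the AutoRun policy on a Windows
# machine by decoding the NoDriveTypeAutoRun bitmask. Registry path and bit layout are
# taken from Microsoft's documentation of the policy (KB 967715), not from this page.
# Bit n of the mask disables AutoRun for drive type n as reported by GetDriveType().
$driveTypes = @{
    0x01 = 'Unknown'
    0x02 = 'No root directory'
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed (hard disks)'
    0x10 = 'Network'
    0x20 = 'CD-ROM / DVD ("shiny media")'
    0x40 = 'RAM disk'
    0x80 = 'Reserved / unknown'
}

function Get-NoDriveTypeAutoRun {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $path = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Get-AutoRunAudit {
    # Machine policy takes precedence over the per-user value when both exist.
    $mask   = Get-NoDriveTypeAutoRun -Hive HKLM
    $source = 'HKLM policy'
    if ($null -eq $mask) {
        $mask   = Get-NoDriveTypeAutoRun -Hive HKCU
        $source = 'HKCU policy'
    }
    if ($null -eq $mask) {
        $mask   = 0x91          # assumed OS default when no policy is present
        $source = 'not set (assumed default 0x91)'
    }

    foreach ($bit in ($driveTypes.Keys | Sort-Object)) {
        # A set bit means AutoRun is suppressed for that drive type.
        $state = if ($mask -band $bit) { 'disabled' } else { 'ENABLED' }
        [pscustomobject]@{
            Source    = $source
            Mask      = ('0x{0:X2}' -f $mask)
            DriveType = $driveTypes[$bit]
            AutoRun   = $state
        }
    }
}

# Usage: list every drive type and whether AutoRun is still honored for it.
# A mask of 0xFF suppresses AutoRun for all drive types, optical media included.
Get-AutoRunAudit | Format-Table -AutoSize
```

Run this in an elevated PowerShell session so the HKLM policy key is readable; rows marked ENABLED for the CD-ROM type are the case the post describes as deliberately left in place, and an organization that wants optical media covered too sets the mask to 0xFF through Group Policy rather than relying on this update.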
Based on what we have learned in the last 22 months and shared in the SIR, now is the right time to bring this update to a broad audience. (The MMPC blog today has additional insight into this aspect of the update.) At the same time, we are aware that some customers prefer the existing AutoRun functionality and want to reverse the effects. For them we have a Fix it available that achieves exactly that.
Changing the behavior of a running system is never a trivial thing, and we take it very seriously. It would be a bad outcome for people to think they can draw a line between security and everything else. Updates that protect against vulnerabilities are an important part of keeping a system secure. We had to be very sure that this change struck the right balance for most people.
Adam