It’s so easy. Install your virus or worm on a USB memory stick, set it to run automatically via AutoRun. An obvious security risk, and I’m surprised that Microsoft hasn’t already disabled the feature by default in a security update or service pack for XP or Vista.
The company is finally paying attention:
AutoRun entries on non-optical removable storage devices have been disabled to ensure that you are able to make a considered decision before running software from removable media such as USB drives. Worms sometimes attempt to use AutoRun as a vehicle to install malicious software onto your computer. CDs and DVDs, which are not subject to worm injection after manufacturing, will continue to expose the AutoRun choice to enable you to launch the specified software.
says the press release for Windows 7 RC. Personally I think it should apply the same logic at least to writable CDs and DVDs. I’ve disabled AutoRun on my PCs and don’t miss it. I agree though that USB sticks are the biggest risk today – though a little bit of social engineering will probably persuade many users to run a setup file on a USB stick anyway.
Related posts:
- Windows security and the UAC debate: Microsoft misses the point
- EU responds to questions on Microsoft’s plans for Windows 7
- Hands On with Microsoft Security Essentials – terrible name, but product looks good
- Windows 7 will build the global IT economy, says IDC/Microsoft, or will the Cloud kill it?
- New in Windows 7 RC: Windows XP Mode, Remote Media Streaming
Yes, USB sticks are the biggest risk, that’s why so many companies want to have DLP system
Seems to me that ms is forgetting that under vista dvds can be written as easily as usb pens