Hardware Analysis

  Vista AutoRun might leave your systems vulnerable 
 
TWolfe Apr 11, 2008, 12:29am EDT

Edited: Apr 11, 2008, 12:38am EDT

Replies: 5 - Views: 371
This is from WINDOWS SECRETS. I'm just passing along information.

Disabling AutoRun still leaves you open to attack

By Mark Joseph Edwards (Windows Secrets staff writer)

The worst kind of security bug is one that Microsoft probably won't be fixing any time soon.

This week, I tell you about an annoying security problem in which Windows Vista fails to disable its AutoRun and AutoPlay features, even though you think you've got these two security risks under control.


According to an advisory published by US-CERT, Vista might not truly disable its AutoRun and AutoPlay features when you configure the operating system to do so. Those features kick into action whenever you insert a CD or DVD.

On a typical system, if a CD, a DVD, or a U3-enabled USB drive includes an AutoRun file — or can be detected by Vista as AutoPlay media — Vista automatically launches a corresponding application to view or play the media. That behavior can pose a serious security problem if you insert a medium that contains malware.

To protect against that possibility, Microsoft provides ways to disable AutoRun and AutoPlay for various devices. However, according to the US-CERT advisory, "Windows Vista may [leave] some AutoPlay enabled, even though the Group Policy Editor and associated registry values indicate otherwise." This, of course, means that an attack would still be possible.

As far as I know, Microsoft has not issued any kind of patch for this problem. Worse, I'm not even sure that the company will issue a patch. (AutoRun and AutoPlay are considered important and desirable features.)

US-CERT's advisory, however, does offer some information that might help you reduce your vulnerability. One workaround involves creating a .reg file and loading it into the Windows Registry. I consider the other workarounds that are listed by US-CERT to be problematic and less reliable.

Windows Secrets associate editor Scott Dunn warned last year about the problem with AutoRun appearing to be disabled (in both Vista and XP) but actually still allowing attacks. He prescribed exactly the same .reg workaround that US-CERT is now proposing, but he provided far greater detail. See Scott's Nov. 8, 2007, column for the complete story.

To read US-CERT's analysis, see its vulnerability note 889747.

Just thought you might want to know.
Try this link, it explains various problems: http://www.kb.cert.org/vuls/id/889747


When you have eliminated the impossible, whatever remains, however improbable, must be the truth.
Sir Arthur Conan Doyle
john albrich Apr 11, 2008, 04:36am EDT
>> Re: Vista AutoRun might leave your systems vulnerable
I can verify this is definitely the case with WinXP Pro and XP Home up to current service packs. I have disabled autorun multiple times on several machines, including using registry hacks to do so.

After doing so, I have tested the machines with multiple devices and media, and always verified the autorun "feature" was 100% disabled.

Invariably, after some amount of time has passed (days/weeks), the autorun "feature" is somehow mysteriously restored on 100% of the machines (I don't use auto-update so that's not causing the change, restore points weren't used, and I closely monitor what's happening on these machines).

As yet I have found no explanation for this behavior.

Tam the Bam Apr 11, 2008, 05:24am EDT
>> Re: Vista AutoRun might leave your systems vulnerable

I hate Autorun. Since I've had my very first PC, I disabled it. It p**ses me off.



*System Specs in User Profile* UPDATED 10-12-2007



http://www.putfile.com/phuxache1972


DublinGunner Apr 11, 2008, 05:24am EDT
>> Re: Vista AutoRun might leave your systems vulnerable
Funnily, I don't have this issue with my Vista install.

I have it disabled, so any 'autoplay' type media inserted, merely invokes the pop up box asking me what I would like to do (i.e play, open folder to view files, open in program x etc)

E6400 L628 @3.4
Thermalright Ultra 120 Extreme
Abit Quad GT
2GB Team Xtreem DDR2-850 4 4 3 10
Leadtek 8800GT 512
OCZ GameXstream
john albrich Apr 11, 2008, 08:50am EDT

Edited: Apr 11, 2008, 09:02am EDT

 
>> Re: Vista AutoRun might leave your systems vulnerable
DublinGunner said:
...I have it disabled, so any 'autoplay' type media inserted, merely invokes the pop up box...

Ideally, it doesn't even do that when it's totally disabled. Windows itself should require no user action whatsoever, nor should it display anything like popping-up a passive Explorer window.


However, even with auto-scanning anti-malware software installed, when a medium is inserted it should also do nothing (as far as the user is concerned) unless a security problem is detected or it makes the user or an application wait until a security scan is completed. Ideally the user would have the option to either display or not display a message when an automated scan is underway.


edit to add--
Re my prior post on this, I initially did think security software was contributing to the noted eventual re-activating of the auto-play "feature", but using "regmon" I did not find any evidence this was the actual cause.

McFly Apr 18, 2008, 02:26pm EDT
>> Re: Vista AutoRun might leave your systems vulnerable
I always disable autorun ... I don't think I've seen it come back on its own. :-X

One thing I also do is, even when you have autorun disabled, double-clicking a mounted CD with autorun features will start the autorun program ... bit of a mouthful ... what I mean is, it doesn't start when you pop the disc in, it starts when you try to explore the drive -- a, "manual autorun," if that makes any sense.

What I do to fix that is find the autorun item for the drive in question in the MountPoints2 key in the registry, remove it, and then make those keys read-only, so the next time I pop in a disc, autorun can't add itself to a drive's context menu, and double-clicking the drive takes me straight to an Explorer view.

________________
DFI LP nF4 Ultra-D | AMD X2 3800+ @2.8GHz | 4GB G.SKILL DDR400 | ATI c3D X800GTO | Vista Ultimate x64 Edition
overly detailed specs in user profile • Xfire: mcfly2000
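
A read-only audit of the settings this thread discusses, as an added example that is not part of any post or of the quoted article: it reports the NoDriveTypeAutoRun policy value, the Autorun.inf IniFileMapping entry used by the .reg workaround in VU#889747, and any commands cached under MountPoints2. The registry paths are not given in the thread; they are the standard Windows locations, and the function names are hypothetical.

```powershell
# Added example (not from the thread): read-only audit of AutoRun registry state.
# Works on PowerShell 2.0 and later; changes nothing on the system.
$policyKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$iniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mountKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is missing instead of raising an error.
    $p = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { $p.$Name }
}

function New-Row($Check, $Value, $Ok) {
    if ($null -eq $Value) { $Value = '<not set>' }
    New-Object PSObject -Property @{ Check = $Check; Value = $Value; Ok = $Ok }
}

function Get-AutoRunAudit {
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $raw = Get-RegValue "$hive\$policyKey" 'NoDriveTypeAutoRun'
        if ($raw -is [array]) { $raw = [int]$raw[0] }   # value stored as REG_BINARY
        $shown = $null
        if ($null -ne $raw) { $shown = '0x{0:X2}' -f $raw }
        # 0xFF sets every drive-type bit: AutoRun off for all drive types.
        New-Row "$hive NoDriveTypeAutoRun" $shown (($null -ne $raw) -and (($raw -band 0xFF) -eq 0xFF))
    }
    # Mapping Autorun.inf to a nonexistent registry location makes Windows ignore the file.
    $map = Get-RegValue $iniMapKey '(default)'
    New-Row 'IniFileMapping\Autorun.inf' $map ($map -eq '@SYS:DoesNotExist')

    # Cached per-volume shell commands; each hit is flagged for manual review.
    Get-ChildItem -LiteralPath $mountKey -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object { New-Row 'MountPoints2 cached command' ('{0} => {1}' -f $_.Name, $_.GetValue('')) $false }
}

Get-AutoRunAudit | Select-Object Check, Value, Ok | Format-Table -AutoSize -Wrap
```

Saving the output on a schedule and comparing runs shows when a setting has changed between checks, which is the kind of reversion reported earlier in the thread.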
