You are here

Portable Devices, Autorun and You.

Ryan McCue's picture
Submitted by Ryan McCue on December 3, 2008 - 8:28am

As you may have noticed, we get a lot of talk from users here on PortableApps.com wondering why they get this box popping up when they plug their USB drives into the computer. The users simply expect the menu to come up without having to do anything else. As they say, if U3 can do it, why can't we?

The reason behind autorun being disabled is an extremely valid one: security. Some users argue that simply autorunning a piece of software can't do anything bad to their system. Well, let's take a look at a type of virus that has been around for quite a while: the boot sector virus.

The boot sector virus is a particularly nasty virus, in that simply having an infected floppy disk in the computer at startup will cause your computer to be infected. The virus infects the computer by relying on the fact that at startup, a floppy disk drive is usually higher in the boot order and therefore will be run. This virus can damage your computer extensively as it affects the boot sectors and can cause the system to fail to recognise hard drives or delete data from partitions.

The boot sector virus especially relates to autorun from portable devices, as the protections against autorunning were put in place to stop this happening. If the protection against this was not in place, viruses could begin infecting computers as soon as a device is connected to a system. However, CDs still had autorun enabled on most systems, as these were impossible for viruses to infect with a CD-R. And thus, all was well...

...until U3 came along. U3 knew that there was no way for a USB device to have autorun capacity for security reasons, so they deliberately exploited the fact that CDs still had autorun enabled. Using this knowledge, they created hardware to fake a CD partition on their drives. This supposedly unwritable partition was safe enough to be run, as it contained software directly from the manufacturer on an unwritable partition of the drive. As we later found out, this CD partition is actually writable and can be written to easily. (Note: PortableApps.com and myself take no responsibility for the content of links)

In these hacks, the fact that U3 fakes a CD drive is exploited to allow code to run without explicit user permission. It is for this reason and others that CD autorun should not be allowed. The way U3 handles autorun is also bad form, as it tricks the system.

Our software here at PortableApps.com is just that: software. We don't exploit system weaknesses such as this, as 1) it's impossible without hardward modifications; and 2) it would be bad form to do so. I hope this cleared up exactly why U3 autorun works without a dialog and why it's not a good idea.

Comments

Kevin Porter's picture

Excellent post, Ryan. I doubt this will help a whole bunch, but still, great job. Blum

"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." - Rick Cook

And thus, all was well...
...until U3 came along.

Not true, all was (seemingly) well until Sony(r)(tm)(c) came along
and "exploited" autoinfect to install... A root-kit !
You can't really blame U3 for anything, they just use a totally idiotic but "user-friendly" feature micr0$0ft in their eternal wisdom decided to build in to the OS .
U3 doesn't "handle" anything related to autorun, it's the stupid OS and like most other security-flaws in windows the problem is caused by micr0$0ft !
The real problem isn't the CD-ROM or the auto-execution, it's the fact that you
can connect any external media to the host and execute programs from it with whatever rights the account grants you.
On most XP home-systems that will be admin-rights ..
Scipt-kiddies aren't so stupid that they can't start their crap-ware manually !

What people should do if they insist on having autorun on their own computer(s)
is to disable the windows autorun/play handler and install something like Uwe Sieber's "USB Drive Letter Manager" instead as it only allows identified white-listed devices to perform autorun .
If anybody knows of an open-source alternative ..

Besides, there are 100% valid and useful reasons to have a CD-ROM in your pocket :
It allows you to have your applications on a read-only medium, virtually impossible for anything to infect .

Ryan McCue's picture

The fact that U3 deliberately exploited the fact that CDs were autorun while USBs weren't is the fact I was trying to point out.

"If you're not part of the solution, you're part of the precipitate."

i have a U3 drive wich i have put Portableapps on it sometimes it so anoying. and the up date for the U3 launcher has to reformat the drive wich is a pain in the ass every single time so i havent updated it scince i brought it

Life Goes Slowly but it Go's