http://news.cnet.com/8301-1009_3-10229540-83.html
Looks like even our method of showing an entry in the AutoPlay window (via Action=) is going to stop working in Windows 7 RC1...
[Topic clarified by mod Tim]
was: Heads up, guys
While this may be an annoyance, I don't see it as a big issue. I know I've been dealing with that at work forever. We have autorun denied by Group Policy, so I just go into the drive and Start PA from the root.
Well, that's a bit annoying. They could have at least left it enabled for digitally signed EXEs. Wish I knew who to talk to to suggest that.
Sometimes, the impossible can become possible, if you're awesome!
If you look at the actual blog post here, there is a contact form in the top right.
Edit: Actually, Steven Sinofsky gives out his email address here: http://blogs.msdn.com/e7/archive/2008/08/14/welcome.aspx. That might be a better bet, as he is a senior VP.
Sorry, but:
Just the idea of some arbitrary app having the right to run because you insert a removable media is moronic. M$ should go to prison for enabling auto-infect..
(It does however create a lot of spin-off jobs)
Get your facts right first. NOTHING from a USB drive can AutoRun like from a CD, meaning it can't actually run the program when you insert the drive. What they are talking about is the AutoPlay *menu*. Malicious programs alter the AutoPlay menu entries to *look* like the default Microsoft ones, but they really run the malware. It STILL REQUIRES the user to actually click the menu entry.
U3 drives allow true AutoRun via their CDROM partition, which will still be allowed in Win7.
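The look-alike AutoPlay entry described in the comment above can be checked for by reading a drive's autorun.inf before anything on it is clicked. This is an added example, not part of the thread; the built-in label list, the icon heuristic and both sample files are assumptions constructed for illustration.

```python
import re

# Assumed heuristics: built-in AutoPlay wording (English UI) and system icon DLLs.
BUILTIN_LABELS = ("open folder to view files", "speed up my system")
SYSTEM_ICON_SOURCES = ("shell32.dll", "imageres.dll")

def parse_autorun(text):
    """Return the keys of the [autorun] section, key names lower-cased."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys

def review(text):
    """Return finding codes for one autorun.inf, most benign first."""
    keys = parse_autorun(text)
    findings = []
    action = " ".join(keys.get("action", "").lower().split())
    target = keys.get("open") or keys.get("shellexecute")
    if action and target:
        findings.append("custom-entry")            # drive adds its own AutoPlay choice
        if any(label in action for label in BUILTIN_LABELS):
            findings.append("imitates-builtin-label")
    icon = keys.get("icon", "").lower()
    if any(src in icon for src in SYSTEM_ICON_SOURCES):
        findings.append("system-dll-icon")
    return findings

# Constructed samples: a plain launcher entry and a spoofed one (placeholder.exe is not a real file).
PLAIN = """[Autorun]
Open=StartPortableApps.exe
Action=Start PortableApps.com
Icon=StartPortableApps.exe
"""
SPOOFED = r"""[AutoRun]
shellexecute=placeholder.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
"""
if __name__ == "__main__":
    print(review(PLAIN), review(SPOOFED))
```

A drive that only reports `custom-entry` is doing what the first post describes; the other two codes mark an entry dressed up to pass for one of Windows' own.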
I was surprised to find that this statement, which makes sense, isn't entirely accurate.
When I upgraded to Vista a few weeks back, when I first put my flash drive in, it asked if I wanted to repair it. I said no - and it launched the PortableApps.com Platform. This annoyed me because I had Firefox and Notepad++ set to autorun from the menu, and that Firefox was set up for the proxy at work, so it failed to connect to anything. All I'd wanted to do was to copy some files, but it ran the platform.
Next time I put it in, I chose to scan it. Following the scan, it ran the Platform.
I found out where to disable it (to make it ask what to do) but mine was set to run the default program on removable media.
My drive isn't U3. This was a Corsair Readout 4GB running PortableApps.com Platform 1.6 RC 0.
That means that somewhere along the line, either you told AutoPlay to always perform the "Run" action (there's a checkbox in the AutoPlay window for this) or your OEM did it. Because I can say from experience that the default setting in Vista is to prompt...
Exactly ^^^^
I have my facts straight on this: This new behaviour won't really change anything, the difference between one click or none is a non-issue.
Sony et al still need a way to install their rootkits, M$ has a share in U3 or whatever they end up calling it and people INSIST on having autorun, even when you demonstrate the danger to them by inserting your hacksaw in their machine.
Recently a Windows security update enabled REAL disabling of autorun (& auto-play, it's not the same), M$ took quite some heat for it because it also screwed up context-menus etc etc.
The many posts here demanding "do-nothing-at-all" autorun kinda proves this, no?
Besides, U3-drives are not the only UFDs with CD-ROM capabilities, most modern controllers are multi-LUN capable and the majority of them can do the CD-ROM trick.
Maybe this could even get people to run their apps off the CD-ROM on UFDs with that feature, it's the only right way to do it on public/dubious computers.
Or maybe M$ will start using the "hidden cookie" function on SanDisk's U3-controllers so only M$-approved apps will be allowed.
Hopefully, like in the case of the UAC flaw, the users' opinion will be heard by Microsoft and they will reconsider this. Anyway, I bet someone will make a patch for this...
Artificial intelligence stands no chance against natural stupidity!
Hey guys, remember the topic complaining about the wasted space in the lower right corner of the menu? Here's a great idea that should solve the problem.
Step back one. You have a Windows 7 machine and Autorun is disabled. (Hypothetical situation in which Windows 7 and "the new PortableApps.com Platform" are out.) That's the fact we're facing, right? So you're going to have to go into Computer, then the flash drive, and run StartPortableApps.exe manually at least once.
Menu loads. You've just wasted a few more clicks and seconds than usual. But your menu's up now. Now in the lower right corner, below Help, you see a display which shows the date and time, version of the platform, and the word "Autorun" followed by a red light. You click on the red light. It says "Autorun is currently disabled on this machine. If you have admin rights you can enable it. [Click here] to read about the dangers of enabling Autorun. Enable Autorun? [Yes] [No]". Click Here takes you to a help file here discussing the issue. And, also and to be fair, if the light is green, you can click it to disable Autorun.
I know one of the Big Rules is that admin access should never be required and you don't want to modify the host system, but what are you going to do? It's either that, or we just accept that autorun isn't an option and tell people how to access the menu.
Another, slightly less controversial option would be to replace the Autorun button (keep the date/time/version - that's a good idea) with a launcher installer. Clicking this would bring up a Save As dialog box where you could choose where to drop the launcher. The launcher, upon running, would search removable disks for StartPortableApps.exe in the root, and launch it (or, if it finds more than one, ask which).
Either way...
A far better solution would be to only allow autorun of signed code. That way it can be remotely disabled if any malware is released. I've detailed a full solution:
http://johnhaller.com/jh/useful_stuff/windows_7_autoplay/
Sometimes, the impossible can become possible, if you're awesome!
Nice, but while I agree completely with your blog post (and good job reminding everyone about Sony - I still don't trust 'em and that's one of the main reasons I have an Xbox 360, not a PlayStation 3, and a Nintendo DS, not a PSP), I don't entirely trust signed code as a solution either.
Speaking of the Xbox 360, software must be digitally signed by Microsoft to run. You can't run just anything up there, even if you got your hands on an SDK and built an app. You'd have to send it to Microsoft and have them put it on their special discs. But they've put out a few things you can download and burn to a disc or put on a flash drive. One of their major updates was done this way for people without Xbox Live, and the more recent "New Xbox Live Experience" (NXE) as well.
Shortly after NXE hit the web, people began posting it all over the web. What they didn't tell anybody was that the code was really only meant for Microsoft employees. So while it will run on any Xbox 360, when you go to get online, it sees that the Xbox isn't on the whitelist - and doesn't grant you access, even if you've paid for the Gold level of service. Whoops. Oh, and they didn't bother including an uninstaller, so a lot of people were stuck offline for 2-3 weeks until they removed the restriction.
Things like that aren't supposed to happen on video game consoles. Consoles are more like computers with each generation, and both generations of Xbox consoles really are nothing but computers with custom cases and a few hacks to ensure you can't, say, install Windows on them, let alone catch a virus. Digital signatures are a big part of that; yet, an update signed by Microsoft left a bunch of people in the dark, and they really had no way of fixing it - the answer was "you just have to wait until November 19". That wouldn't fly with Windows users. What would happen if a digitally signed update for Windows rendered a Windows PC unable to use any networking for three whole weeks unless they were employed by Microsoft? I don't know, myself, but I guarantee you it would be ugly. Just ask Sony. I would rather deal with their rootkit than be cut off from the web for 3 weeks.
Long story short, digital signatures and trusted computing is a great idea on paper, but when bad code gets trusted, it becomes a problem. And Microsoft writes too much bad code. They even charge for it. (I'm not anti-Microsoft per se, but between Windows ME and Vista and numerous other snafus and shortcomings, I don't really have to be.)
Actually I disabled autorun completely
Because I use USB devices all the time: iPod, Windows Mobile phone, card reader... The scan file procedure is really annoying! I don't need a menu to ask me if I want to start media player only because it discovered several mp3 files in my cellphone. No thank you, I already have iTunes and ActiveSync to do the right thing with the right device.