Engineering Windows 7

I like the fact that security is taking precedence here, but this can be bad in certain situations.  For example, I have a flashdrive running Portable Apps.  Because AutoRun is disabled, it will be much more difficult to launch the program.  The option to reenable AutoRun for removeable media should be able to be changed through the control panel, so those who actually know what they are doing can have ease of access as well as security.

Thanks, and I can't wait for the release of this awesome OS!

This is a good move, but unfortunately this won't cover those malware which deliberately use an icon that looks like a folder for their executable. Those cannot be differentiated from folders at a first glance, unless extension hiding is disabled. That also make the user "lost confidence and don't feel in control". Why not provide an option to disable silent code execution from removable drives (prompt before any executable can be run from a removable drive), with an user-managed whitelist to allow certain executables (verified by hash-checks) to bypass the prompting?

Or overlay all executables with a marker that identifies them as executable files.

5 may eh?

Isn't 7100 build was compiled few days ago? And the article dated april 27. So, I barely doubt any features after build7100 date will be included in RC.

Or, may be, it is just delayed articles, idk...

soumyasch: Ya man I agree with you. I wish Microsoft had done that. It would be really great even for a novice.

And this is another good move by Microsoft :)

Two comments here. First, where is the secure workaround to allow autoplay? We're providing a product to some clients who specifically want absolutely automatic and transparent install just by plugging in a USB stick. Admittedly, they're not running Win7, and the chance of them upgrading to it any time soon are nonexistent, but it doesn't change that in a couple of cases autoplay may pretty much be a necessity. So some option to sign the executable or similar, to allow autorun to work, please?

Second, a more personal annoyance. This means that most of the time, we will s the autoplay dialog pop up *with only one option*. So why show it at all? Why not just open Explorer directly, if that is the only option displayed anyway?

The alternative is clumsy, and looks unprofessional. It gives the impression that you never even thought about how to make this convenient for the user (which may be true, but shouldn't be)

I would have to agree with a few of the other posts on here.  This feels like a dodgy workaround for a deeper issue.  Simply not showing the autorun tasks in removable media doesn't really stop any infection, it just prolongs the process.  I like the ideas that Xepol had posted for more secure autorun actions.

Maybe you just need to provide us with a bit more detail on this method.  However, right now, I don't get any warm fuzzy feelings about what you just wrote.

On the whole, I think Microsoft is doing a wonderful job, but this area is deffinately lacking.

Autorun from portable devices has never been useful, don't listen to the short-minded asses here.

It's only matter of several minutes to write, say, lightweight shell service which will reintroduce this functionality better way for caring program vendors.

Manicmarc, a Microsoft app store would surely require signed code, which would become a $200-$500/year entry fee that would exclude a lot of software.

How about this idea; get rid of the feature. It is of no measurable benefit to anyone and is a massive security vulnerability that you could fly a 747 through.

If you want to install something - you have to manually open the cd and double click on the setup.exe file - something that most people are used to anyway so there is no loss by removing the feature in the first place.

limulus -> Break is perhaps an overstatement since you can manually run the app and some people already have the feature disabled anyways.

It will, however, degrade the end user experience.

Short-sighted move.  I've found autorun very useful for utilities I place on a USB drive.  For example, insert the USB drive, launch the portable TrueCrypt to auto-mount my secure volume.

Vista had a good practice of asking if you wanted to autorun. Disabling it totally will be annoying.  If you're going to disable it, at least give those of us who know what we're doing the option to go into Control Panels and turn it back on.

It worked with UAC: giving me the option to turn it off completely kept me from hurling my Vista PC out the window.  (Three separate UAC prompts to create a new folder in my start menu and move something into it kinda sent me over the edge.)  I turned off UAC and have no problems with malware. Autorun (especially with the "ask first") is not going to cause me problems either.

I was wondering what the requirements are for "Publisher not specified" vs. "Published by ..."

Microsoft tends to be somewhat inconsistent here, and it could be a healthy opportunity to revise the specs.

At different times (security warnings when running a local/online/blocked file, properties, etc.), the publisher name shown to the user is either taken from the digital signature, or from the resource (RC). This duality is not good, especially when the two strings are different.

Additionally, different requirements exist for what constitutes a "trusted" digital signature: for some parts of the Microsoft universe, only a Class 3 code signing certificate by providers such as VeriSign is good enough (e.g. for Winqual/logo purposes). For others, any signature will do (Thawte, Comodo, etc.)

As some have posted here, it would be good to at least demand that any executable code that is invoked by AutoRun be signed. I fully agree with that. As the dialogs indicate, the choice has already been made to expose a publisher name to the user, so this should IMHO come from the Authenticode information, and nowhere else (not from the simple file properties).

While agreeing to the signing requirements, I'd also have to add that this would not solve the issue of malware. Drivers also have to be signed, yet unsigned code can exploit a driver to invoke something else. While this is generally malicious, an AutoRun application usually does this by design, because AutoRun launchers such as MenuBox are there exactly to open a window and propose some options which include launching an installer, running an application from CD or USB, etc. USB itself is increasingly chosen as an application distribution medium (while standards are on the rise to trust the USB medium).

HTML Applications (HTA files) are another example, similar to an AutoRun launcher application. By design, Microsoft allows HTAs to be unsigned and to run executables. Which is great for AutoRun. Should we break this, only because of some new signature requirements? Even if you signed the first layer, the second layer (invoked by HTA or apps like MenuBox) would still not be subject to the same requirement.

My opinion is that at the very least, "Published by ..." should have information coming from Authenticode. If the application is unsigned, it should be marked as such. This is because you are providing this information to the user with respect to this specific application, and the information should be as accurate and trackable as possible.

For the rest, the issue is more complex than it may seem at first sight, and autoRun itself is not the (only) problem. IMHO, code signing should be a requirement for all executables, at least in an optional way, if you want to raise the bar for what may or may not run on a PC. So any user, home or corporate, could have a list of trusted application publishers, if desired, and the surface for malicious code management would be narrowed a lot. Code exploits and social engineering will always exist, but if all code were signed, from Windows system executables, to applications, management would be easier. Doing this in a "leaky" way will always favor the unpatched scenario, be that a USB key that looks like a CD drive to the system, or a second layer that is not subject to the restrictions of the first layer, like unsigned code run by signed code.

At the end of this, I just noticed that Windows 7 has a feature called "AppLocker", which I haven't seen yet. It may do what I was talking about, with respect to only allowing signed code with certain requirements to run. I hope that AutoRun and AppLocker will work hand in hand, giving the user the option to add a publisher that is "introduced" in an AutoRun context to the AppLocker list, without jumping through too many dialogs.

Just my two cents!

Mike

@ Arik Cohen:

That is very interesting. I wasn't aware of this functionality in those drives. To me it always looked like they are just standard USB drives.

I have to admit that the idea of emulating a CD drive for this purpose is amazing.

That's a good thing to disable this thing at all, that was a wide security whole. At present I fear each time someone want to plug a USB drive onto my computer, and most of the time there is some kind of malware. Autorun or Autoplay should never had existed.

To those who complain about it, it's not that difficult for the user to explore his drive and launch what he wants, only two clicks, are you so lazy ?

There still remains the kind of malware who hide the folders and create some executables files named accordingly to the hidden folders. For that, it would be nice to have a way to differentiate an executable file from the others !

This interferes with Ceedo. WHYYYYYYYYYYYYYYYYYYYY? I LOVE CEEDO!

This has been a part of Windows functionality for over a decade. While a few mal-ware proponents have taken liberty with Autoplay and Autorun functionality, many more actual customers and users have found it a boon.

I agree that security and having confidence in the Windows environment is paramount, however it just seems like you're "throwing out the baby with the bathwater" here.

The Dev Team sure is proud of their "deep insight" features, why not apply that same thinking to AutoPlay? In the dialog, add visual indicators regarding the validity (digital sig's anyone?) of the executables. Your illustration--with the red and green outlines--seems to be an excellent start; why not grow on that concept?

"Spoofs" are easy to detect, since they are mocking the appearance of the UI defaults... we don't even need WinDefender to check it, it's obvious because it's a copy-cat!

(Nodding to others in the thread) Regarding selective AutoPlay actions with respect to individual media; for anyone that works with more than 10 different removable drives in the course of a day, picking specific behavior for each drive could surely be a boon. Moreover, eliminating AutoPlay framework for removable/re-writable media would impact a significant portion of IT professionals that have crafted independent (sometimes ingenious) solutions around that framework.

AutoPlay was conjured-up in the age of the CD-ROM... well before the advent of flash-memory media. The problem has been that the AutoPlay framework "stood still" while a wave of removable media washed over the industry; today, there's just as much a chance that users will insert USB key drives or card-readers than a CD-ROM or DVD. AutoPlay should reflect that fact, as well as anticipate potential abuses.

Re-consider this move; have you really come all this way just to axe an idea that was introduced before its time?

I noticed that Internet Explorer 8 automatically checks the hashes of any file downloads, and can block potentially suspicious files. Would it be a better idea to have a similar implementation for the Auto-Play feature?

For me, it would be nice if there's an option to run anti-virus scan on autoplay.

There still remains the kind of malware who hide the folders and create some executables files named accordingly to the hidden folders. For that, it would be nice to have a way to differentiate an executable file from the others !

As limulus mentioned, it will break some software, like for instance a usb stick (with CDrom partition)which launches a screenreader for blind people. Under XP, when the user plugs the USB stick, the software is automagically launched without further action, so even a blind people can run it. Now, under W7, it will require the user to click a button... err remember, he's blind !

What do you suggest ?

We cannot require that his computer (potentially it could be a public computer) is preconfigured to "always run" the software from CD.

Great stuff.That sounds pretty cool. Really helpful thanks for the Article, Great job, hope we can expect more advanced....