Microsoft Kills Dangerous USB Autorun Feature

Source: SecurityNewsDaily

Microsoft rolled out a hefty batch of security updates yesterday (Feb. 8), addressing flaws in Windows and Internet Explorer. The company also made an important change to its automatic program-starting feature, Autorun, that security experts believe will help decrease the spread of malware through infected USB drives.

In 12 security bulletins, Microsoft tackled 22 security flaws, including several Windows bugs and an Internet Explorer flaw that has been lurking in the browser since early December. A dangerous bug in Microsoft’s graphics rendering engine was fixed, as was a hole that could allow hackers to exploit a Windows system by creating a malicious font.

Microsoft also took this opportunity to issue an important update to its Autorun feature – a technology that automatically starts a program when a USB stick or CD is inserted into a Windows PC.

Users can now disable Autorun, meaning that when they insert a USB drive, the computer will not take any immediate action. Disabling Autorun cuts off a vector often used in cyberattacks, security experts say.

Autorun “may sound like a neat idea, but a lot of malware (the Conficker worm would be perhaps the most infamous example) has exploited the technology to infect computers via USB sticks in the past,” read a Sophos blog.

All of Microsoft’s security fixes, including the Autorun update, can be downloaded through Windows Update.

Adobe got into the update game as well, issuing security updates to fix dozens of critical vulnerabilities, including 13 flaws in Flash, 29 in Reader and 21 in its Shockwave Player.

Users can download the updated software by choosing “Check for Updates” in their Web browser’s Help menu.