Windows 7 beta affected by Vista viruses

As Microsoft prepares to launch Windows 7 it will be working to close the remaining holes in the OS before release; one that has yet to be closed is a trick that abuses the AutoPlay feature for USB drives.

The Register reports the trick works by crafting a malicious autorun.inf file and placing it on a USB device. autorun.inf lets removable media supply its own AutoPlay entry, including the entry's caption (the action= line) and its icon (the icon= line), so the program entry can be given the caption "Open folder to view files" and a folder icon. A user who picks that entry from the AutoPlay menu thinks they are only opening a folder on the USB device when they are actually launching the program named in the file's open= line.

This trick currently works on both Windows Vista and the Windows 7 beta. It still depends on the user choosing the spoofed entry; it is a social-engineering trick rather than a code-execution flaw in AutoPlay itself, which is why a better-labelled AutoPlay dialog, or disabling AutoPlay, is the obvious remedy. Microsoft is still developing Windows 7, so there is a good chance this hole will be patched before the OS launches later this year.
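To make the mechanism concrete, here is an added example (my own code, not from the article or from The Register's report) that parses an autorun.inf and flags the indicators the spoof relies on: a program launched via open= or shellexecute=, an action= caption that copies one of Windows' built-in AutoPlay captions, and an icon= borrowed from shell32.dll. The two autorun.inf samples are constructed for the example, and the list of built-in captions is an assumption about what a given Windows build and locale displays; extend it for your environment.

```python
import configparser
import re

# Constructed sample: the entry Windows shows under "Install or run program"
# is captioned and iconed to look like the built-in "Open folder to view files".
SPOOFED_AUTORUN = """\
[autorun]
open=setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
label=USB DISK
"""

# Constructed sample: a vendor stick that only sets a label and an icon.
BENIGN_AUTORUN = """\
[autorun]
icon=vendor.ico
label=Vendor Tools
"""

# Captions Windows uses for its own AutoPlay handlers (assumed list; extend per
# Windows build and locale). A vendor action= that reuses one is impersonating
# a system option.
BUILTIN_CAPTIONS = {
    "open folder to view files",
    "import pictures",
    "play",
    "take no action",
}

# File types Windows will execute when named in open= / shellexecute=.
EXECUTABLE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|msi|vbs|js)(?=\s|$)", re.IGNORECASE)


def parse_autorun(text):
    """Return the merged key/value pairs of every [autorun*] section, keys lowercased."""
    # autorun.inf is INI syntax; interpolation is off so %SystemRoot% survives,
    # strict=False tolerates the duplicate keys real-world files contain.
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)
    entries = {}
    for section in cp.sections():
        # Windows matches section names case-insensitively and also honours
        # architecture-specific sections such as [autorun.amd64].
        if section.lower().startswith("autorun"):
            for key, value in cp.items(section):
                if value is not None:
                    entries[key.lower()] = value.strip()
    return entries


def assess(text):
    """Return a list of (code, detail) findings for one autorun.inf."""
    entries = parse_autorun(text)
    findings = []

    # Either key makes AutoPlay offer to run something from the media.
    target = entries.get("open") or entries.get("shellexecute")
    if target:
        code = "launches_executable" if EXECUTABLE.search(target) else "launches_file"
        findings.append((code, target))

    # The caption is free text chosen by the media, so it can copy a system one.
    caption = entries.get("action", "")
    if caption.lower() in BUILTIN_CAPTIONS:
        findings.append(("spoofed_caption", caption))

    # Pointing icon= at shell32.dll borrows Windows' own folder/drive icons.
    icon = entries.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append(("system_icon", icon))

    return findings


def is_spoof_attempt(text):
    """True when the file both launches something and dresses the entry up as a system option."""
    codes = {code for code, _ in assess(text)}
    launches = "launches_executable" in codes or "launches_file" in codes
    disguised = "spoofed_caption" in codes or "system_icon" in codes
    return launches and disguised


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, is_spoof_attempt(sample), assess(sample))
```

A file that sets open= with an honest caption is still a program launch the user should be wary of; the check above only flags the disguise the article describes, so treat `launches_*` on its own as informational rather than benign.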


30 Comments


This isn't an exploit. This is phishing, and has everything to do with exploiting the user, not the operating system.

Honestly, this article is a joke and a poor Microsoft bashing attempt. If you want to make this article seem like anything less than a joke, you can start by renaming it "How to avoid being duped by a fake autorun program."

There's nothing wrong with Autorun. It allows the display of a program's name and icon on purpose, so that software can display their own program launchers. That program can choose to display any name and icon it wants, including a folder icon and the name "Open Folder" if it wanted to mislead the user. However, a program CANNOT alter its own application subtitle, it cannot remove the already-default "Open Folder" option from the context menu, and it also cannot bypass the UAC prompt. This method is an attempt to exploit the ignorance of the user, NOT the operating system.

Besides the point that the article is making, shouldn't 7 suffer from very similar problems as Vista since they are very similar?

Article title is kinda stupid and misleading. Also, I did insert some CDs and USBs with malicious autorun.inf and you know what? Nothing happened to Windows 7. However I understand that this is a matter of what kind of virus is trying to run, but again, isn't UAC designed to prevent running malicious software?

UAC was designed to limit administrative rights to applications the user wants to have them. If a user WANTS to give administrative rights to a suspect app... it's not UAC's fault. It confirmed that's what they wanted.

You've gotta read more carefully...

The article is saying that "it may appear that they are only opening a folder on the USB device when they are actually installing malicious software." We all know that if we ask autoplay to run a program from the flash drive it could be a virus. But with this exploit you could be choosing the "Open folder to view files" option from autoplay and still be running a virus.

This could be fixed by making it obvious which autoplay options are the "safe" default Windows options like Open folder, Play video, Import pictures, etc. And warning users when they're choosing an autoplay option that was added by the autorun.inf file on the media itself.

As far as I can tell they named the application "Open folder to view files" or whatever. Perhaps there is some more mitigation that can be done to prevent this kind of social engineering / spoofing, but it is really along the same lines as getting an e-mail telling you the attachment is an important update you must install.

The dialog even says "Install or run program" - and has another "Open folder to view files" option under the "General Options" section. These should be decent clues to careful users, at least.

Can we please change the title of this article to something more meaningful? The article talks about social engineering and autoplay....

Digix said,
Like floppy disk worms, the anti-virus is the user knowing what's on the USB stick first.

Best comment thus far.

The exploit isn't the virus, correct. However the exploit can then be used to install a Virus. Also spinning this story to make it seem like a vulnerability in Windows 7 is wrong. It's a vulnerability in the concept of autorun, nothing more.

Whilst autoplay can be compromised, retaining the ability "to autoplay" means it will always be exploitable - the only way to prevent against it is by turning off autoplay, or removing autorun.ini files.

Calling this a virus is like saying sometimes when opening a .exe file it could be secretly installing something else; it's just the very nature of how it works. I think it's unpatchable - but an alternative means of "autoplaying" could be created.

Well, it is a virus. It's just a run-of-the-mill trojan horse. It's not very interesting because there are thousands of these kind of viruses and the only real defense against it consists of due diligence with regard to what you run / connect to your machine, and using virus scanning software.

You mean like not falling for those Windows Live Messenger viruses, or e-mail screensavers which require user action. Oh but what if we legitimately need to send our boss an exe or screen saver.

smithy_dll said,
You mean like not falling for those Windows Live Messenger viruses, or e-mail screensavers which require user action. Oh but what if we legitimately need to send our boss an exe or screen saver.

You zip or rar it, send it, he reverses the process. They even made a nifty right click file > zip/rar function around XP time.

Click Start -> Default Programs -> Click on Change AutoPlay settings -> Uncheck "Use AutoPlay for all media and devices"

Hardly surprising. What exactly can they do to stop this other than to disable autoplay entirely? How is Windows to know which EXE file on a USB drive is legit and which isn't?

Indeed, this is kind of silly. It isn't like this is using a security vulnerability or anything, the user is actively choosing to run arbitrary code from an untrusted device.

Autoplay has gotten better. By default, instead of blindly running the EXE it asks the user what he wants to do. If the CD/USB device is from a trusted source you run it, otherwise do a virus scan first or don't run it at all.

I guess what they are saying is that the autoplay icon could be an icon of a file folder, but the description would still say "Run Whatever.EXE" so I don't see the problem. This is the kind of thing real-time virus protection is for, which by the way is rumored to be included for free with the Windows Live Pack once Windows 7 comes out!

Erm, with all the UAC in Vista I'm surprised it doesn't ask you to double check that it's "okay to launch" first? Unless it does?