By Mark Joseph Edwards
The worst kind of security bug is one that Microsoft probably won’t be fixing any time soon.
This week, I tell you about an annoying security problem in which Windows Vista fails to disable its AutoRun and AutoPlay features, even though you think you’ve got these two security risks under control.
Vista AutoRun might leave your systems vulnerable
According to an advisory published by US-CERT, Vista might not truly disable its AutoRun and AutoPlay features when you configure the operating system to do so. Those features kick into action whenever you insert a CD or DVD.
On a typical system, if a CD, a DVD, or a U3-enabled USB drive includes an AutoRun file — or can be detected by Vista as AutoPlay media — Vista automatically launches a corresponding application to view or play the media. That behavior can pose a serious security problem if you insert a medium that contains malware.
To protect against that possibility, Microsoft provides ways to disable AutoRun and AutoPlay for various devices. However, according to the US-CERT advisory, “Windows Vista may [leave] some AutoPlay enabled, even though the Group Policy Editor and associated registry values indicate otherwise.” This, of course, means that an attack would still be possible.
As far as I know, Microsoft has not issued any kind of patch for this problem. Worse, I’m not even sure that the company will issue a patch. (AutoRun and AutoPlay are considered important and desirable features.)