Microsoft have released a security update which affects all their operating systems from 2000 to Vista; but they only offer it to Vista and Server 2008 users. Is this a forerunner of a return to the old days of the secret update?

An alert has recently been issued by The National Cyber Alert System of US-CERT (part of the Department of Homeland Security): Flaws in Microsoft Windows’ AutoRun functionality.

AutoRun is a feature of Windows that automatically reads the contents of mapped drives. These mapped drives could be anything: An optical drive, a network share, a USB stick, a memory-card reader, an external hard-drive…

You’ll notice probably that if you insert a CD into the optical drive, the first thing that happens is that it is recognised by the operating system, and AutoRun reads its contents. If that CD should contain malware then that is also read and it instantly infects the system in a lot of cases. – Malware is designed to do just that usually.

The advisory states that the AutoRun and NoDriveTypeAutorun registry values don’t work as advertised in Microsoft’s literature. Even setting the NoDriveTypeAutorun registry value to 0xFF can still result in problems.

There is, however, a fix: -

Microsoft has provided support document KB953252, which describes how to correct the problem of NoDriveTypeAutoRun registry value enforcement. After the update is installed, Windows will obey the NoDriveTypeAutorun registry value. Note that this fix has been released via Microsoft Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin.

Windows 2000, XP, and Server 2003 users must install the update manually.

Tests have shown that installing this update and setting the NoDriveTypeAutoRun registry value to 0xFF will disable AutoRun.

- Unless Server 2003, XP, and 2000 users know about it, how will they know about it?

Do Microsoft think that only Vista and Server 2008 customers are likely to be compromised via AutoRun? Clearly not. – So why only offer the update to the 2 groups containing users of the latest of their operating systems only? Suspicions would lead one to believe that Microsoft are being favouritistic towards users of the operating systems they’re pushing.

So Microsoft are guilty of favouritism; but on the other side of the coin they’re also guilty of stopping users of older operating systems from installing an important update which will protect their computers.

Having said that though, not even all Vista and Server 2008 customers are competent when it comes to editing the registry. (I myself try to avoid doing so if at all possible.)

In the light of the above; wouldn’t it have been better for Microsoft to include the registry fix in their update; therefore setting the AutoRun-related key to 0xFF by default, and then to make the update available across the board to all customers via Microsoft Update?

This is a rather bad case of Microsoft inefficiency in combating malware attacks. It’s been badly handled without any real foresight whatsoever. In fact it’s reminiscent of a return to the old days where Microsoft would publish a security update and wait until and if the customer discovered it and decided to install it.

‘Sorry Microsoft; but this just isn’t good enough on your part. We your customers have come to expect more from you.

Am I starting to have vision problems in my middle-years, or has OSX suddenly begun to look attractive? What do you think? Have Microsoft gone soft on safe-computing here?