Autorun, autoworm

It’s a bit old, but just today I read an entry in Ed Truitt’s blog about how the Pentagon got infected with (what I would guess is) a Windows worm.

To quote the quoted message:

Someone infected thumb drives with the WORM then dropped them around the Pentagon parking lot. The employees picked them up, took them into their offices and plugged them into their office computers to determine the owner of the drive. (emphasis mine)

To me, the real risk here is not that employees plugged unknown devices into a computer. Rather, this whole incident is a very damning indictment of Windows’ infamous autorun feature and the risks thereof. The act of merely accessing a device should never automatically run any executable that may be on it, at least not without prompting the user.

This is a security hole big enough to drive a tank through, and inexcusable negligence on the part of Microsoft. This is not something a user should have to explicitly disable (whether permanently or with an obscure trick like holding down Shift while plugging/inserting media).
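For administrators who do have to disable it explicitly, here is an added example (not from the post, not Microsoft's own tooling) that audits and hardens the documented NoDriveTypeAutoRun policy value from PowerShell. It assumes the standard Explorer policy key paths shown below and an elevated shell for the HKLM write; the drive-type bit positions follow the GetDriveType constants (removable = 0x04, CD-ROM = 0x20).

```powershell
# Added example: audit and harden the AutoRun policy value.
# NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is
# disabled; 0xFF disables it for every drive type. A missing value means
# the OS default applies, which on older Windows releases left some
# media types (notably CD-ROM and emulated CD-ROM thumb drives) enabled.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide policy
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # per-user policy
)
$RemovableBit = 0x04   # DRIVE_REMOVABLE
$CdRomBit     = 0x20   # DRIVE_CDROM
$AllDriveTypes = 0xFF

function Get-AutoRunPolicy {
    # Report, per hive, whether AutoRun is disabled for the risky media types.
    foreach ($path in $PolicyPaths) {
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Hive      = $path.Split(':')[0]
            Value     = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
            Removable = if ($value -band $RemovableBit) { 'disabled' } else { 'ENABLED' }
            CdRom     = if ($value -band $CdRomBit)     { 'disabled' } else { 'ENABLED' }
            AllTypes  = ($value -eq $AllDriveTypes)
        }
    }
}

function Disable-AutoRun {
    # Set the mask to 0xFF in both hives, creating the policy key if absent.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value $AllDriveTypes -Type DWord
    }
}

# Audit first; call Disable-AutoRun only when the audit shows an ENABLED type.
Get-AutoRunPolicy | Format-Table -AutoSize
```

The HKLM policy wins over HKCU where both are set, and the change applies to new sessions, so re-run the audit after logging off and on.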

OpenBSD uses the slogan “secure by default.” Here’s hoping that Windows 7 will be the first version that “insecure by default” doesn’t apply to.