Microsoft finally says adios to Autorun (theregister.co.uk)
65 points by taylorbuley on Feb 9, 2011 | 43 comments


I have always wondered who could have possibly thought Autorun was a good idea. Let's give complete control of the system to anyone who gives you a CD! Your neighbor's photo album can give you a virus now! Sony can install a ridiculous content protection system without your knowledge or consent!


You just popped the CD in and the program on it came up. A few years before that, the average computer was still booting to a command prompt. For non-hackers, auto-run was amazing.

And since then, it has worked as intended billions and billions of times. Some microscopic fraction of those have resulted in a virus, rootkit, or other issue.

Just because something bad can happen in a small minority of cases doesn't mean a feature is a stupid idea.


There's that saying about hindsight.


It's such a huge flaw that there's no need for hindsight, really. A good tester should be able to point out the problem with autorun with no prompt.


Autorun was introduced in Windows 95. The security world, especially on consumer OSes, and especially again on Windows 9x, was very, very different back then. CIH wouldn't come around for another three years. CD-R burners were pretty expensive and pretty rare, cheap USB drives were a twinkle in someone's eye that wouldn't materialize for another five years at least. We don't know that the problem wasn't noticed; maybe it just wasn't considered to be crucial. Consider the magic-like benefits it would have been weighed against: all you have to do is put the CD in!

Edit: the USB specification and first USB consumer products weren't released until 1996. Further food for thought.


Well, I don't really understand how that contradicts what I'm saying. I still think a decent tester should have been able to point out the problem back then and mark it as "critical". For me it's so uncontroversial it could even be an interview question. Viruses and trojans already existed back in 1995, and I don't think anyone would claim then that CD-R burners would remain expensive for long.


Said tester would have been overruled by a PM.


Security versus Flexibility - from 1995-1999 Microsoft, Flexibility frequently won out. It's better to have a monopoly on the world's operating systems, but be insecure, than to have the world's most secure operating system, but have some other company be the market leader.


Assuming that the average computer user in those days (and even today) was capable of navigating to the cd drive letter, entering it, and double-clicking "setup.exe", "install.exe", or "app.exe" - via some type of an understanding of what to do after inserting a cd.. would be an even bigger flaw.

Autorun did exactly what it was designed to do and solved the problem both for Microsoft and the software shops with users not being able to install products -- the worst of the worst of issues.


This. Lambasting autorun as an obvious design flaw is really betraying a lack of perspective on what's actually important in a computer's design.

Yes, security is important, but making it easy for normal people to use the computer was much, much more important, and hiding people from the crap at the core of windows (like needing to hunt down blah.exe) was a very important part of that.


You have to keep in mind the technology of the time. The only user modifiable media was a floppy disk (which didn't have autorun enabled, I believe). PCs were becoming "multimedia" computers and the CD-ROM was the center of that. CD-ROMs could then only be manufactured by rather large companies and typically cost a significant amount of money to acquire. The idea that people would acquire autorunnable media casually was foreign. The idea that the ability to create autorunnable media would be common as dirt was also foreign. Moreover, the internet was still new and not widely popular so the problem of malicious autorunnable media was thought to be fairly limited in scope.

The modern era of dirt-cheap user modifiable CDs and USB drives along with ubiquitous internet connectivity opens up the seemingly small (though still serious) security problems of autorun into gaping holes.

Moreover, at the time many developers didn't take security issues very seriously.


I concur - the "multimedia" vision was that the CD-ROM would be used like a VCR to play tightly-controlled, packaged media with interactivity. Things like "interactive movies," animated books, and encyclopedias were often cited as the examples. And Windows would support this experience by making it as simple as turning on the computer and putting in the disc.

In practice, of course, it never really worked that way. Games moved away from the interactive movie concept and instead would run an installer for 600+ MB of compressed content. The encyclopedias-on-CD and animated books had a window of about six or seven years before the Internet took over. And when CD burning took off in a big way in the late 90's, the image of the CD-ROM as a read-only medium was destroyed forever.

The only place where Autorun might have conceivably worked well is on the proprietary content formats (DVDs and audio CDs). Yet even there, most of the times I've put a CD or DVD in the computer, it's been to rip it, not to play it.


Indeed. In practice hard drive space grew by leaps and bounds (as it always does) and within a few years it was practical to store several CDs worth of data. The historical norm had been to often run applications off of the original media (floppies or CDs), but this changed to fully installing to the hd once and then never using the original media again. This, of course, very much changed the nature of the benefit of autorun.

Moreover, the explosion of the internet in the mid to late '90s began to transform the nature of computer usage. In large part the internet supplanted the CD-ROM as the primary point of entry for content into PCs.

It's interesting how common it is for even software engineers to fail to anticipate the continuation of very well established technology trends.


Autorun was almost enabled for floppy drives, but there was no way to detect a new insertion into a drive that worked for all common drives and wouldn't in some cases make the drive always try to spin up (increasing wear and tear).

Support was kept though: you just had to have a driver other than the default floppy driver, which announced to the rest of the OS that it was capable of detecting and announcing disk insertion. I don't think I've ever seen this facility used though.


Eh?

The CD-R spec was published in 1988. By 1995 the drives were still expensive but patently heading on the road to being cheap commodity parts, by 2000 they were clearly commodity parts fitted to many, many PCs.

Microsoft had ample evidence of the possible when the feature was launched and plenty more time to correct the mistaken assumption within the next few versions. That they didn't see this coming is a terrible indictment.


CD-R equipment was still hugely uncommon and expensive in 1994 (when many of the decisions for Windows 95 were being made). Most people didn't have the hard-drive capacity to store an entire CD-ROM, nor a computer fast enough to burn a disc without skipping. Early CD burners were SCSI equipment requiring an add-in adapter card to be used. Together this put the CD burner in the realm of the niche product used only by enthusiasts for a fairly long time (in computer years).

The decision to use autorun may have been a bad decision but in historical context it was far from obvious that it was bad. The biggest failure in making the decision was in ignoring its likely longevity. By the time CD burners, usb flash drives, and always-on internet connections were ubiquitous it was fully 2 Windows releases later. It's a common failing of imagination to think that it will be easy to remedy design decision errors in later releases easily (see the Y2K bug, for example).

Personally I loathe autoplay, even in its milder "prompt first" current incarnations. But the magnitude of the poorness of the decision to adopt autoplay pales in comparison to other poor decisions made at the time. The entire security model (or lack thereof) of Windows, which proved utterly unsuitable to the modern ultra-connected multi-user world. The common practice encouraged by computer manufacturers, OS manufacturers, and ISPs to put ordinary desktop computers directly on the internet rather than behind a NAT layer or proper hardware firewall. The use of null terminated strings in C/C++ along with unsafe standard libraries of string functions. And a myriad of design errors in HTTP and SMTP which have caused a mountain of security problems since. Against those autorun (which, unlike many of the above problems, can be turned off) hardly merits notice.


Well, yes, I agree in the grand scheme of short-sighted bad decisions from 15-20 years ago it's fairly low down the scale. But I'm still firmly of the opinion that the desktop CD burning revolution was decidedly foreseeable even then; I remember a UK Amiga mag editorial from the period ('94, I think) making that exact point having a disc sitting in front of them, about just how much this soon becoming a commodity product would shake up both the computer and music industries.

I suppose what this really boils down to is:

* Win32 predates Microsoft really thinking security was important by at least 10 years, and much of the industry by not much less

* IT as a whole is terrible at looking into the future, seeing what will be viable tomorrow and designing around that.

It'll be fun looking back in 2025 to see what obvious mistakes we're making now :-)


On the other hand, I remember reading a UK PC mag in 1995 (PC Format) that argued that home users weren't going to be able to create their own CDs any time soon, due to the expensive duplication process.

I'm guessing the writer was imagining the industrial CD pressing machines, and didn't realise that writers the size of a regular CD drive were already on the way.

(For reference, CD readers (4x) were about AU$400 at that time.)


I'm of two minds on the subject. On the one hand any professional working in this field who doesn't appreciate that change is a constant is just plain dumb. It doesn't take a rocket scientist to appreciate that the computers of next year are going to have faster cpus, more ram, more hard drive space, etc, and that this will continue, as it has, exponentially over time.

On the other hand, it's difficult to plan for the future. Even knowing that the hardware would be different it's hard to know how that will affect patterns of use and what variety of new uses will come about.

If the makers of windows 95 could truly have foreseen the future of the pc in just a few years (such as the prevalence of the internet and writable large format media) they would have not merely avoided the mistake of autorun they would have built a different product. But even so, making a product that would be viable in 5 years may not result in a product that's viable on the market immediately, it can be a tricky trade-off.

Windows 95 as it existed was a huge compromise on a variety of technological issues, largely to make it suitable for the consumer market of the time. The small ram footprint was very much due to significant security and fidelity compromises in running 16bit code, for example. Even after many of those reasons had gone away, the windows 9x code base was still difficult to fully replace, a classic example of the difficulty of any "full rewrite" project at scale.

As I said, the biggest mistake of that decision was in failing to appreciate the longevity of design decisions. Design decisions take on a huge amount of inertia, due to a variety of factors, even when they are recognized as being poor decisions they can be difficult to change.


Let me be the first to say: FINALLY

Autorun was an annoyance at best and a security hole at worst. I'm glad they've finally decided to do away with it. I do wonder why they didn't decide to do this across all media, though.

FTA: As we've pointed out before, the changes to Autorun still don't go far enough. CDs and DVDs by default still automatically execute code when inserted. Adam Shostack, a program manager for Microsoft's Trustworthy Computing group, said here that Microsoft has yet to see in-the-wild attacks that exploit Autorun on “shiny media.”


Yep, there is a difference between Autorun on media that is instantly writable and those that have to be specifically burned.


I was thinking about editing the "finally" out of the headline per HN style but I figured it wasn't that much editorial spin to be glad this thing is moribund.


So, this is partially obviated, now, but FWIW:

Article ID: 967715 - Last Review: September 9, 2010 - Revision: 6.2 How to disable the Autorun functionality in Windows

http://support.microsoft.com/kb/967715
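
Added example, not part of the thread or of the KB article's own text: the Autorun setting is controlled by the `NoDriveTypeAutoRun` policy value, a bitmask in which a set bit disables Autorun for one drive type. The PowerShell below decodes that mask and reads the live value; the helper name `Get-AutorunPolicy` and the two sample masks are constructed for illustration.

```powershell
# One entry per documented NoDriveTypeAutoRun bit. A SET bit = Autorun DISABLED.
$DriveTypes = @(
    @{ Bit = 0x01; Name = 'Unknown' }
    @{ Bit = 0x04; Name = 'Removable (USB flash, floppy)' }
    @{ Bit = 0x08; Name = 'Fixed disk' }
    @{ Bit = 0x10; Name = 'Network' }
    @{ Bit = 0x20; Name = 'CD-ROM / DVD' }
    @{ Bit = 0x40; Name = 'RAM disk' }
    @{ Bit = 0x80; Name = 'Unknown (reserved)' }
)

# Hypothetical helper: expand a mask into one row per drive type.
function Get-AutorunPolicy {
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($t in $DriveTypes) {
        [pscustomobject]@{
            DriveType       = $t.Name
            AutorunDisabled = [bool]($Mask -band $t.Bit)
        }
    }
}

# Constructed samples: 0xFF disables every type; 0xDF leaves only CD/DVD enabled.
foreach ($sample in 0xFF, 0xDF) {
    'Sample mask 0x{0:X2}' -f $sample
    Get-AutorunPolicy -Mask $sample | Format-Table -AutoSize | Out-String
}

# Live check of the machine-wide and per-user policy keys.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($key in $keys) {
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun `
                  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) { "$key : NoDriveTypeAutoRun not set"; continue }
    # The value may be stored as a 4-byte REG_BINARY; the mask is the first byte.
    if ($value -is [byte[]]) { $value = $value[0] }
    '{0} : 0x{1:X2}' -f $key, $value
    Get-AutorunPolicy -Mask $value | Format-Table -AutoSize | Out-String
}
```

A mask with the `0x04` bit set but `0x20` clear corresponds to the situation debated in this thread: Autorun off for USB-style removable media, still on for CDs and DVDs.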


"Over the past few years technologies such as in the U3 functionality found on many thumb drives has provided alternatives."

In my experience, U3 is nothing but crippleware. It should be killed with fire.


I still can't understand why they added the "feature" in first place. Sure, automatic execution of setups and the like is very convenient, but even a small "are you sure you want to run this" dialog would have closed the security hole most times.


> I still can't understand why they added the "feature" in first place.

I imagine, in the early 1990s, that the user experience seemed extremely natural. Put a tape into a VCR and it starts playing. Put a LaserDisc into a player and it starts playing. Put a cartridge into a game console and it starts playing. Put a CD into a stereo and it starts playing. Why shouldn't a CD you put in your computer start playing?


Well, when you insert a tape into a VCR you still have to hit PLAY before it does anything. Not that there's anything wrong with setting your computer to automatically play a CD.

But it's not about audio, it's about software.

Starting with Windows 3.0, Microsoft's approach to Windows OS usability involved hiding the file system from the user. Autorun is merely an extension of that philosophy. It allows Microsoft to hide a CD-ROM's ugly MS-DOS file system from the user.

An alternate approach is to make the file system less ugly.


Most VCRs I used would automatically play tapes that had the anti-erase tab removed (such as commercially prerecorded movies), but would require pressing play if the anti-erase tab was present to avoid losing position on a tape with recording in progress (e.g. one used for time shifting multiple episodes).


Hiding a device's filesystem from the user would later prove to be a relatively unpopular solution. </sarcasm>


Mostly for geeks, who really weren't who they were designing for.


What user-unfriendly VCRs did you use?


RCA SelectaVision. It had a wire remote with a nice big play button.


Because you don't store personal documents and credentials in your VCR or stereo. Traps for future data collection are also not possible, as far as I know.


Back when autorun was implemented, there wasn't any realistic way of getting those off a system even if you did compromise it through autorun.


To underscore this comment: the first release of Windows 95 shipped without an email client, a web browser, or a TCP/IP stack.


They can still be erased or tampered with.


> but even a small "are you sure you want to run this" dialog would have closed the security hole most times.

I doubt this very much. People will just click through it each and every time.


I didn't know Autorun was removed (sort of) in Windows 7. I guess that's one less thing some of us can brag about.

It's hard to understand how Autorun survived Microsoft's big security push in the mid-2000s. I would have guessed it would be the first thing to go.

But they can't remove Autorun without severely breaking backward compatibility; you can't suddenly force users to locate SETUP.EXE in a sea of weird setup files in order to install Office. That's why it's still enabled for CDs and DVDs. As a result, Microsoft and its users continue to pay a price for what turned out to be a really terrible design decision.


The push only involved auditing use of APIs. High-level decisions were, generally, not re-thought.

For a more concrete example, if you were hosting IE within a window of your process, you had to harden the heck out of anything that IE could host, how it accessed URLs and the hosting environment, etc. But, nobody was going to ask you WHY you were hosting IE in the first place.


There are two core reasons why autorun wasn't viewed as a huge security threat:

1) As one other person already pointed out, there was no real vector in which to steal info from the client computer. There was no default email client, web browser, or even TCP/IP stack. Computers were silos where data was moved via floppy.

2) There was a reasonably fair assumption that if you put in a CD you were going to run the application installed on the app. If it had opened up in file explorer and there were files "setup.exe" or "readme.exe" or "runme.exe" -- 99% of the time those files will get run anyways.

To put it another way... using the most secure web browser on the planet today is probably a bigger known security risk in 2011 than autorun was in 1995. With that said, the benefit of a web browser is a fair bit larger than autorun.


Even though it will be more difficult for worms to spread over USB, this does NOT mean USB keys are no longer an attack vector.

For attacks targeted at specific computers, you can bypass the new restrictions with Teensy and similar devices.

http://www.offensive-security.com/metasploit-unleashed/SET_T...


Furthermore, in my opinion, leaving autorun enabled for CD/DVDs was the right decision. Most people don't use CDs for transferring files anymore. Viruses won't be able to get much traction by spreading over CD/DVDs, because barely anyone inserts writable disks.


Great! Let's hope they remove the "functionality" that blindly executes all files ending in .exe next.



