Why is Apple meddling with my Windows AutoRun?

Summary: Costin Raiu says Apple's iTunes has started to meddle with the Windows AutoRun feature, making Microsoft's operating system less secure.

Guest editorial by Costin Raiu

In every system designed by man, there is always a balance between features, usability and security. While designing pretty, easy to use and secure systems is possible, quite often this is not what the users get, or worse, this is not what the users want.

The most popular example of this applies to Apple. Focusing on eye-catching designs and easy to use products, Apple is listed in almost every marketing book as a success story.

Interestingly, Mac OS X, maybe their second most popular software product (after iTunes), represents a curious blend: an eye-catching, easy to use, flexible, usable and decently secure modern operating system. Please notice how I avoided saying “secure” and instead wrote “decently secure”. Not wanting to start a holy war, I’d like to state that no operating system is bulletproof. Or, if an operating system even remotely tries to achieve that, nobody really wants to use it. Take VMS for instance; it was maybe one of the most secure operating systems ever designed, yet it was a pain to use. Ten years ago, at my university, the people doing schoolwork on VMS dreamed of doing it on Linux. Yet a computer running VMS with 4MB of RAM and a 40MB hard drive could host 50 concurrent users, while a similar Linux computer started having issues with more than 10 users. VMS was not only secure, but it was resource efficient as well. It was that good. Yet it went into oblivion, just as will happen to any other secure but a-pain-to-use OS.

With Windows 7, Microsoft made an interesting move. The developer of the most attacked operating system in the world decided to turn off an age-old option. This was one of the options that made the operating system easier to use but much, much more insecure. I’m talking of course about Windows AutoRun.

You can imagine my surprise when I got the following message from iTunes, while plugging in my iPod to transfer some newly purchased albums:

So, iTunes detected that my system was more secure but less usable, and decided that maybe it’s a good idea to change that back! My surprise was even bigger after seeing the following message from iTunes:

Therefore, even if AutoRun is off, iTunes will still recognize my CDs!

With that in mind, Apple’s decision with iTunes doesn’t make any sense. It took Microsoft more than 25 years to finally understand how important security is, and then it took them another 5 years to understand that AutoRun was inherently flawed and insecure, so it needs to be deactivated by default.

As I was saying, Apple is a success story when it comes to combining easy to use technology with eye catching design, while keeping it also decently secure. It is a real pity though when somebody finds slips like the one above. Will it also take them 5 or 10 or even 25 years or so to understand the dangers of AutoRun?

I certainly hope not.

* Costin Raiu is chief security expert in Kaspersky Lab's Global Research & Analysis Team.


Talkback

144 comments
  • Not surprised...

    Why would Apple try to keep their competitor secure? It would go against their own ads.

    Oh and I'm not surprised that Apple wants to meddle with autorun... I always disable that feature and it will stay disabled... I just hope Apple won't try to stealth enable it...

    PS: Great another holy war is brewing... cue the Cult of Ballmer fighting against the Cult of Jobs...
    Ceridan
    • __|__

      Don't forget the cult of Torvalds!
      AzuMao
      • I have NEVER seen a single message .....

        offering to install any Linux ANYTHING on my computers much less have a Linux centric app attempt to change the security settings.
        kd5auq
      • Torvalds?

        I think of that as the Cult of Stallman not Torvalds. I actually respect Torvalds a bit.

        But since this is an Apple vs Microsoft and not an Apple vs Microsoft vs FLOSS... I chose to only mention the 2 Cults following those 2 companies.
        Ceridan
        • Understood ...

          and I agreed.
          kd5auq
        • I guess you're right.

          There's just no comparison. Apple and Microsoft
          are on a much failier level of fail.
          AzuMao
    • A hint: It's not autorun you have to worry about

      Macs have /Library/StartupItems, ~/Library/StartupItems and
      /System//Library/StartupItems but have very little problems with security
      because of it.

      Maybe Windows is just and simply that bad?
      Mikael_z
    • They aren't meddling with anything

      It's not meddling if they ask you.
      davidmeridian
      • It is meddling when

        they ask you and you hit no then they bypass everything anyhow.
        Erroneous
  • RE: Why is Apple meddling with my Windows AutoRun?

    What else can you expect from Apple? iTunes was the major reason I bought Zune HD and am much more satisfied with the device and Zune software is just amazing!!
    shellcodes_coder
    • Same here.....

      The Zune HD is great and the Zune software is much better than the archaic itunes interface and the subscription service is very nice and also is integrated with the Xbox which is even better.
      OhTheHumanity
      • Xbox 360 integration

        "is integrated with the Xbox"

        Well, the Zune service hasn't come out for the Xbox 360 yet, but it will soon.


        Aside from that, I too grew so disgusted with Apple, its pompous attitude, its shady advertising, its annoying die-hard fans, and most importantly its piece of crap iTunes that I had to switch to the far superior Zune.
        tikigawd
  • Apple != secure. duh :\ nt

    nt
    T1Oracle
  • Not the same as AutoRun

    Recognizing that a CD is an audio CD, and actively running an AutoRun script off the drive are two different things entirely.

    So how is it you are complaining that Apple is enabling AutoRun when, in fact, it is not (Which is very easily tested by simply inserting a CD with an autorun script)?
    Stuka
    • Wouldn't that...

      ...still leave an opening for malware? If iTunes "recognizes" an audio CD which contains some kind of malware, what will happen?

      Seems to me to be exactly the same situation as AutoRun, only not using AutoRun.

      Carl Rapson
      rapson
      • It depends...

        If the Auto-run script is run because of iTunes then yes it might be a vector of infection. However if the script is not run (just checking if it's an audio CD means maybe just checking the presence of audio tracks) then it will not.
        Ceridan
      • That is possible

        If there was a piece of MalWare that was able to run by the machine simply accessing the drive. However, at that point, how is that any different than the disc being manually browsed by a person?

        The issue with autorun scripts is that anything could be run soon as the disc was inserted and there was nothing you could do about it (unless you manually disabled it). In this case, no applications are being run from the disc. The disc is just being checked for AIFF, MP3, AAC, etc files.

        I am not saying it's 100% safe, only that there is a distinct difference between the two.
        Stuka
      • Nope.

        I can't see iTunes actually executing anything on the CD, just reading its ID to run it through a CDDB (If configured)

        no code on the CD would be executed, not even which CDDB was used, since that's up to the iTunes configuration.

        This is no different than opening your "My Computer" icon, and having Windows Exploder tell you that there's a CD in the drive (Audio or otherwise.)

        It's the security vs functionality trade-off. Remember the pain in the rear factor? Anyone want to go back to:

        # mount -r /dev/cd0 -f cdfs /mnt

        I didn't think so. Windows, OS X, and Linux all recognise and mount CDs/DVDs/BD-ROMs as soon as the drive door closes, so that it can at least tell you what's in there, that means that it's going to read the title track, if for no other reason than to determine the filesystem type. If there's an exploit in the code that reads that track, then you MIGHT be in trouble with a specially crafted CD/DVD/Blu-Ray disk, but I'm REASONABLY sure that this code is tight enough.
        SupraGuy
    • It doesn't enable ANYTHING, actually. It asks the user if he/she wants to.

      Bit of a difference. The article implies it
      changes some setting in Windows, when really all
      it does is ask what the user wants to do.



      That said.. fuck iTunes, and fuck Windows.
      AzuMao
      • ummm, yes it does.

        "It doesn't enable ANYTHING, actually. It asks the user if he/she wants to."

        Actually, it does enable AutoRun if you're silly enough to trust Apple and click "Yes". Like an average user is going to know whether turning on AutoRun is a good or bad thing? They just know they want their iTunes to run as intended.
        Badgered