CDs that execute code without asking

TheMSsForum.com: The Microsoft Software Forum

Hi,

The other day I took my 35mm film to a photography shop and asked for
a CD of my scanned photos along with negatives and prints.

When I put the CD in my PC, Windows XP immediately executed a FujiFilm
photo-viewing program on the CD without asking me.

I am no expert on security, but doesn't this break all the rules?
When you insert, say, an audio CD, Windows asks you what you want to
do with it. One of the choices is "Do Nothing". Microsoft have gone
to some lengths to educate people not to execute e-mail attachments.
So why is Windows running arbitrary code on a 3rd party CD without my
consent?

Unlike e-mail attachments, I'm reasonably confident it won't have a
virus. But still, running code can do anything. Did software get
installed? Even if the purpose is innocent (say, to make start-up
time faster next time), did it add/change registry settings?
Overwrite DLLs? This risks breaking something else on the PC. What
about spyware? "Bundled" commercial software like this is a high-risk
category for spyware, I'd think.

Anyway, the point is not whether this particular software is safe -
it's that I don't think Windows should have run it without asking me.
I want Windows to tell me the CD is trying to run software, and ask
if I agree. Then I can decide whether I trust the vendor. After all,
I asked for data, not software.

Is there any way to recongifure Windows to prevent it doing this? Is
this behaviour still the default in SP2?

Thanks,
James
Top

Re: CDs that execute code without asking by Miha

Miha
Tue Aug 24 16:41:39 CDT 2004

Hi James,

Here is how you can disable this feature...
http://www.winguides.com/registry/display.php/156/

I agree this can be exploited but then again, you shouldn't pick up CDs on
the street and then check what was stored on them :-)...

Mike

"James G" <jamesg255@hotmail.com> wrote in message
news:4d249926.0408241314.33df35bf@posting.google.com...
> Hi,
>
> The other day I took my 35mm film to a photography shop and asked for
> a CD of my scanned photos along with negatives and prints.
>
> When I put the CD in my PC, Windows XP immediately executed a FujiFilm
> photo-viewing program on the CD without asking me.
>
> I am no expert on security, but doesn't this break all the rules?
> When you insert, say, an audio CD, Windows asks you what you want to
> do with it. One of the choices is "Do Nothing". Microsoft have gone
> to some lengths to educate people not to execute e-mail attachments.
> So why is Windows running arbitrary code on a 3rd party CD without my
> consent?
>
> Unlike e-mail attachments, I'm reasonably confident it won't have a
> virus. But still, running code can do anything. Did software get
> installed? Even if the purpose is innocent (say, to make start-up
> time faster next time), did it add/change registry settings?
> Overwrite DLLs? This risks breaking something else on the PC. What
> about spyware? "Bundled" commercial software like this is a high-risk
> category for spyware, I'd think.
>
> Anyway, the point is not whether this particular software is safe -
> it's that I don't think Windows should have run it without asking me.
> I want Windows to tell me the CD is trying to run software, and ask
> if I agree. Then I can decide whether I trust the vendor. After all,
> I asked for data, not software.
>
> Is there any way to recongifure Windows to prevent it doing this? Is
> this behaviour still the default in SP2?
>
> Thanks,
> James


Top

Re: CDs that execute code without asking by Tejas

Tejas
Wed Aug 25 02:00:38 CDT 2004

Agree with Mike, try to use the CD's that comes from the trusted sources and
allways have your adware, antivirus software monitoring your system.

Tejas Patel
"James G" <jamesg255@hotmail.com> wrote in message
news:4d249926.0408241314.33df35bf@posting.google.com...
> Hi,
>
> The other day I took my 35mm film to a photography shop and asked for
> a CD of my scanned photos along with negatives and prints.
>
> When I put the CD in my PC, Windows XP immediately executed a FujiFilm
> photo-viewing program on the CD without asking me.
>
> I am no expert on security, but doesn't this break all the rules?
> When you insert, say, an audio CD, Windows asks you what you want to
> do with it. One of the choices is "Do Nothing". Microsoft have gone
> to some lengths to educate people not to execute e-mail attachments.
> So why is Windows running arbitrary code on a 3rd party CD without my
> consent?
>
> Unlike e-mail attachments, I'm reasonably confident it won't have a
> virus. But still, running code can do anything. Did software get
> installed? Even if the purpose is innocent (say, to make start-up
> time faster next time), did it add/change registry settings?
> Overwrite DLLs? This risks breaking something else on the PC. What
> about spyware? "Bundled" commercial software like this is a high-risk
> category for spyware, I'd think.
>
> Anyway, the point is not whether this particular software is safe -
> it's that I don't think Windows should have run it without asking me.
> I want Windows to tell me the CD is trying to run software, and ask
> if I agree. Then I can decide whether I trust the vendor. After all,
> I asked for data, not software.
>
> Is there any way to recongifure Windows to prevent it doing this? Is
> this behaviour still the default in SP2?
>
> Thanks,
> James


Top

Re: CDs that execute code without asking by Karl

Karl
Wed Aug 25 05:10:00 CDT 2004

Microsoft would get complaints no matter which setting they chose as the
default. CD auto-play feature is a huge help to a lot of people who aren't
very computer literate.

Granted, it might be a better compromise if the default was a prompt warning
and asking the user... but then again, I feel that user prompts are not very
reliable security, because most users will click past them to become
infected.


"James G" <jamesg255@hotmail.com> wrote in message
news:4d249926.0408241314.33df35bf@posting.google.com...
> Hi,
>
> The other day I took my 35mm film to a photography shop and asked for
> a CD of my scanned photos along with negatives and prints.
>
> When I put the CD in my PC, Windows XP immediately executed a FujiFilm
> photo-viewing program on the CD without asking me.
>
> I am no expert on security, but doesn't this break all the rules?
> When you insert, say, an audio CD, Windows asks you what you want to
> do with it. One of the choices is "Do Nothing". Microsoft have gone
> to some lengths to educate people not to execute e-mail attachments.
> So why is Windows running arbitrary code on a 3rd party CD without my
> consent?
>
> Unlike e-mail attachments, I'm reasonably confident it won't have a
> virus. But still, running code can do anything. Did software get
> installed? Even if the purpose is innocent (say, to make start-up
> time faster next time), did it add/change registry settings?
> Overwrite DLLs? This risks breaking something else on the PC. What
> about spyware? "Bundled" commercial software like this is a high-risk
> category for spyware, I'd think.
>
> Anyway, the point is not whether this particular software is safe -
> it's that I don't think Windows should have run it without asking me.
> I want Windows to tell me the CD is trying to run software, and ask
> if I agree. Then I can decide whether I trust the vendor. After all,
> I asked for data, not software.
>
> Is there any way to recongifure Windows to prevent it doing this? Is
> this behaviour still the default in SP2?
>
> Thanks,
> James


Top

Re: CDs that execute code without asking by jamesg255

jamesg255
Thu Aug 26 14:05:05 CDT 2004

Mike wrote:
> Here is how you can disable this feature...
> http://www.winguides.com/registry/display.php/156/

Thanks! I'll give it a go.

James
Top

Re: CDs that execute code without asking by jamesg255

jamesg255
Thu Aug 26 14:15:02 CDT 2004

Tejas Patel wrote:
> Agree with Mike, try to use the CD's that comes from the trusted sources and
> allways have your adware, antivirus software monitoring your system.

Mike wrote:
> I agree this can be exploited but then again, you shouldn't pick up
> CDs on the street and then check what was stored on them :-)...

What? So I can't play audio CDs I find in the street?

Seriously, this seems a tad draconian. I thought modern PCs were
meant to be multimedia centres capable playing all sorts of discs and
other media as effectively as a hi-fi appliance. Windows comes
bundled with all sorts of apps like Media Player, a Photo viewer, and
software for watching DVDs, which serve exactly that purpose.

So how can we say users "shouldn't" pick up CDs on the street and
play them with the expectation that they contain *data* or some form
of multimedia content that can be opened or played using trusted
software already installed on the PC? Of course, multimedia can
contain embedded code but that's completely different if it runs in
some kind of sandbox.

If a CD actually advertises itself as software rather than data or
content, then - well, I've never come across an install CD that didn't
ask you if you want to install it before going ahead and installing.
Prompting is not that alien a concept!

In the same way that there's a clear distinction between merely
visiting a web page, and actually downloading and running native code
from it, surely there should be an equally clear distinction between
inserting and examining a CD you expect to contain data/content, and
choosing to run or install something from it. For Windows to enable a
feature by default that completely erodes that distinction seems
wrong. It means a malicious CD could masquerade as (say) an audio CD
and cause all sorts of damage just by being inserted. Practically
banning users from inserting CDs can't be the answer, you might as
well ask them to rip out their CD drives and disconnect from the
internet! ;-)

James
Top

Re: CDs that execute code without asking by jamesg255

jamesg255
Thu Aug 26 14:31:18 CDT 2004

Karl Levinson wrote:
> Microsoft would get complaints no matter which setting they chose as
> the default.

But times change, and the proportion who would applaud Microsoft for
this kind of thing is growing while those who would complain are
shrinking.

> CD auto-play feature is a huge help to a lot of people who aren't
> very computer literate.

If Windows prompted, I don't see that affecting usability. Browsers
do this all the time. It could have a "Don't ask me again" tick-box.

> Granted, it might be a better compromise if the default was a prompt
> warning and asking the user... but then again, I feel that user
> prompts are not very reliable security, because most users will
> click past them to become infected.

But a lot of people are more cautious now, given all the publicity
about viruses and spyware. Even if they're in the minority, they
should be given a reasonable opportunity to exercise their caution.

This means not having to hack the registry. The computer-illiterate
have a right to exercise their caution too :-)

A prompt would basically say "The CD is trying to run a program stored
on the CD. If the CD is malicious, it might not be safe. Do you wish
to continue? Only say Yes if you trust the vendor."

This boils down to two simple concepts, danger and trust. Neither of
these is technical and they can be understood quite easily.

I guess most audio CDs, video DVDs and CD/DVD-ROMs are not configured
to auto-run anyway so the prompt wouldn't appear most of the time.

James
Top

Re: CDs that execute code without asking by G

G
Thu Aug 26 15:36:06 CDT 2004

James G wrote:
> Tejas Patel wrote:
>
>>Agree with Mike, try to use the CD's that comes from the trusted sources and
>>allways have your adware, antivirus software monitoring your system.
>
>
> Mike wrote:
>
>>I agree this can be exploited but then again, you shouldn't pick up
>>CDs on the street and then check what was stored on them :-)...
>
>
> What? So I can't play audio CDs I find in the street?
>
> Seriously, this seems a tad draconian. I thought modern PCs were
> meant to be multimedia centres capable playing all sorts of discs and
> other media as effectively as a hi-fi appliance. Windows comes
> bundled with all sorts of apps like Media Player, a Photo viewer, and
> software for watching DVDs, which serve exactly that purpose.
>
> So how can we say users "shouldn't" pick up CDs on the street and
> play them with the expectation that they contain *data* or some form
> of multimedia content that can be opened or played using trusted
> software already installed on the PC? Of course, multimedia can
> contain embedded code but that's completely different if it runs in
> some kind of sandbox.
>
> If a CD actually advertises itself as software rather than data or
> content, then - well, I've never come across an install CD that didn't
> ask you if you want to install it before going ahead and installing.
> Prompting is not that alien a concept!
>
> In the same way that there's a clear distinction between merely
> visiting a web page, and actually downloading and running native code
> from it, surely there should be an equally clear distinction between
> inserting and examining a CD you expect to contain data/content, and
> choosing to run or install something from it. For Windows to enable a
> feature by default that completely erodes that distinction seems
> wrong. It means a malicious CD could masquerade as (say) an audio CD
> and cause all sorts of damage just by being inserted. Practically
> banning users from inserting CDs can't be the answer, you might as
> well ask them to rip out their CD drives and disconnect from the
> internet! ;-)
>
> James

Shipped cd's from even Microsoft have had viruses or worms on them.

g-w
Top