Oops. Windows Autorun is fixed, almost...

ScottWright
Group Administrator

Subject: Oops. Windows Autorun is fixed, almost...
Technical IT Security Discussions
posted by ScottWright on Saturday, March 28th 2009 @ 12:54 AM

Due to a well-known bug in Windows, for years, it's been possible to have drives with autorun.inf files in them automatically run a specified program on the drive as soon as it was connected, even if the registry settings were set correctly.

This has become a big problem for USB drives, especially since exploits like the Conficker worm started taking advantage of the broken registry settings.

Microsoft has now come out and provided a fix to the problem, so you can actually disable autorun. However, after listening to Steve Gibson's description of what you have to do to make it stick, the feature may as well still be considered broken for many versions of Windows. It is such a convoluted process to actually get the settings right, that it's very likely that people may mistakenly think they've disabled autorun when all is said and done.

They actually added a new registry setting that essentially says, "Yes, I really want to disable autorun" because they felt that making the settings work the way they originally had intended might cause many environments that depend on it running incorrectly to fail if they fixed it. Makes perfect sense, doesn't it?

You can learn all the gory details from the Security Now podcast (Episode 187), or just view the transcripts. Both are available at:

http://www.grc.com/securitynow.htm

Just look for the box with Episode 187 to find the audio program or the text transcripts. Thanks to Steve for painstakingly researching and testing the configurations. It really is an important thing to get right in order to cut down some of the risk of getting infected by Conficker.

________________________________
Scott Wright
The Streetwise Security Coach

Would your organization be interested in obtaining the right to use my lessons or articles in your enterprise security awareness program? Please email me at the address below...

Email: scott@streetwise-security-zone.com
Twitter: http://www.twitter.com/streetsec
Phone: 613-693-0997
Podcast: http://www.streetwise-security-zone.com/podcast.html

DavidB
Personal

Subject: RE: Oops. Windows Autorun is fixed, almost...
Technical IT Security Discussions
posted by DavidB on Monday, June 13th 2011 @ 4:40 PM

The latest update from Microsoft is here.

http://support.microsoft.com/kb/967715

The main problem I have with it is that it's a lot of techie stuff for the average user to follow = unlikely to happen.
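
A check for the situation the thread describes, where AutoRun looks disabled but is not. This is an added example, not code from the posts or from Microsoft: it reads the two values documented in KB967715, NoDriveTypeAutoRun and HonorAutorunSetting, under the Policies\Explorer key. It assumes the Windows versions that KB covers and treats a set bit as "AutoRun disabled for that drive type"; the function names are hypothetical.

```powershell
# Added example: audit the AutoRun policy values documented in KB967715.
$PolicyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# NoDriveTypeAutoRun bit flags: a set bit disables AutoRun for that drive type.
$DriveTypeBits = @{
    'Unknown' = 0x01; 'Removable' = 0x04; 'Fixed' = 0x08; 'Network' = 0x10
    'CD-ROM'  = 0x20; 'RAM disk'  = 0x40; 'Reserved' = 0x80
}

function Get-PolicyValue([string]$Hive, [string]$Name) {
    # Returns nothing ($null) when the key or the value does not exist.
    $item = Get-ItemProperty -Path "${Hive}:\$PolicyPath" -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-AutorunPolicy {
    param($Hklm, $Hkcu, $Honor)   # raw DWORD values, $null when not set

    # The machine-wide (HKLM) value is used when present, otherwise the per-user one.
    $effective = if ($null -ne $Hklm) { $Hklm } elseif ($null -ne $Hkcu) { $Hkcu } else { $null }

    $findings = @()
    if ($null -eq $effective) {
        $findings += 'NoDriveTypeAutoRun is not set: the OS default applies'
    } else {
        foreach ($type in $DriveTypeBits.Keys) {
            if (-not ($effective -band $DriveTypeBits[$type])) {
                $findings += "AutoRun still enabled for drive type: $type"
            }
        }
    }
    # Assumption: on the systems KB967715 covers, the mask is only honored when this is 1.
    if ($Honor -ne 1) {
        $findings += 'HonorAutorunSetting is not 1: NoDriveTypeAutoRun may not be honored'
    }
    $findings   # an empty result means both values are set to disable AutoRun everywhere
}

# Audit the local machine.
Test-AutorunPolicy -Hklm  (Get-PolicyValue 'HKLM' 'NoDriveTypeAutoRun') `
                   -Hkcu  (Get-PolicyValue 'HKCU' 'NoDriveTypeAutoRun') `
                   -Honor (Get-PolicyValue 'HKLM' 'HonorAutorunSetting')

# Constructed sample input: mask 0x91 (only the Unknown, Network and Reserved bits set),
# with HonorAutorunSetting absent.
Test-AutorunPolicy -Hklm 0x91 -Hkcu $null -Honor $null
```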