"For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled."
This is still inaccurate. Or at least, it's not accurate enough. We know what Microsoft is trying to say but we think some folks might misinterpret. It would be better to state that AutoPlay functionality for removable disks is automatically LIMITED.
Take a look at our Windows 7 test machine, which was hardened. This is a button in the AutoPlay Control Panel:
"Reset all defaults."
So we opted to restore the defaults:
"Use AutoPlay for all media and devices" is now enabled. That's ALL media and devices.
This is the dialog that was presented when a USB flash drive containing multimedia files was inserted into the Windows 7 system:
The highlighted option is "Open folder to view files."
So what is disabled? AutoPlay? No. Windows 7 AutoPlay isn't disabled, rather, it doesn't include the OPTION to set a default ACTION for removable disks.
But in the case of the LNK vulnerability, one click, and you're at risk, by DEFAULT.
Windows 7 AutoPlay is a significant improvement compared to Windows XP AutoPlay. In fact, it is probably close to a perfect balance of security and functionality… for consumers.
However, businesses and organizations at risk from targeted attacks are a different story. They should fully disable AutoPlay.
For example, this is one of Conficker's methods of attack:
Conficker's autorun.inf file used a Windows system folder icon in its efforts to be the first option presented. One click, and you'll launch the autorun.inf. Clever trick, eh?
Here's another theoretical AutoPlay issue (not a vulnerability). USB storage devices can include a partition formatted as a Virtual CD.
In this case, the partition is treated as a regular CD by AutoPlay.
When we wrote the Virtual CD post back in June, it seemed highly unlikely that we'd see it deliberately used in a targeted attack. We thought it was much more likely to affect someone due to a compromise in the manufacturing process; that the Virtual CD would be infected in the master copy at the factory.
But now, considering the Stuxnet case, which uses a zero-day flaw, signed drivers, and targets Siemens SIMATIC WinCC databases… maybe the idea of a Virtual CD attack isn't so far-fetched after all. Clearly there's some very motivated espionage in play.
Bottom line: If you're an IT manager with Windows 7 systems in your network, disable AutoPlay.
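As an added example, not part of the original post, here is a PowerShell snippet an IT manager could use to audit and enforce the machine-wide policy that the Group Policy settings "Turn off AutoPlay" (all drives) and "Default behavior for AutoRun" (do not execute any autorun commands) write to the registry. It assumes it is run from an elevated prompt on Windows 7 or later, and it uses the documented Explorer policy values NoDriveTypeAutoRun (0xFF disables AutoPlay for every drive type, including removable disks and CD/Virtual CD media) and NoAutorun (1 stops autorun.inf from being honored). The function names are our own.

```powershell
# Added example (not from the original post): audit and enforce the machine-wide
# AutoPlay/AutoRun policy for all drive types.
# Assumptions: elevated PowerShell on Windows 7 or later; the registry values below
# are the documented ones behind the corresponding Group Policy settings.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoPlayPolicyState {
    # Reads the two policy values and reports whether AutoPlay is fully disabled.
    # Missing values come back as $null, which reads as "not disabled by policy".
    $noDriveType = (Get-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $noAutorun   = (Get-ItemProperty -Path $PolicyPath -Name 'NoAutorun' `
                    -ErrorAction SilentlyContinue).NoAutorun
    [pscustomobject]@{
        NoDriveTypeAutoRun = $noDriveType
        NoAutorun          = $noAutorun
        AllDrivesDisabled  = ($noDriveType -eq 0xFF)   # 0xFF = every drive-type bit set
        AutorunInfIgnored  = ($noAutorun -eq 1)
    }
}

function Disable-AutoPlayAllDrives {
    # Applies the policy equivalent of "Turn off AutoPlay: All drives" and
    # "Default behavior for AutoRun: Do not execute any autorun commands".
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $PolicyPath -Name 'NoAutorun' -Value 1 -Type DWord
}

# Audit first; only write when the machine is not already fully locked down.
$before = Get-AutoPlayPolicyState
if (-not ($before.AllDrivesDisabled -and $before.AutorunInfIgnored)) {
    Write-Host 'AutoPlay is not fully disabled by policy; applying settings.'
    Disable-AutoPlayAllDrives
}
Get-AutoPlayPolicyState | Format-List
```

The audit function alone is useful for checking a fleet: a machine where either flag reports False still presents the AutoPlay dialog (or honors autorun.inf) for at least some drive types. A per-user override can also live under the same path in HKCU, and a new sign-in or Explorer restart may be needed before the change is visible; if the setting is managed through a domain GPO, set it there rather than directly in the registry so it is not reverted at the next policy refresh.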