In April, Microsoft altered AutoRun and AutoPlay, a pair of technologies originally designed for CD-ROM content, to keep malware from silently installing on a victim's PC. The Conficker worm, which exploded onto the PC scene in January, snatching control of millions of machines, used several methods to jump from PC to PC, including USB flash drives.
Conficker copied a malicious "autorun.inf" file to any USB storage device that was connected to an already-infected machines, then spread to any other PC if the user connected the device to that second computer and picked the "Open folder to view files" option under "Install or run program" in the AutoPlay dialog.
Microsoft responded by changing Windows 7 so that the AutoPlay dialog no longer let users run programs, except when the device was a nonremovable optical drive, like a CD or DVD drive. After the change, a flash drive connected to a Windows 7 system only let users open a folder to browser a list of files.
Four months ago, Microsoft promised to make similar changes in other operating systems -- Windows XP, Vista, Server 2003 and Server 2008 -- but declined to set a timeline.
On Friday, Microsoft used its Security Research & Defense blog to announce the availability of the updates for XP, Vista and the two Server editions.
Microsoft issued the updates almost three weeks ago, on Aug. 25, but did not push them to users automatically via Windows Update, or the corporate patch service Windows Server Update Services (WSUS). Instead, users must steer to Microsoft's download site, then download and install the appropriate update manually. Links to the download are included in a document posted on the company's support site.
The Windows XP update weighs in at 3MB, while the one for Vista is about 7MB.
The AutoRun and AutoPlay changes debuted in the Windows 7 Release Candidate (RC), which was available for public downloading from May 4 to Aug. 20. Windows 7 is set to go on sale Oct. 22.