
I don't see anything wrong with auto running a CD. I physically put it in the computer. And seriously, what security checks do you think a normal user is going to do between the pop-up appearing and clicking "run"?

Edit: three responses, zero examples of checks an actual user would do. Two references to the Sony rootkit, which was resolved after intense press by Sony removing the rootkit unconditionally, not by giving the users a choice, because everybody knows users would have clicked yes.




A mass storage device is supposed to contain data, and possibly software. When you connect an MSD, in general, you probably want to access the data inside it - its filesystem.

If an "autorun" system is implemented, and on by default, MSDs become a hefty vector for circulating malware - it takes little to foresee it. This happened - and out of a really bad idea: "connecting a device" is in general not to be interpreted as "wanting to run software".

As for the «normal/actual user» (though I do not understand how it is relevant), well, if said user connected an MSD, a data container, and were prompted that some code "wanted" to be executed, the user is supposed to react in terms of "WTF?!". Exceptional classes of cases can be managed - but really, the advantage of avoiding opening the device filesystem and starting an executable is less than negligible. When such behaviour is desired, a system should be specialized for that whole framework (and should revolve around the design concept of "trusting software").


I would say bewilderment that a music/video/data CD wants to execute an auto start exe on it. Other than that you may want to check if the CD actually contains the program you expect before running it.

Then you have Sony which abused auto run to install a rootkit on PCs as part of its copy protection.


These users don't know the difference between an exe and an mp3, come on. They'd figure it was auto starting iTunes.

How do you expect a normal user to verify the contents of a CD?


Not if they are never given the choice.


You want examples of auto-run abuse… I saw many usb keychains with autorun.ini and a lot of hidden files combined with links to other hidden files to simulate the “regular” files after spreading the malware if you click them.

It exploits many vulnerabilities: auto-run, hidden extensions, no protection against running unsigned binaries, links that are not simple filesystem links…

Windows evolved in a time when solutions for usability problems did not consider security. Now, in the name of compatibility, these vulnerabilities had to be maintained and users were trained to believe that was the right way to do things.

This gave Windows users a reputation of being negligent, but most are not. They were trained like dogs to behave like that.


This is a huge security risk. Microsoft actually fixed it. The system shouldn't do anything that could compromise it without explicit user intervention.

If you want the computer to do something, tell it to. Inserting physical media doesn't mean you want adware automatically installed.
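The two comments above describe a pattern (an autorun.inf launching a hidden executable, with shortcuts standing in for hidden real files) and the policy-level fix. As an added illustration, not code from any commenter, here is a small Python triage script a defender could run over a volume listing: it parses the launch directives out of an autorun.inf, flags hidden executables, decoy shortcuts and double extensions, and decodes the documented NoDriveTypeAutoRun bitmask to show which drive types a given policy value still leaves autorun enabled for. The listing and the autorun.inf text are constructed samples; the `hidden` flag on each entry stands in for the FILE_ATTRIBUTE_HIDDEN bit you would read from the real device, and the bit values come from the Windows policy documentation.

```python
# Added example (not any commenter's code): triage a removable volume's listing
# for the autorun.inf / hidden-file / decoy-shortcut pattern, and decode the
# NoDriveTypeAutoRun policy value that disables autorun per drive type.
import configparser
from dataclasses import dataclass

# Executable extensions worth flagging when they are hidden on removable media.
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "vbs", "js", "pif"}
# Document extensions that a double-extension decoy (Report.pdf.lnk) imitates.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "mp3", "txt"}
# Documented [autorun] directives that launch a program.
EXEC_KEYS = {"open", "shellexecute"}


@dataclass
class Entry:
    name: str
    hidden: bool  # stands in for FILE_ATTRIBUTE_HIDDEN on the real device (assumption)


def parse_autorun(text: str):
    """Return (key, command) pairs from an autorun.inf that would launch code."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    launches = []
    for section in cp.sections():
        if not section.lower().startswith("autorun"):  # [autorun], [autorun.amd64], ...
            continue
        for key, value in cp.items(section):
            # configparser lower-cases keys; shell\<verb>\command adds context-menu verbs
            if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                launches.append((key, (value or "").strip()))
    return launches


def find_decoy_shortcuts(entries):
    """Shortcuts whose visible name matches a hidden sibling (Explorer hides the .lnk suffix)."""
    hidden = {e.name.lower() for e in entries if e.hidden}
    return [e.name for e in entries
            if e.name.lower().endswith(".lnk") and e.name[:-4].lower() in hidden]


def find_hidden_executables(entries):
    """Hidden files carrying an executable extension."""
    return [e.name for e in entries
            if e.hidden and e.name.rsplit(".", 1)[-1].lower() in EXEC_EXTS]


def find_double_extensions(entries):
    """Names like Resume.docx.lnk: a document extension followed by an executable/shortcut one."""
    out = []
    for e in entries:
        parts = e.name.lower().split(".")
        if len(parts) >= 3 and parts[-1] in EXEC_EXTS | {"lnk"} and parts[-2] in DOC_EXTS:
            out.append(e.name)
    return out


def triage(autorun_text, entries):
    """Summarise everything on the volume that the comments above warn about."""
    return {
        "autorun_launches": parse_autorun(autorun_text) if autorun_text else [],
        "decoy_shortcuts": find_decoy_shortcuts(entries),
        "hidden_executables": find_hidden_executables(entries),
        "double_extensions": find_double_extensions(entries),
    }


# NoDriveTypeAutoRun bitmask (Software\Microsoft\Windows\CurrentVersion\Policies\Explorer):
# a set bit disables autorun for that drive type; 0xFF disables it everywhere,
# 0x91 is the historical default that left removable and CD-ROM drives enabled.
DRIVE_BITS = {"unknown": 0x01, "no_root": 0x02, "removable": 0x04, "fixed": 0x08,
              "network": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "unknown_type": 0x80}


def autorun_disabled_for(policy_value: int, drive_type: str) -> bool:
    return bool(policy_value & DRIVE_BITS[drive_type])


def autorun_policy_gaps(policy_value: int):
    """Drive types for which the given policy value still leaves autorun enabled."""
    return [t for t, bit in DRIVE_BITS.items() if not policy_value & bit]


# Constructed sample: what a stick like the one described above might present.
SAMPLE_AUTORUN = """[autorun]
open=hidden_payload.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Holiday Photos
shell\\open\\command=hidden_payload.exe
shell\\explore\\command=hidden_payload.exe
"""

SAMPLE_LISTING = [
    Entry("autorun.inf", hidden=True),
    Entry("hidden_payload.exe", hidden=True),
    Entry("Photos", hidden=True),          # the real folder, hidden
    Entry("Photos.lnk", hidden=False),     # displayed as "Photos" once Explorer hides .lnk
    Entry("Resume.docx", hidden=True),
    Entry("Resume.docx.lnk", hidden=False),
    Entry("vacation.jpg", hidden=False),
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_AUTORUN, SAMPLE_LISTING).items():
        print(f"{k}: {v}")
    print("autorun still enabled under default 0x91 for:", autorun_policy_gaps(0x91))
    print("autorun still enabled under 0xFF for:", autorun_policy_gaps(0xFF))
```

The decoy check deliberately keys on names rather than on the shortcut's target, because the real .lnk target field is exactly what the comment says cannot be trusted to look like a simple filesystem link; on a real device you would feed it `os.scandir` results with the hidden attribute read from `stat().st_file_attributes` on Windows.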


We had a big hullabaloo about this in 2005 when Sony put a rootkit on audio CDs.

https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...




