Saturday, May 09, 2009

Security fix in Windows 7 may negatively impact computer accessibility for all Windows users

I’ve known about the following matter for almost two weeks, but have taken a wait-and-see attitude about writing it up here, to see if anything came out about it on the assistive technology front. I know the subject has trickled out some in AT circles, but I still have not heard anything mentioned anywhere about the impact of this change on accessibility products such as screen readers that run off portable USB thumb drives.

Also, one has to wonder how will the use of Serotek’s wonderful, U3 Smart drive accessibility tool, System Access Mobile, be impacted?

The information I’m worried about is from the TechNet blog Security Research & Defense, which touts itself as “Information from Microsoft about vulnerabilities, mitigations and workarounds, active attacks, security research, tools and guidance,” so I give it some credibility. The subject is a new security fix in the latest release candidate of Windows 7, in a post titled “AutoRun changes in Windows 7.”

In a nutshell, the post says that the Conficker virus and other types of malware have been spreading via the AutoRun function in Microsoft Windows. To stop this, Microsoft has instituted a security fix in Windows 7 that will no longer allow the AutoRun function to come up when USB devices are plugged in.

That wouldn’t bother me, except that this includes thumb drives that give portability to screen readers and allow users to use virtually any computer. The post does explain the difference between AutoRun and AutoPlay, which makes sense, but it is pretty clear that this will keep the latest version of Windows from running portable applications from a jump drive, while still allowing them to run when launched from a CD or DVD.

And, if you’re sitting there grinning, saying that you just won’t upgrade to Windows 7, the post also states that this fix will be made available to Windows Vista and XP as well. I don’t see how we’re going to avoid this change. I don’t know when this will happen, but figure it will come as one of those Windows automatic updates.

I’m not a total geek, so some of the language in the article is not always clear to me. It does raise the issue of U3 smart drives, which I use in training students on using System Access, but I’m not totally clear how that will be affected. I’m happy to append this post with more information if anybody would care to enlighten me.

I know that there are other options, such as System Access’s ability to burn a CD to run the program, but I have liked the portability of just popping in a thumb drive.

I’ve been using thumb drives for access for a couple of years for my own use when away from home. When training, I’ve actually begun to carry around three drives in my pocket. On one, I have System Access; on another, I have JAWS, which I use with a couple of students; and, on my most recent addition, I’ve got NVDA, the open source, screen reading program, which I demo as a free alternative.

I hope I’m not coming across as some Chicken Little on this subject. It’s just that I know there are many applications which run on thumb drives, including many assistive technology programs, and I’m just trying to either get some answers or get discussion going on a matter that I’m afraid is going to negatively impact computer accessibility for many.

4 comments:

Casey Mathews said...

Hello. I do have Windows 7 RC. The security fix does appear to be in place. I'm a heavy user of SA, and I have not gotten SA to work off of my thumb drive. This is true even when I manually run the programs in question, u3launcher.exe and SA.exe. I'll be waiting to see how this is resolved...

Peter Bossley said...

I read about this a few weeks ago as well. This post from the Windows 7 engineering blog seems to indicate that u3 will still function as designed. In the case of JAWS and others that do not use this technology, I would suggest that we look at encouraging them to embrace the platform. Since u3 emulates a CD-drive we should still be able to use system access. As of Release Candidate build 7100 my SA key is working.

http://blogs.msdn.com/e7/archive/2009/04/27/improvements-to-autoplay.aspx

Anonymous said...

I like the fact that U3 helps the programs launch from the smart drive. I can see the possibility of malicious software being used on the smart drive. However, I think that Microsoft needs to get the antivirus companies involved with this and/or provide some sort of antivirus with Windows to prevent worms or other types of malicious software from auto-running and/or auto-playing. There are other viable fixes other than turning something off to fix yet another gaping hole in Windows. I am sure the Serotek team is well aware of this new patch; however, are they able to work a fix around? In addition, there has been no proof that the U3 smart drives or other USB drives had carried the Conficker worm. It has been just speculation on Microsoft’s part. The fact remains that the internet has played a huge role in transmission of this particular virus worm and other malicious software for years. I have an idea: let’s turn off the internet and that way we will fix the problem. It works for Microsoft, why can’t it work for everyone else? Or let’s all quit sending email; that will certainly make the post office very happy. I think that this patch is a poor way to fix a potential problem, and there are other ways, such as verification of what is about to run, and if it looks suspicious then warn the user of that, just like you do with the cool User Account Control, otherwise known as the UAC, in Vista. Come on Microsoft, get a better solution to a feature you have had for years in Windows; don’t just turn something off to fix a problem, come up with a solution that will let people have auto play and auto run. Get your think tank on this one and I am sure that Microsoft can come up with a solution that lets users still utilize auto run and play.

Karmakaze said...

Disabling autorun on USB drives is something that should have happened a very long time ago.

There is NO reason to execute program code automatically. In the special case you are talking about (screen readers) perhaps Windows should have a hotkey combo that can start a screen reader on a USB stick - but auto starting is insane.

As for the person saying there is no proof that viruses spread via USB sticks - you obviously have no idea what you are talking about and should keep your ignorant opinions to yourself. I own an internet cafe, and I can PROVE malware uses the USB autorun feature to spread (not least because I have to clean USB sticks on a regular basis for our customers).

Autorun is insane. For those that don't know, autorun is a feature that allows Windows to run any program code on a CD/DVD/USB Stick without any user intervention.

Autoplay is a similar but FAR safer feature. In that case Windows LOOKS at the CD/DVD/USB stick and sees what is on there (programs, mp3 etc) then ASKS what you want to do (launch player etc) - no executable code on the disk is run until you ASK it to be run.

Sure this may make things slightly more inconvenient for screen readers etc - but preventing virus spread affects far more people, including the visually impaired.
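
An added example, not part of the original post or its comments: AutoRun takes its instructions from an `autorun.inf` file in the drive's root, so a stick can be checked for entries that name a program before it is plugged into other machines. The sample file contents and `launcher.exe` are constructed placeholders, and the "ignored"/"honoured" outcomes only model the USB versus CD/DVD split described in the post.

```python
import re

EXEC_KEYS = {"open", "shellexecute"}                   # programs AutoRun launches
SHELL_VERB = re.compile(r"^shell\\[^\\]+\\command$")   # right-click verb commands


def parse_autorun(text):
    """Return the [autorun] section as {key: value}; junk lines are skipped."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def audit(text, media):
    """List entries that name a program, with the outcome for this media type.

    media: "removable" (USB stick) or "cdrom" (CD/DVD, or a drive that
    presents itself as one). Outcomes model the change described in the post.
    """
    outcome = "ignored" if media == "removable" else "honoured"
    return [(k, v, outcome) for k, v in parse_autorun(text).items()
            if k in EXEC_KEYS or SHELL_VERB.match(k)]


# Constructed sample: includes junk lines that a strict INI parser would
# reject; the file names are placeholders.
SAMPLE = """\
xK3jq9 junk before the section
[AutoRun]
; comment
Icon=folder.ico
zzzz junk inside the section
Open = launcher.exe /start
shell\\explore\\command=launcher.exe
Label=My Drive
"""

if __name__ == "__main__":
    for media in ("removable", "cdrom"):
        for key, value, outcome in audit(SAMPLE, media):
            print(f"{media:9} {key:22} -> {value} [{outcome}]")
```

The `Icon` and `Label` entries are not reported because they do not name anything to execute.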