On Windows, autorun.inf. This technique has been around since at least the 90s when CD-ROM drives were introduced to PCs... it is how a newly inserted CD (and later usb disk) can automatically execute software on insertion:
Autorun has been disabled by default for a long time (with good reason). And it has never worked with USB drives, only ones which emulated a CD drive such as U3 USB drives.
>Before Windows XP SP2, AutoPlay was disabled by default on removable drives, such as the floppy disk drive (but not the CD drive), and on network drives. Starting with Windows XP SP2, AutoPlay is enabled for removable drives. This includes ZIP drives and some USB mass storage devices.
I've always been surprised that autorun wasn't re-enabled when app stores / code signing was introduced. If Microsoft or Apple is willing to sign an installer saying that it's something safe to install, isn't that proof enough to let it run when you insert the USB key it's on?
I know this isn't really very relevant for the specific combination of installers and physical media any more, since it's rare for anyone to be trying to install something off a CD/DVD/USB these days (other than a new OS, of course.)
But I could see the use case for physical media doing something other than running an installer (e.g. DRMed disks launching the equivalent of a FUSE server to mount the "rest" of the disk); or for non-physical media (e.g. macOS DMG disk images) being able to autorun their embedded installer. Either way, the code signing that the platforms are already doing would be enough to make these safe, no?
Windows code signing does not include a step where Microsoft inspects the code. The developer gets a certificate from a commercial CA and signs the code. If the certificate is an EV certificate, that's basically it. If it's a regular certificate, Windows does a callback to Microsoft that seems to just be a popularity check --- if the certificate has been used a lot, then the prompts go away.
At best, Windows code signing lets you know who signed it and that that person was able to pay a CA some money, not that it's safe to run.
Regular developer code-signing, yes. But I'm talking about the code-signing that's done by Microsoft (rather than by your own Microsoft-signed cert) on the Microsoft Store backend; or the code-signing that's manually done by Microsoft when a third party submits a driver package to them for inclusion as a Windows update.