You can plug lots of handy items into your computer’s USB port, from mobile storage devices to printers. If you’re not careful, you can also plug in a piece of malware, as well. That threat is growing rapidly: One USB-borne piece of malware known as INF/Autorun has been at the top of the threat charts two months in a row.

USB-equipped devices are a convenience particularly to mobile workers, but they are also a growing threat because of the way computers inherently trust them, according to Randy Abrams, director of technical education at ESET, a maker of security software. “When you plug a USB device into a computer, in order to make the consumer experience better and easier, Microsoft [operating systems] will automatically run programs,” he told us. “It should start the install automatically so the customer doesn’t have to know anything to get the program installed.”

That’s a danger, he said, because the autorun feature is “completely blind” to the programs it runs. “So I can put bad programs on CDs and USB devices, and as soon as you plug them in, it’s going to automatically install that bad software.”

Feature or Vulnerability?

The autorun feature may be a convenience for customers, but for security experts it’s anathema, Abrams said. “Microsoft’s own security experts say that autorun is a bad thing,” and he should know — he worked for the Redmond giant for a dozen years, nearly half of them spent making sure that the company didn’t release any infected software.

“I’m not a Microsoft hater, but this is just a completely insane feature,” he said. “It’s like the customers are in a hockey game, and what Microsoft has done is remove the customer’s offensive line and defensive line. The customer is like the goalie, so Microsoft has taken off the goalie’s…