In the fist February 2011, Patch Tuesday released last night, Microsoft distributed a security fix that disables Autorun with USB drives and other forms of removable storage on Windows Vista, XP and 2000, and Server 2008 and 2003. Windows 7 by default has Autorun disabled for removable storage, so this is just bringing the older OSs into line.
Until now, those versions dutifully executed code embedded in autorun.inf files without first prompting the user. The default behavior provided a convenient way to propagate malware such as Conficker, which hijacked the feature to spread itself each time an infected drive was inserted.
Incidentally, because Microsoft says it hasn't seen an in-the-wild malware attack that uses CDs or DVDs, AutoPlay will still work with "shiny media."
Weighing the minimal amount of convenience from Autorun against its potential for bad things to happen, we still think it's a bad idea, even for CDs and DVDs. Those who agree can turn it off entirely by following the instructions KB967715.