
How Windows Gets Infected With Malware

timothy posted more than 2 years ago | from the sure-c'mon-in dept.

Security 373

Orome1 writes "Since up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits, CSIS has actively collected real-time data from them for a period of three months. The purpose of their study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third-party software are at risk. They monitored more than 50 different exploit kits on 44 unique servers / IP addresses. The statistical material covers all in all more than half a million user exposures, out of which as many as 31.3 % were infected with the virus/malware due to missing security updates."




70% on fully updated installs. (5, Interesting)

140Mandak262Jamuna (970587) | more than 2 years ago | (#37612612)

Salient point is that, fully updated and patched installs let 70% of the infections through.

Re:70% on fully updated installs. (-1)

Anonymous Coward | more than 2 years ago | (#37612720)

There is no patch for stupid users. When you have a user base that refuses to learn the basics of what they're dealing with it doesn't matter how strong your security is. You'll still shoot your eye out, kid.

Re:70% on fully updated installs. (5, Insightful)

Dunbal (464142) | more than 2 years ago | (#37612908)

Stupid users eh? Explain the following: Yesterday I visited the top site google provided for a search I did. I was not searching for anything particularly exotic or deviant, certainly not pornographic or illegal. Immediately on visiting the site with my Windows 7 machine, Microsoft Security Essentials pops up to alert me of a "severe" threat (Trojan:JS/BlacoleRef.A) it had located in my browser cache (Firefox 7.01). I did what the security program said, and it says the threat was removed. I have no idea if it was removed or not, my only choice with such an obfuscated, complicated OS is to assume that the tools I am given are not lying to me and are doing the job that they are.

However should I be infected in the above scenario, how exactly does this make me a "stupid user"? I've had a PC since the late 1970's. I can code in ASM, Cobol, Fortran, Basic, C, C++. I like to think I know how computers work. I don't click "Yes" to everything, and I don't run programs from dubious sources anywhere other than a virtual machine. Should I be going through my registry and boot files daily to not be a "stupid user"? Isn't that what an OS is supposed to do for me - take care of the basic functions of my machine while I run the programs I need? Are you just going to troll me by saying "use linux instead you noob"?

Re:70% on fully updated installs. (0)

AvitarX (172628) | more than 2 years ago | (#37612970)

It was in the browser cache, so you are fine (it didn't infect anywhere else, and UAC makes sure it doesn't have the privilege to hide from your virus software).

If you visited the same site with out of date software, there would be a chance of infection, but most likely the security essentials + uac would prevent it.

Re:70% on fully updated installs. (1)

spottedkangaroo (451692) | more than 2 years ago | (#37613084)

Unless the scanner didn't know the virus yet. I think you'll find that they don't know about anything from the last month or so. If you check virus total with the various binaries you collect on a mail server, you'll find that literally *most* of them don't get caught in any consistent way by any majority of the virus scanners listed there. It's not just that virus scanners suck, it's that they don't work for anything but the oldest stuff. So I hope UAC can do the job and it isn't a userspace malware setup.

Re:70% on fully updated installs. (1)

houstonbofh (602064) | more than 2 years ago | (#37613020)

Are you just going to troll me by saying "use linux instead you noob"?

Use Virtual Box to browse, you stupid Noob! :) It is actually almost to this point. Some of the exploits even work on Linux. Only as the running user, however, so a root exploit means you were a stupid Linux noob running as root. (So far anyway. Tomorrow may be different.)

Re:70% on fully updated installs. (2)

CadentOrange (2429626) | more than 2 years ago | (#37613036)

Your anecdote perfectly illustrates why we need to run AV scanners on our machines. It doesn't matter how careful we are, we are not immune to drive by attacks. At this point, the typical slashdot response is "Run AdBlock/NoScript". This doesn't always guarantee that you'll be safe because what happens if the "safe" site you regularly visit has been compromised and the script you're about to allow is no longer safe? AV packages add another layer of defense [wikipedia.org] , and this is a good thing.

Re:70% on fully updated installs. (1)

rsilvergun (571051) | more than 2 years ago | (#37613056)

"my Windows 7 machine ... how exactly does this make me a "stupid user"?", well, there's your answer

Sorry, I kid, I kid. But seriously, I feel your pain. My brother put a virus on my PC when he viewed a video about how to teach a kid to ride a bike. Go figure. What I've taken to doing is doing my web browsing in a Virtual Box running Ubuntu + Chrome. It's pretty bullet proof, and even if it gets through it's tough to get out of the V-Box (Yeah, I know it can be done, but who does it?).

Re:70% on fully updated installs. (1)

houstonbofh (602064) | more than 2 years ago | (#37612750)

Mainly because the technology is reactive. We have to see and attack before we can guard against it.

Re:70% on fully updated installs. (2)

hedwards (940851) | more than 2 years ago | (#37612944)

That's the theory behind Immunet, once one of the computers is infected by a new virus it's analyzed pretty much immediately and a signature is added before the virus has a chance to infect more machines. It doesn't stop new infections, but it does diminish the spread.

I'm not sure how well it ultimately works, but the basic theory behind it is sound.

Another thing that could happen would be for the ISP to throttle the connection back to dial up speed for infected computers downloading anything other than antivirus software. The main concern I'd have there would be false positives and the inherent reward of throttling users.

Re:70% on fully updated installs. (2)

AJH16 (940784) | more than 2 years ago | (#37613240)

An interesting thought, but something seems fishy there. How does immunet tell that a particular piece of malware is malware? If it can tell automatically, then why not simply prevent it in the first place and updates are not necessary as you now have the perfect AV. If you can't tell automatically, then it relies on an end user to recognize and prevent infection. At this point, it is really relying on the end user and is not really any better than conventional AV.

Re:70% on fully updated installs. (3, Insightful)

Moheeheeko (1682914) | more than 2 years ago | (#37612786)

The day that people stop clicking on "want bigger pen0r?" or "see x celebrity naked here" links is the day that 30% jumps to 90%. The fact is that a fully updated, maintained system is virtually malware proof if the user uses common sense.

Re:70% on fully updated installs. (1)

networkBoy (774728) | more than 2 years ago | (#37612942)

But sadly, average users need better than this.
Everyone on /. is at least computer literate, likely has fundamentals of data and system level security, and understands the importance of backups (even if they don't do it, they are accepting a known risk).
The average user thinks that e-mails are private, that 'password' is a bad password but that 'pa$$word', 'mypassword', 'PaSsWoRd', and 'password123' are all good enough, and that their digital pictures are perfectly safe on their hard drive in their 5 year old PC that has never been opened and physically cleaned.

I also think Linux is bad for the average user, because while it is more secure than Windows by default, if you muck with it you can cause vastly more damage to the system if you are in the "just enough knowledge to be dangerous" camp. Ubuntu goes a long way towards this, but it needs an even friendlier interface (IMHO) for system setup and config. We won't get that till an OEM adopts it seriously for end user platforms.

I think the ideal solution is only now starting to be available (mostly to power users). Run everything in a VM jail. XPMode on Win7 is awesome for this. If only it was the default mode of operation, rather than limited to Pro and greater levels of the OS. And if only they made snapshotting and rollbacks easier (other guest OS's would be nice too).

-nB

Re:70% on fully updated installs. (4, Interesting)

houstonbofh (602064) | more than 2 years ago | (#37613106)

I also think Linux is bad for the average user, because while it is more secure than Windows by default, if you muck with it you can cause vastly more damage to the system if you are in the "just enough knowledge to be dangerous" camp. Ubuntu goes a long way towards this, but it needs an even friendlier interface (IMHO) for system setup and config. We won't get that till an OEM adopts it seriously for end user platforms.

I have set up a laptop for 2 different clients' wives with Ubuntu. Both were non-computer experts, and kept getting every infection known to man. After setting them up (over 2 years ago) I never saw those laptops again. I still see the clients, but they say the laptops are running perfect. Lost a lot of business there, and from happy clients. :) Ooops...

Re:70% on fully updated installs. (2)

oakgrove (845019) | more than 2 years ago | (#37613504)

I used to do the bi-monthly schlep to my mother's house to clean off the latest Google-results-hijack/adware/trojans du jour. Finally one day I told her, "I got something for ya." Installed Ubuntu 10.04 LTS and haven't had a problem since. She's one very happy Linux user.

Re:70% on fully updated installs. (3, Insightful)

jijacob (943393) | more than 2 years ago | (#37613592)

The catch here is that *you* set the laptops up. Had you given the wives an Ubuntu CD and left them to their own methods, odds are they wouldn't be so happy.

Re:70% on fully updated installs. (1)

Krneki (1192201) | more than 2 years ago | (#37613158)

It helps, but what can you do if your favorite site serves infected 3rd party ads?

P.S: I do use noscript.

Re:70% on fully updated installs. (3, Interesting)

LordLimecat (1103839) | more than 2 years ago | (#37612814)

Even more salient is that only 13% of the successful infections relied on software that was Windows only (10% were IE exploits, 3% were Windows Help exploits).

All you folks encouraging your friends and families to buy Macs for the specific reason of their security are in for a world of hurt in a few years when Mac hits ~30+% market share. Kits are already starting to appear.

Re:70% on fully updated installs. (2)

UnknowingFool (672806) | more than 2 years ago | (#37612990)

But aren't you assuming that the other 87% are fully cross-platform? For instance Java and Flash vulnerabilities exist in both Linux and OS X but don't result in the same issue as those platforms are different. For example, a Flash vulnerability may allow the execution of a bundled .exe file; however that does nothing for Linux/OS X users. For them they would have to get scripts and even then bypass any default settings that don't allow scripts to run automatically.

Re:70% on fully updated installs. (0)

Anonymous Coward | more than 2 years ago | (#37613636)

But aren't you assuming that the other 87% are fully cross-platform? For instance Java and Flash vulnerabilities exist in both Linux and OS X but don't result in the same issue as those platforms are different. For example, a Flash vulnerability may allow the execution of a bundled .exe file; however that does nothing for Linux/OS X users. For them they would have to get scripts and even then bypass any default settings that don't allow scripts to run automatically.

This study appears to only evaluate Windows platforms.

It would be nice to see them run it on OSX, and Linux using Java JRE, Adobe Reader/Acrobat and Adobe Flash on those platforms and see what damage was done.

Then one could make an informed choice as to OS.

Otherwise, TFA just tells you to update Windows and it's apps as often as possible.

Re:70% on fully updated installs. (1)

LordLimecat (1103839) | more than 2 years ago | (#37613728)

exe files arent materially different than Linux / Mac bin files-- if you can tell the OS to execute arbitrary code, the extension is hardly meaningful.

Regardless, thats not how those exploits work. Machine-code is somehow slipped through the plugin's security measures, and is executed (buffer overflow, etc). That code then downloads the actual exe and dll files that are set up as the permanent infection, and will often attempt privilege escalation at the same time (and if successful, will often overwrite the MBR with an infected copy). But it isnt like Oracle simply forgot to remove the "System.runWindowsOnlyExeFile" command, or the "system.IO.writeInfectedMasterBootRecord" command (really, who comes up with these names?)

If you doubt me, reviewing the attack methods of the past 4-5 years of Pwn2Own would be informative.

Re:70% on fully updated installs. (2)

beelsebob (529313) | more than 2 years ago | (#37613278)

Tbf, a large number leveraged flash and acrobat reader. Flash is not installed by default on Macs any more (though is likely to be installed as there's no alternative), acrobat reader is not installed, and is unlikely to be installed due to the existence of preview, and safari's native pdf rendering.

Re:70% on fully updated installs. (1)

LordLimecat (1103839) | more than 2 years ago | (#37613754)

Flash is also not installed by default on Windows, nor is Java (though your OEM vendor may slip it in on you). That doesnt matter; the first time the user visits youtube, they will get Flash, and that will likely be the version of Flash they have for the next umpteen months until their local friendly geek updates them. (does Mac system update cover java?)

Re:70% on fully updated installs. (5, Insightful)

Anonymous Coward | more than 2 years ago | (#37612920)

You say:

Salient point is that, fully updated and patched installs let 70% of the infections through.

TFA says:

The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages.

Re:70% on fully updated installs. (1)

minstrelmike (1602771) | more than 2 years ago | (#37612984)

You guys aren't supposed to read between the lines. Stats are supposed to obscure facts, not detail them so even a manager can figure it out.

Re:70% on fully updated installs. (0)

Anonymous Coward | more than 2 years ago | (#37613086)

I'm not sure where you got that figure from the article linked in the post. In fact that seems to be a direct contradiction to its conclusion where it says:

The conclusion of this study is that as much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages.

Re:70% on fully updated installs. (1)

ackthpt (218170) | more than 2 years ago | (#37613170)

To think with GUI Operating System versions it began with Microsoft's rather optimistic view, with regards to ActiveX, that nobody on another networked computer would ever think of invading your computer, manipulating it, installing software on it and controlling it.

Big fan of OTR and impressed when I heard a radio play from the 1950's which predicted unprotected computer hardware being infected... so the concept wasn't new.

I also spent my early years on a mainframe system, where we were always vigilant to keep aspiring computer science students from exploiting security holes in software and operating system (the fake login program, these days called a Spoof, was a standard entry point for most.) We had pretty hardened systems by the mid-80's, when the mainframes were starting to be replaced by PC-servers.

I still have this nagging feeling that prevailing attitudes, not just at Microsoft, but among a large number of developers is, "Nah, nobody'd ever do such a thing, so I won't bother trapping it."

Re:70% on fully updated installs. (0)

Anonymous Coward | more than 2 years ago | (#37613562)

I still have this nagging feeling that prevailing attitudes, not just at Microsoft, but among a large number of developers is, "Nah, nobody'd ever do such a thing, so I won't bother trapping it."

I have to take issue with your characterization of Microsoft's current attitude towards security. It's my opinion Microsoft takes security very seriously and has since the infamous e-mail from Mr. Gates.

Re:70% on fully updated installs. (0)

Anonymous Coward | more than 2 years ago | (#37613336)

Salient point is that, fully updated and patched installs let 70% of the infections through.

[citation needed]

FTFA (0)

Anonymous Coward | more than 2 years ago | (#37613506)

"The statistical material covers all in all more than half a million user exposures out of which as many as 31.3 % were infected with the virus/malware due to missing security updates."

And mathematics means that 100%-31.3% ~ 70% (remember "as many as...").

Or is it just a script posting here?

Re:70% on fully updated installs. (1)

blackicye (760472) | more than 2 years ago | (#37613470)

Salient point is that, fully updated and patched installs let 70% of the infections through.

This proves that no amount of software development can overcome human stupidity.

I haven't used an antivirus program in over 15 years and have not had any infections in about as long. I do download a free trial of some random antivirus program every year or so and just do a full manual scan before I uninstall it though.

I like to tell people that the best antivirus that you can possibly install lies between your ears.

Re:70% on fully updated installs. (1)

Hatta (162192) | more than 2 years ago | (#37613662)

How many are let through with a fully updated NoScript?

Welll (1)

jawtheshark (198669) | more than 2 years ago | (#37612626)

Understandably... Given the zoo of updaters you get by installing just a handful of applications, I too disable them, except for Windows update itself. (Well, I used to, I still have an XP copy somewhere on an old laptop, I migrated fully to Linux years ago). However, doing that and running as Limited User pretty much took care of not being infected. It also helped, not using the system browser.

As I understand, these days infection most often occurs over Adobe Flash, Adobe Reader, Internet Explorer, in that order.

Re:Welll (1)

jawtheshark (198669) | more than 2 years ago | (#37612654)

Next time, I'll read the article... Promised, because that's what it says, except I forgot Java... :-) Who installs that anyway? ;-)

Re:Welll (4, Insightful)

QuantumRiff (120817) | more than 2 years ago | (#37612674)

I can't tell you how much I wish Windows Update would update other applications.. I guess I've turned into a crusty, bearded old Linux geek.. but one command to update everything kind of spoils you. (and being able to install and uninstall more than one application at a time is nice too).

Re:Welll (5, Insightful)

houstonbofh (602064) | more than 2 years ago | (#37612820)

Plug-in repositories are one thing I WISH windows would steal from Linux!

Re:Welll (2)

Leebert (1694) | more than 2 years ago | (#37613058)

It will happen if and when Microsoft can manage to swipe the App Store concept. The end goal is in sight, although we might not like the side effects.

Re:Welll (1)

Nerdfest (867930) | more than 2 years ago | (#37613546)

They will likely do what Apple did and borrow the concept, but not allow other repositories to be added. The walled garden is now an accepted approach it seems.

Re:Welll (1)

somersault (912633) | more than 2 years ago | (#37613054)

According to my colleague, the option is there for Win7 to do that now. It's apparently the software vendors who need to integrate their apps into it. I doubt Adobe and Oracle will do that without being pushed though, there probably is something in the rules against pushing extra toolbars and such when updating.. they love doing that.

Re:Welll (4, Funny)

bill_mcgonigle (4333) | more than 2 years ago | (#37613126)

I think that's in Windows 8 and they're calling it an 'App Store'.

No word yet on how many reboots it'll take to install an app.

Re:Welll (1)

darkgrayknight (1679662) | more than 2 years ago | (#37613570)

Not any, most likely. Windows barely reboots for its own updates and most installs don't need the reboot process as they no longer modify Windows system files.

Re:Welll (2)

mikael (484) | more than 2 years ago | (#37612710)

I must admit I always had some suspicions of web browsers that visit dozens of websites before they even visit your own home page. Running 'tcpdump -vv' and 'netstat -a' while a browser is running is very enlightening, even more so when doing 'whois' on those websites I've never heard of.

Never could understand why 'firefox' was opening a shttp link to weather.noaa.gov, or who "stopbadware.org" was.
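The audit described above, as an added example that is not part of the original post: it takes `netstat -a` output, keeps only established TCP connections, strips the port from the foreign address, drops loopback traffic, and lists every remote host that is not on an allowlist of hosts you already recognise. Those are the names to feed to `whois`. `SAMPLE_NETSTAT` and `EXPECTED_HOSTS` are constructed for the example; against a live browser, run `netstat -a | python3 netstat_audit.py`.

```python
"""Audit the remote hosts a browser opens connections to, from ``netstat -a`` output.

Added example, not code from the Slashdot thread. Parses netstat-style lines,
keeps established TCP connections, splits host from port, drops loopback, and
reports every remote host missing from an allowlist. SAMPLE_NETSTAT and
EXPECTED_HOSTS are constructed.
"""
import sys

# Constructed sample in the layout Linux `netstat -a` prints (hostnames resolved).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 mybox:41322             weather.noaa.gov:https  ESTABLISHED
tcp        0      0 mybox:41330             stopbadware.org:http    ESTABLISHED
tcp        0      0 mybox:41331             www.example.com:http    ESTABLISHED
tcp        0      0 mybox:41335             www.example.com:http    ESTABLISHED
tcp        0      0 mybox:41336             www.example.com:http    TIME_WAIT
tcp        0      0 localhost:631           localhost:52010         ESTABLISHED
tcp6       0      0 mybox:41340             ad-tracker.example:http ESTABLISHED
"""

# Hosts the reader has already identified as legitimate (constructed allowlist).
EXPECTED_HOSTS = {"www.example.com"}

LOOPBACK_PREFIXES = ("localhost", "127.", "::1")


def remote_hosts(netstat_text):
    """Sorted, de-duplicated remote hosts of established TCP connections."""
    hosts = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # tcp/tcp6 rows look like: proto recv-q send-q local foreign state
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines and udp rows
        if fields[5] != "ESTABLISHED":
            continue  # LISTEN / TIME_WAIT rows are not live peers
        host, _, _port = fields[4].rpartition(":")  # split on the last colon
        if host.startswith(LOOPBACK_PREFIXES):
            continue  # local services (CUPS, etc.), not the web
        hosts.add(host)
    return sorted(hosts)


def unexpected_hosts(netstat_text, expected=EXPECTED_HOSTS):
    """Remote hosts not on the allowlist: the ones worth a whois lookup."""
    return [host for host in remote_hosts(netstat_text) if host not in expected]


if __name__ == "__main__":
    # Read real netstat output from a pipe; fall back to the constructed sample.
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    for host in unexpected_hosts(text):
        print(host)
```

Repeat the run a few times over a fresh browser start; hosts that show up every time without you visiting them are the toolbar and safe-browsing endpoints discussed in the replies, and anything else deserves the `whois`.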

Re:Welll (1)

houstonbofh (602064) | more than 2 years ago | (#37612866)

weather.noaa.gov is the stupid toolbar something added. stopbadware.org is the firefox link scanning site trying to keep you safe from "bad websites" but only after they have infected lots of folks, and for a while after they are cleaned up... The other 52 websites on a given page are ads, and google analytics.

Re:Welll (1)

LordLimecat (1103839) | more than 2 years ago | (#37612832)

Which is why Chrome is such a boon-- auto-blocks Java if its too old, auto-updates Flash, auto-updates its PDF reader (which notably isnt Acrobat based).

Even if you disregard marketing blurbs about Chrome's security, the auto-update alone makes it a huge security plus.

How Window Gets... hu wha? (4, Insightful)

sgt scrub (869860) | more than 2 years ago | (#37612634)

A window can get infected? Lies I tell you!

Re:How Window Gets... hu wha? (1)

houstonbofh (602064) | more than 2 years ago | (#37612774)

Yep. When a window licker has a cold or the flu...

Re:How Window Gets... hu wha? (1)

adeft (1805910) | more than 2 years ago | (#37612830)

Yeah, that sentence made my head hurt just a bit.

how windows get infected with malware? (0)

Anonymous Coward | more than 2 years ago | (#37612648)

how windows get infected with malware? how windows get pregnant?
we must instain operating system

Re:how windows get infected with malware? (0)

Anonymous Coward | more than 2 years ago | (#37612734)

I accidentally the whole window!

Re:how windows get infected with malware? (1)

LordLimecat (1103839) | more than 2 years ago | (#37612860)

How Windows [machines] get infected.

I didnt have trouble parsing that; possibly if you turned the brainpower spent making snarky responses to reading comprehension you wouldnt have had the issue either.

Words counts! (1)

jabberw0k (62554) | more than 2 years ago | (#37613044)

Grammars be important, their how we speech proper. Kapeesh?

Re:how windows get infected with malware? (0)

Anonymous Coward | more than 2 years ago | (#37613090)

How Windows [gets] infected.

Re:how windows get infected with malware? (1)

LordLimecat (1103839) | more than 2 years ago | (#37613508)

There were multiple Windows machines being discussed. "Gets" is only appropriate for the singular case, so the usage of the plural "get" was correct.

Pedantic fail.

Re:how windows get infected with malware? (1)

somersault (912633) | more than 2 years ago | (#37613100)

What talk bout. We no talk that here.

Re:how windows get infected with malware? (1)

LordLimecat (1103839) | more than 2 years ago | (#37613664)

One might wonder how you ever manage to read headlines if you cant grasp the concept of implied words. Its not exactly uncommon for a headline to drop words, nouns and verbs alike.

Why, Msn.com has the headline "Dust storms, Bear attacks, more". Oh noes! Theres no verb in those sentences! WHAT are the dust storms doing? Or perhaps the dust is currently storming, and its the object of the attacks and storms that we are missing? However will we decode this headline? And what is the bear attacking?

Really folks, if you cant get this, slashdot is probably not the site for you.

Re:how windows get infected with malware? (0)

Anonymous Coward | more than 2 years ago | (#37613290)

I didn't have trouble parsing that joke [youtube.com] ; possibly if you turned the brainpower spent making snarky responses at reading comprehension towards understanding jokes, then maybe you wouldn't have had the issue either.
Also, learn to use apostrophes.

Accounting for market share? (0)

Robadob (1800074) | more than 2 years ago | (#37612660)

It doesn't state whether the first donut chart of browsers and exploits accounts for market share, however given that internet explorer is leading followed by firefox then chrome I would assume it doesn't (unless people select their browsers based on which is more exploitable).

Re:Accounting for market share? (0)

Anonymous Coward | more than 2 years ago | (#37612790)

Jeeze, it's like you have a vendetta against useless data, or something.

Re:Accounting for market share? (1)

houstonbofh (602064) | more than 2 years ago | (#37612902)

IE is the default browser on more systems than anything else. And even if Firefox is installed, the API calls on windows for http downloads use the IE engine, unless you go to some trouble.

Three guys beat IE!!! (1)

140Mandak262Jamuna (970587) | more than 2 years ago | (#37612664)

According to the article, IE ranks fourth! Java JRE ranks first, Adobe Flash and Adobe Pdf reader take the next two places. I think combining these two, Adobe is the king of the hill now in being the vector of disease. Not that it is any surprise.

Java JRE issue is confusing. If the problem is with Java and specs, it should be platform independent. So it is the Windows implementation that is at fault? I don't know.

Re:Three guys beat IE!!! (1)

ColdWetDog (752185) | more than 2 years ago | (#37612728)

OTOH, you can cruise the Internet in safety and ease using the following combination:

Windows 98
Safari for Windows
Quicktime for Windows

About the only thing you could do is run iTunes, but you would be safe!

Re:Three guys beat IE!!! (1)

daid303 (843777) | more than 2 years ago | (#37612858)

Java JRE, so, disable it. I haven't found a single site that depends on it, the add-on seems to install by default (I just want the runtime, not the browser add-on...) and the only use in the browser seems to be an attack vector.

And It's not a problem with the specs I think, it's the problem that the Java JRE is huge, and a single exploit in a single feature is a problem.

Re:Three guys beat IE!!! (1)

gad_zuki! (70830) | more than 2 years ago | (#37612864)

Yep, the advice I always give is:

1. Uninstall java. Most end users never have a need for it and don't update it.

2. Use Chrome to read PDFs or Foxit. No need for Adobe, but to be fair Adobe's new sandbox model in version X is resistant to viral infections and exploits.

3. Update flash as often as it says or switch to Chrome.

4. Run MSE or some other AV.
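The first step in checking a box against that list is knowing whether the three packages are installed at all and at what version. The following is an added example, not code from the thread or from any vendor: on Windows it walks the two Uninstall registry keys installers register under and reads each entry's DisplayName and DisplayVersion; on other platforms (and in the test) it works on `SAMPLE_INVENTORY`, a constructed list of such pairs. The advice strings restate the recommendations from this comment and the surrounding replies.

```python
"""Inventory the plug-ins this thread names as the main infection vectors
(Java JRE, Adobe Reader/Acrobat, Adobe Flash Player) on a Windows machine.

Added example, not code from the thread or from any vendor. On Windows it reads
the Uninstall registry keys; elsewhere it runs on SAMPLE_INVENTORY, a
constructed list of (DisplayName, DisplayVersion) pairs.
"""
import re
import sys

# Case-insensitive patterns matched against the installer's DisplayName.
RISKY_PATTERNS = {
    "java_jre": re.compile(r"\bJava\b", re.I),             # "Java(TM) 6 Update 26"; not "JavaScript"
    "adobe_reader": re.compile(r"Adobe (Reader|Acrobat)", re.I),
    "flash": re.compile(r"Adobe Flash Player", re.I),
}

# What the thread suggests doing about each one.
ADVICE = {
    "java_jre": "uninstall unless an application needs it; at minimum disable the browser plug-in",
    "adobe_reader": "not needed if another PDF reader (Chrome's built-in viewer, Foxit) is used",
    "flash": "update as soon as an update is offered, or use a browser that auto-updates it",
}

# Registry keys every Windows installer registers under (HKLM).
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",  # 32-bit apps on 64-bit Windows
)

# Constructed inventory standing in for the registry on non-Windows hosts.
SAMPLE_INVENTORY = [
    ("Java(TM) 6 Update 26", "6.0.260"),
    ("Adobe Reader 9.4.0", "9.4.0"),
    ("Adobe Flash Player 10 Plugin", "10.3.183.7"),
    ("Mozilla Firefox 7.0.1 (x86 en-US)", "7.0.1"),
    ("JavaScript Helper Toolbar", "1.0"),  # must not be reported as Java
]


def read_uninstall_registry():
    """Return (DisplayName, DisplayVersion) for every installer entry. Windows only."""
    import winreg  # standard library, but only importable on Windows
    entries = []
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # e.g. no WOW6432Node on 32-bit Windows
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    try:
                        name = winreg.QueryValueEx(sub, "DisplayName")[0]
                    except OSError:
                        continue  # many entries carry no display name
                    try:
                        version = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                    except OSError:
                        version = "unknown"
                    entries.append((name, version))
    return entries


def classify(entries):
    """Group installed packages under the risky category whose pattern they match."""
    found = {key: [] for key in RISKY_PATTERNS}
    for name, version in entries:
        for key, pattern in RISKY_PATTERNS.items():
            if pattern.search(name):
                found[key].append((name, version))
    return found


def report(entries):
    """One line per risky package found, with the thread's advice; empty if none."""
    lines = []
    for key, hits in classify(entries).items():
        for name, version in hits:
            lines.append(f"{name} {version}: {ADVICE[key]}")
    return lines


if __name__ == "__main__":
    inventory = read_uninstall_registry() if sys.platform == "win32" else SAMPLE_INVENTORY
    print("\n".join(report(inventory)) or "none of the three packages found")
```

The Uninstall keys only list what an installer registered, so a Java runtime or Flash plug-in dropped in by a portable application or a browser's own updater will not appear there; the version a browser actually loads is what its plug-in page reports.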

Re:Three guys beat IE!!! (1)

LordLimecat (1103839) | more than 2 years ago | (#37612896)

Yes, people who actually deal with such issues for a living have known this for some time. The difference between browsers is rapidly becoming moot-- the market share of any one browser is too diluted to be worth targeting when compared with the widespread adoption of Flash, Java, Acrobat, and Quicktime.

There are some cases where it is conceivable that IE would be more secure than firefox, given the huge leaps made between IE6 and IE9 over the last 4 years.

Re:Three guys beat IE!!! (1)

RicktheBrick (588466) | more than 2 years ago | (#37612996)

I am getting this pop up ad for Norton anti-virus. That would not be unusual except for the fact that the only way I can see to get rid of it is to click the accept button. There is no x or a no thanks button on it. I have Microsoft anti-virus and I also have Iobit windows care program and I run firefox with their pop up blocker. Even with all of that I still get that pop up. I will not accept just because they do not have an easy way to decline.

Re:Three guys beat IE!!! (1)

washu_k (1628007) | more than 2 years ago | (#37613164)

The JRE issue is simple. The JRE is being exploited to deliver Windows malware. Linux or other OSes can get "infected" by the same exploit, but since the payload code is for Windows it won't run on other OSes. The JRE is just the delivery method, it's not actually running the malware.

The big issue with Java is that while it is platform independent, it is not version independent. There are many many Java apps that require a specific version of the JRE and will not run on a newer one. So if you need to run an app that needs an old JRE you can't patch and secure your system. At a previous employer about 80% of our compromised systems were because of Java with almost all the rest because of Adobe products. That was despite our default browser being IE6.

Update early. Update often. (2, Insightful)

mrflash818 (226638) | more than 2 years ago | (#37612670)

When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash.

Update early. Update often.

Re:Update early. Update often. (1)

chispito (1870390) | more than 2 years ago | (#37612714)

When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash.

Update early. Update often.

Alternately, you could simply not use Adobe plugins.

Re:Update early. Update often. (0)

Anonymous Coward | more than 2 years ago | (#37612796)

There is no reason to have a Java browser plugin active anymore - it is a security risk and almost no legitimate websites use Java anymore. Just disable Java in the browser.

Re:Update early. Update often. (1)

networkBoy (774728) | more than 2 years ago | (#37613002)

I wish this were true.
So many enterprise apps are Java (not JS) it is frightening.
I maintain a whitelist for JVM apps allowed in the browser rather than uninstalling it. Annoying, but I can not do my job without it, nor can my wife go to school without it (on-line classes use it for the "classroom app").
-nB

Re:Update early. Update often. (1)

houstonbofh (602064) | more than 2 years ago | (#37612958)

Funny enough, while there are loads of alternative pdf readers out there, all of the alternative flash players I know of seem to be Linux only, or the windows versions are way behind. http://www.gnu.org/software/gnash/ [gnu.org] http://sourceforge.net/apps/trac/lightspark [sourceforge.net] http://swfdec.freedesktop.org/wiki/ [freedesktop.org] Perhaps this will get these projects some attention...

Re:Update early. Update often. (1)

jimicus (737525) | more than 2 years ago | (#37613510)

Alternately, you could simply not use Adobe plugins.

Let's face it, for most people that's a bit like telling them not to have sex if they don't want to get pregnant.

Entirely true, but so un-representative of the real world you might as well save your breath.

Re:Update early. Update often. (1)

i kan reed (749298) | more than 2 years ago | (#37613672)

Uninstall reader/acrobat as useless, install firefox with flashblock, adblock.
Ta-da, infection almost certainly now depends on users being morons.

I personally would like a way to tell firefox to block cross-domain anything that's not a static image. That would quash a lot of the scripts that are problematic without the hassle of noscript.

Why not link to the original report? (0)

Anonymous Coward | more than 2 years ago | (#37612686)

This is ridiculous. The link goes to a splog that has ripped off the original report, which was here:

http://www.csis.dk/en/csis/news/3321

And don't get me started on the squishiness of the numbers being thrown around.

a failure to learn. (0)

Anonymous Coward | more than 2 years ago | (#37612738)

"When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash."

What we have here is a failure to learn. It was clear from the very start that allowing random untrusted sites to run code on your system (even if in a sandboxed environment, because those sandboxes leak) is a bad, bad, bad idea. Not just the drive-by malware, but the annoyances, the privacy violations, and other crap.

Yet people STILL do it, and then bitch when the inevitable happens. It's like watching someone smack themselves in the thumb with a hammer over, and over, and over, and never seeming to learn.

There are valid uses for scripts, but not anywhere near to the extent they are used, and it should be done ONLY when you have cause to trust them, not by bloody DEFAULT.

I know, here come all the slashtards to say that the web sucks if you don't enable scripts. But it wasn't like that in the past: it BECAME like that because people failed to think, because they put up with trivial eye-candy uses of scripts that were not necessary in any sense, because they didn't push back when idiot "web designers" started to use them where simple HTML would have sufficed.

In the end, you get what you deserve. And apparently thinking is "just too hard", so people didn't do it, and now here we are: dumb people by the millions are having their machines infected just by visiting a web page. There is NO WAY that visiting a web page should be able to jack your machine. No way at all. If it does, the fault is both yours, and all the people's who put up with this trend towards using scripts for trivial things that don't need them. Now, the web is some horrible mess of tangled cross site flash and javascript and sh*t, and people bitch that it's too hard to figure out which ones are safe to run. Well, of f*cking course. Because you LET it get that way. When the trend started, you kept cheerfully using pages that *abused* scripts for things where it wasn't needed. You failed to listen to those of us who pointed out why this was a bad, bad idea.

You get what you deserve. What you deserve, computing public, is the world we now have. Hope you like it.

Top 5 to be avoided (1)

hesaigo999ca (786966) | more than 2 years ago | (#37612746)

I guess don't use Java, Adobe Reader or Flash, or IE, and you should kill 90% of possibilities.

Re:Top 5 to be avoided (0)

Anonymous Coward | more than 2 years ago | (#37613130)

Not really. You'd need to sort by the ratio of infections per install to find the most dangerous ones.

Better statistics? (2)

SpryGuy (206254) | more than 2 years ago | (#37612754)

Looking at the graphs and statistics, I ended up wishing they'd factored in usage share, to make the numbers more meaningful.

I mean, if (say) 70% of users used XP and 30% of users use Win7, then seeing 70% of the exploits on XP and 30% of the exploits on Win7 doesn't tell you much other than there's an exploit that is the same across them. It does NOT mean that XP is more vulnerable than Win7. Ditto the breakdown by browsers. Without usage share factored in, the numbers can be misleading in either direction.
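The normalization the two posts above ask for (the "ratio of infections per install" and "factor in usage share") is a short calculation, shown here as an added example that is not part of the thread or of the CSIS report. All counts and shares in it are constructed for illustration; the Windows XP / Windows 7 numbers simply mirror the 70/30 case in the post, and the browser dataset uses placeholder names so it cannot be read as a claim about any real product.

```python
"""Normalize raw exploit-kit infection counts by usage share.

Added example, not from the CSIS report or the thread. All data below is
constructed. Relative risk = observed infections / infections expected if
every platform were exactly as risky as its usage share predicts.
"""
from typing import Dict, List, Tuple

# Constructed: the 70/30 case from the post. Raw counts look lopsided...
OBSERVED_OS: Dict[str, int] = {"Windows XP": 700, "Windows 7": 300}
# ...but the exposed population is split the same way.
SHARE_OS: Dict[str, float] = {"Windows XP": 0.70, "Windows 7": 0.30}

# Constructed browser dataset with placeholder names, to show the case
# where raw counts and share-adjusted risk rank the platforms differently.
OBSERVED_BROWSER: Dict[str, int] = {
    "browser_a": 600, "browser_b": 300, "browser_c": 50, "browser_d": 50,
}
SHARE_BROWSER: Dict[str, float] = {
    "browser_a": 0.55, "browser_b": 0.30, "browser_c": 0.03, "browser_d": 0.12,
}


def expected_by_share(total: int, share: Dict[str, float]) -> Dict[str, float]:
    """Infections each platform would show if risk were uniform."""
    return {name: total * frac for name, frac in share.items()}


def relative_risk(observed: Dict[str, int],
                  share: Dict[str, float]) -> Dict[str, float]:
    """Observed / expected per platform. 1.0 means 'as risky as its share'.

    Shares must sum to 1 and be positive: a platform with zero share but
    nonzero infections means the share data is wrong, not that risk is infinite.
    """
    if abs(sum(share.values()) - 1.0) > 1e-9:
        raise ValueError("usage shares must sum to 1")
    if any(frac <= 0 for frac in share.values()):
        raise ValueError("every platform needs a positive usage share")
    total = sum(observed.values())
    expected = expected_by_share(total, share)
    return {name: observed.get(name, 0) / expected[name] for name in share}


def rank_by_risk(risk: Dict[str, float]) -> List[Tuple[str, float]]:
    """Most over-represented platform first."""
    return sorted(risk.items(), key=lambda kv: kv[1], reverse=True)


def rank_by_raw_count(observed: Dict[str, int]) -> List[str]:
    """The ordering a raw pie chart implies, for comparison."""
    return [name for name, _ in sorted(observed.items(),
                                       key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    # The OS case collapses to 1.0 for both: no evidence either is worse.
    for name, r in rank_by_risk(relative_risk(OBSERVED_OS, SHARE_OS)):
        print(f"{name:12s} relative risk {r:.2f}")
    # The browser case: raw count says browser_a, share-adjusted says browser_c.
    print("raw order      :", rank_by_raw_count(OBSERVED_BROWSER))
    print("adjusted order :", [n for n, _ in
                               rank_by_risk(relative_risk(OBSERVED_BROWSER,
                                                          SHARE_BROWSER))])
```

The same division applies to browser plug-ins or JRE versions once you know how many of the exposed users had each installed; without that denominator the raw chart only tells you where the exposed population is, not where the risk is.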

Obvious strategy (0)

Anonymous Coward | more than 2 years ago | (#37612778)

After looking at the pie charts: deploy Opera on Windows 98, you'll be perfectly safe.

How Windows Get Infected With Malware 16 (1, Troll)

DRAGONWEEZEL (125809) | more than 2 years ago | (#37612780)

Simply Click HERE! [goats--damnicantdoit] ;)

What we really want is to sell you something. (0)

Anonymous Coward | more than 2 years ago | (#37612804)

"With this study CSIS has received confirmation that our security program Heimdal is addressing a market not adequately covered by a proper patch routine or policy for this area."

Wow. I am so glad Heimdal is there to save us all.

-- over the top roll of eyes --

Awful! (0)

Anonymous Coward | more than 2 years ago | (#37612854)

That is truly one of the most poorly written articles I've read in some time.

Not much meat in TFA (2)

sl4shd0rk (755837) | more than 2 years ago | (#37612886)

User's patches not up-to-date. User got infected.

The applications the malware targets are unsurprisingly the same-ol-same-ol. Windows, Java, IE, Adobe.

Perhaps the real questions should be:
- Why is patching so ineffective?
- Why is patch frequency not decreasing over time (these are *very* mature applications) ?

Re:Not much meat in TFA (0)

Anonymous Coward | more than 2 years ago | (#37613416)

Perhaps the real questions should be:
- Why is patching so ineffective?
- Why is patch frequency not decreasing over time (these are *very* mature applications) ?

The better question is why the software is such a POS.

The latest 10.x version of flash is about 4 megabytes in size. That is a very, very small program. Writing a secure version of flash wouldn't be very difficult - test & validate all the inputs, proper separation of modules, etc.

If flash wasn't such a POS, Adobe wouldn't be facing the threat of being obsolete in the face of HTML5.

Re:Not much meat in TFA (0)

Anonymous Coward | more than 2 years ago | (#37613472)

Make software makers liable for security vulnerabilities and watch what happens. You'll get stuff that makes the Space Shuttle's code look buggy.

Despite popular belief, the legal system is not a "trick" to make business for lawyers; it gives economic incentive for people and businesses not to break the law (criminal) or to act in a reckless or negligent manner that negatively impacts other people (civil). Damage award caps and immunity reduce or remove those incentives.

Re:Not much meat in TFA (0)

Anonymous Coward | more than 2 years ago | (#37613678)

Yeah, and nobody will want to buy it. It's not that you couldn't write bug free software, people would just rather buy a buggy piece of software and only spend a tenth of the money.

unfactored (0)

Anonymous Coward | more than 2 years ago | (#37612892)

this is unreliable information.

the first chart should have been represented as a ratio to the least used browsers

same with the operating systems

and then the whole thing should be factored according to the habits of Dutch people

Java JRE (2)

Bigbutt (65939) | more than 2 years ago | (#37612906)

Unfortunately I run into areas where I am unable to upgrade the JRE due to incompatibilities with newer versions. For instance, in dealing with a Dell DRAC, the old Chassis says it'll support 1.4_5 something or other or newer. The problem is with the exact version it works fine but upgrading JRE on my system causes it to fail and refuse to start up the console java app. So I have a Windows laptop at my desk that is kept at that specific version of the JRE so I can continue to access the chassis until it's replaced. It's just one example but it's one I have to deal with on a periodic basis.

[John]

Similar: Dan Guido's Exploit Intelligence Project? (0)

Anonymous Coward | more than 2 years ago | (#37612950)

This research is oddly similar to Dan Guido's Exploit Intelligence Project. Even the ring/pie charts. Although, to CSIS's credit, they did invert the colors for Java and Flash in the donut chart.

http://www.isecpartners.com/storage/docs/presentations/EIP-final.pdf

Anyway, I've seen Dan Guido give the EIP lecture a couple of times, and unless I'm mistaken, he draws many of the same conclusions.

Java and Adobe need automated silent updates (1)

sandytaru (1158959) | more than 2 years ago | (#37612962)

They need to incorporate the option of turning on automatic, silent upgrades like Google Chrome has - many end users don't recognize the "Hey I've got an update" balloons on their machines, and just ignore them until they wind up several versions out of date. Also, Adobe needs to cut out this "reboot required" nonsense for Adobe Reader. Not everyone is able to reboot machines at a drop of a hat, and it's annoying to have to schedule a reboot on a server for a program that didn't require a reboot for installation and is only used once every few months. (I seriously update Adobe more than I use it on many machines.)

Re:Java and Adobe need automated silent updates (1)

goldspider (445116) | more than 2 years ago | (#37613296)

I don't know about Flash, but Java can be set to auto-update.

Re:Java and Adobe need automated silent updates (1)

AtomicJake (795218) | more than 2 years ago | (#37613524)

Silent updates is the worst idea ever. Something that worked yesterday, stops working today - and I have no clue why.
It is OK for some users to enable automatic updates (e.g. if you use only a Web browser and no specific plugins), but even then: Make the users aware about each update. Most users are far better off with a planned update.

Re:Java and Adobe need automated silent updates (0)

Anonymous Coward | more than 2 years ago | (#37613702)

Also, Adobe needs to cut out this "reboot required" nonsense for Adobe Reader...

This is true a hundred times over. It is especially annoying when you realize that the only reason for this reboot is to reinitialize their crappy framework.

Injection and Payload (1)

Synerg1y (2169962) | more than 2 years ago | (#37613154)

It looks like they were mainly studying browser based attacks; the CVEs I looked up all had to do with browser code injection, along those lines.

They go on to state 85% of virus infections (do they mean malware / spyware?) are caused by drive by attacks (website exploits).

I'm not sure of and am too lazy to look up the actual figures, but I would dedicate that 85% to email based attacks, not Nigerian scams, but infected attachments, embedded code, etc.

Oh well, I'm demoting the scope of these statistics to browsers only...

and also state that I believe Windows gets infected buckets more by email based attacks for many reasons including the ease of guessing email addresses on a domain, as well as user trust that who is sending them the email knows their email so they may know them, etc...

Salient point: (1)

aepervius (535155) | more than 2 years ago | (#37613174)

http://www.net-security.org/images/articles/102011-infection.jpg [net-security.org]

Avoid Java, Flash, Acrobat and IE Explorer and you avoid around 95+% of the entry points. IOW it does not seem to be Opera or Mozilla which is vulnerable, but the added cruft plug-in.

How Long Will it Take (0)

Anonymous Coward | more than 2 years ago | (#37613334)

How long will it take for people to realize you can't protect idiots from themselves? You don't even need anti-virus if you don't open stupid shit. Stop downloading free screensavers, don't open shit people send you unless you know they really sent it and they're not a virus-infested mess, don't use IE, and you're pretty safe. I haven't had an infection in years and I have no active anti-virus. I check periodically with online scanners, but nothing ever appears.

That article is just an ad... (0)

Anonymous Coward | more than 2 years ago | (#37613422)

...for their security software, though, they make some valid points about security patches being updated. It just gives the article a veneer of poo with the plug at the end.

Summary of the article (1)

rabtech (223758) | more than 2 years ago | (#37613564)

TL;DR:

The majority of infections are (in order): JRE, Acrobat Reader, Flash, and a minority are actual browser exploits and/or Quicktime exploits. No word on the versions but I expect that they are all well-known and long-patched holes.

Part of the reason I run with Java disabled, Flashblock installed, etc.

Forced updates needed (1)

mrshermanoaks (921067) | more than 2 years ago | (#37613604)

Unless you force users to update software before continuing to use it, they will nearly always pick the "remind me later" option. Updates to packages like these need to be automatic and enforced for all but the most managed of users, or this problem will just go on forever.

If this issue affected only the individual users, it would be one thing. But the fact that clicking the "remind me later" has a disastrous effect across society means that you can't just rely on people to do the smart thing. They won't. They'll do the quick, easy thing.
