Windows Security

Vulnerabilities in Windows

Windows Updates & Service Packs - Web Browsers Weaknesses
E-mail Weaknesses - More About Security Issues

This Affects All Windows Users

While the information on this page may not be light reading I recommend that you peruse it. To ignore it is to do so at your own peril.

If you are not running at least Windows XP, I recommended that you immediately to Windows XP with Service Pack 3 or to an alternative operating system, particularly if your computer is used on the Internet (and most are these days).

Windows Updates & Service Packs

Install Windows Updates & Service Packs

Support Discontinued for Older Windows

Microsoft discontinued support for Windows 98/98SE/Me on July 11, 2006 and support for Windows XP is dependent upon the service pack installed. The fact that most security software requires a minimum of Windowx XP with Service Pack 3 should tell you about the risks of earlier versions and unpatched systems.

Install and Run Automatic Windows Updates

While it is possible to continue to download updates or check for them manually, there is no reason to do so in these days of always-connected computers. Automatic Windows Updates ensure that you get timely updates. Many vulnerabilities are used by unscrupulous folks even if the vulnerablility is not announced when a patch (update) is released.

Personal Choices are Important

There are a multitude of choices that you make (or can make) that will affect how secure your computer is. These can affect your privacy and the safety of your children while on-line.

You will find Bruce Schneier's discussion about Safe Personal Computing informative.

Beware of the Human Factor

People are too trusting of any warning that appears on their computer, particularly when visiting web sites with their browser. Virtually all scanners that suddenly appear on your screen wanting about hundreds of vulnerabilities on your computer are scams. The exception would be when you visit legitimate sites and run their software (after asking you first). Of course, it is difficult for many to determine what a legitimate site looks like.

Check my Recommended Windows Software for some suggestions. Reading through my Self-Help Resources pages should help to educate you about many of the factors in learning to protect yourself on-line.

Don't forget that anyone with physical access to your computer can make changes to Windows or visit areas on the Web that pose a risk to your computer. This includes using CDs, DVDs and other devices like USB thumb drives with unknown content.

Some computer systems have been exploited by mailing CDs or leaving USB devices in a company parking lot. Someone is going to plug them into their computer and release whatever troublesome gremlins installed on those devices!

There are Windows Alternatives

Other operating systems such as Linux and Apple Macintosh offer fewer problems when it comes to virus propagation and other security issues. This is partly due to their relative smaller footprint in the computer world and partly due to better design.

For instance, Linux offers a breakdown of what is permitted when the system is being run under the root (administrator) password and what is permitted for other users. Having to login as root (or superuser) to do installs and settings changes is one reason why Linux is perceived to be "harder to use" than Windows.

Be Aware of the Trade-offs

An Analogy

Windows was built to be easy to use, with security apparently a casual afterthought, at least in versions earlier than Vista. Consider the following analogy when deciding that "easier is better" in your computing experience:

Using Internet Explorer in Windows is like leaving your car parked downtown overnight with the doors unlocked, the windows rolled down and the keys in the ignition, then wondering why your car is gone in the morning.

While it may be inconvenient to install updates and use alternatives to the tightly intertwined (and therefore mutually-vulnerable) Microsoft programs, you might consider why your car has those inconvenient locks and seatbelts. Cars once had neither, yet they were installed for a very good reason.

Easier is Not Necessarily Better

James Gleick illustrates the power of scripts in an article discussing some of the Windows vulnerabilities exploited by the I Love You virus. Social engineering is such that we are more likely to open an e-mail (or click on a advertising link) that either appeals to our need for approval or to our fears.

Dangers of Administrator Privileges

The trade-off is between security and ease of use. While some of this control of functionality is included in Windows XP there are some decisions that have been made that increase overall risk. Also, many standard XP home computers have only one account, which includes all the administrator privileges. Typically Linux users are much more aware of these dangers and tend to create a separate user account from the administrator account.

Vista's User Account Control

Windows Vista users are very familiar with the User Account Control (UAC) which became known for its intrusive nature. However, remember that we put up with the inconvenience of seatbelts and similar safety features on our cars — much for the same reason. Windows 7 is somewhat less intrusive and it is easier to choose a level of security, but you can do so at your own peril in the same manner as deciding to now wear a seatbelt if you are in a serious collision.

While Windows is less secure than Linux this allows for easier installs, upgrades and exchange of information. Linux also has it's vulnerabilities, though fewer in number.

Always Install Windows Critical Updates

This section discusses some of the areas that you can address to improve the security of your Windows system.

To protect yourself from many of these vulnerabilities make sure you have the latest security patches for Windows and Office products you have installed:

Windows 7 users cannot connect to Windows Update on the Microsoft site (this may be true for some other users as well). Instead, click the Start button, click All Programs, and then click Windows Update.

Weekly Maintenance Routine

This should be part of your weekly maintenance routine. You should maintain the updates to Internet Explorer (IE) even if you use another browser since IE is so tightly integrated into the Windows operating system.

Weekly a Bare Minimum

A study conducted by Symantec, best know for Norton Antivirus, determined that the time from release of a patch and the release of malicious code to exploit it is was only 5.8 days in the first half of 2004. This makes a weekly update a bare minimum. I assure you that the Internet has only become less friendly since then.

Windows Critical Updates

Windows has a Windows Critical Updates notification/installation utility (at leaat in the versions you should be running while connected to the Internet). I'd suggest at least being notified (the downloads can consume a great deal of your bandwidth if you are on dialup or on a low-speed connection of any type) and install them as soon as you are able. Delays can be costly. High-speed users should use Automatic Windows Updates.

Windows Updates Options

There are three sections that show up in Windows Update:

Always install the Critical Updates and Service Packs when available. These are considered vital to the safety of your Windows system.

The Windows Updates can be chosen to deal with particular issues you may be having. If you have no need for the particular updates, don't install them.

Driver Updates Alternatives

Driver Updates may fix a problem with hardware, but I have had some Microsoft driver updates corrupt Windows installations so you might wish to go to the component manufacturer's site for an update. This has been particularly true for some video driver updates but can be fixed in Windows XP and later with the System Restore feature.

Disable ActiveX

ActiveX is a proprietary alternative to Java designed to enhance the performance of programs and to allow for easier upgrades to the Windows operating system. However, the lack of security allows destructive programs to use this feature to access areas of your computer that they wouldn't otherwise be able to attack.

Java Safer

The main difference between ActiveX and Java are the permissions available to the script. ActiveX can essentially access any area of your computer. Java is more restricted in its ability to access critical areas of your system so a rogue Java script can do less potential damage than a rogue ActiveX control.

More About ActiveX Vulnerabilities

Read more about ActiveX and the dangers it can present:

How to Disable ActiveX

To disable ActiveX follow this procedure:

Note: If you completely disable ActiveX you will need to re-enable ActiveX if you want to obtain technical support or upgrades and fixes on Microsoft's site (including Windows Update).

Use Another Browser

The Prompt option will give you the option to run or not run the controls for any web site you enter. This will be less of a bother if you are using another browser (recommended) as your primary web surfing tool than if Internet Explorer is your primary browser.

Where You Can Trust ActiveX

Just remember that ActiveX should only be trusted to the extent that you would trust the owner of the site you are visiting. I'd suggest disabling unsigned ActiveX controls and those not marked as safe and be prompted for the rest.

Easier is Not Necessarily Better

One of the methods used by Windows operating systems to achieve this communication between programs is Visual Basic Script (VBS). Not everyone needs to have VBS enabled. You can disable it following the procedures offered on the F-Secure site. There are instructions for removing Windows Scripting Host on Windows 95, 98, 2000 and NT systems.

Return to top

More About Security Issues

The following related pages offer more information about security:

Return to top

www.RussHarvey.bc.ca/resources/windowssecurity.html
Updated: December 17, 2009