Vulnerabilities in Windows
All Windows Versions are Vulnerable
Ignore Windows security at your own peril.
Beware of the Human Factor
People are too trusting of any warning that appears on their computer, particularly when visiting websites with their browser.
James Gleick illustrated this human factor in an article discussing some of the Windows vulnerabilities exploited by the I Love You virus. We are more likely to open an email (or click on a advertising link) that appeals to our need for approval or caters to our fears.
The exception would be when you visit legitimate sites and run their software (after asking you first). Of course, it is difficult for many to determine what a legitimate site looks like.
No, It's Not Microsoft Phoning You
If you receive a phone call telling you that your computer is at risk, hang up.
They are NOT Microsoft (or anyone legitimate) NOR are they trying to help you. Their goal? To get you to:
- divulge information about your computer;
- open an exploitive website using your browser; or
- provide your credit card information for the "help" you're given.
Your best solution is to simply hang up.
Educate Yourself About the Risks
Guard Physical Access to Your Computer
Anyone with physical access to your computer can make changes to Windows or visit areas on the Web that pose a risk to your computer. That physical access can be through malicious software on a removable storage device.
Computer systems have been exploited by mailing CDs or leaving USB thumb drives in a company parking lot. Someone is going to plug them into their computer and release whatever troublesome gremlins are installed!
Windows "Ease-of-Use" is a Trade-off
Windows was built to be easy to use, with security apparently a casual afterthought — at least in versions earlier than Vista. The trade-off is between security and ease of use.
Two Analogies: Apartments and Vehicles
Consider the following analogies when deciding that "easier is better" in your computing experience:
Using Internet Explorer in Windows is like leaving your car parked downtown overnight with the doors unlocked, the windows rolled down and the keys in the ignition, then wondering why your car is gone in the morning.
Installing updates and alternatives to programs built into Windows is inconvenient, but consider why your car has those inconvenient locks and seat belts. Cars once had neither, yet they are now installed — for a very good reason.
The front door key to an apartment building is the same for everyone. What if the building supervisor provided the same key for every apartment and allowed you to think that your apartment key was unique? Access for maintenance would be easier, but your unit's physical security would be severely compromised.
Similarly, various Windows components and Microsoft Office products are highly integrated, making everything function smoothly. Because of that interoperability, weaknesses in one program (or component) can quickly spread to others.
For example, vulnerabilities in Internet Explorer spread to Outlook because components of IE were used to display the HTML (or “enhanced”) email content. Microsoft “fixed” this by making MS Word responsible for the HTML content.
I've recommended email programs and web browsers that don't integrate with Windows to prevent that sort of weakness.
The Dangers of Administrator Privileges
Most Windows computers only have one account that runs with full administrator privileges.
However, most Linux users are much more aware of these dangers and tend to create a separate user account from the administrator account. Changes to the system require the administrator's password, even in the basic Linux install.
Vista's User Account Control
Windows Vista users are very familiar with the User Account Control (UAC) which became known for its intrusive nature. Windows 7 is somewhat less intrusive and allowed the user to choose a lesser level of security, leaving you more vulnerable. Degrading the security level is riskier, like deciding to buckle up your seat belt after you are in a serious car collision.
While Windows is less secure than Linux this allows for easier installs, upgrades and exchange of information although recent versions of Linux provide a much easier interface even for beginners.
Vulnerabilities Are Relative
Beware of comparisons of how many vulnerabilities rather than the severity of the security breach. One serious system-wide vulnerability can be much more dangerous than dozens of small potential weaknesses.
Always Install Windows Critical Updates
This section discusses some of the areas that you can address to improve the security of your Windows system.
To protect yourself from many of these vulnerabilities make sure you have the latest security patches for Windows and Office products you have installed:
- Windows 7 and Vista users will find Windows Update in the Control Panel (open the Control Panel then select Windows Update).
* Internet Explore is required for Windows Update. Windows 7 users will see a note about using the built-in support for Windows Update if they visit Microsoft's update sites.
Is Your System Mission Critical?
Microsoft tends to run all their updates once a month on “patch Tuesday.” The downside to this is that some updates in large batches can create problems (thankfully, relatively rare).
For this reason, some administrators of “mission critical” systems wait to find out if there are problems with patches before updating. This is not recommended for home users because downtime due to such problems are an inconvenience, not something that will put lives or critical systems in jeopardy.
Weekly Maintenance Routine
Updates should be part of your weekly maintenance routine. You should maintain the updates to Internet Explorer (IE) even if you use another browser since IE is so tightly integrated into the Windows operating system.
As well as updates to Windows, you should be checking your other security software (firewalls, antivirus and anti-spyware software) as well as updates for all the programs on your computer.
Daily Security Updates a Bare Minimum
You should be updating your security software at least daily — I recommend that you update several times a day. In the case of a serious attack, hourly updates may save your programs and data from ruin.
A 2004 study conducted by Symantec, best know for Norton Antivirus, determined that the time from release of a patch and the release of malicious code to exploit it is was only 5.8 days. At that time, weekly updates were a bare minimum. I assure you that the Internet has only become less friendly since then.
Windows Critical Updates
Windows has a Windows Critical Updates notification/installation utility. Most users should use Automatic Windows Updates.
I'd suggest at least being notified if you are on a low-speed connection of any type and install them as soon as you are able. Delays can be costly.
Windows Updates Options
Windows Updates are classified as Important updates and Recommended updates.
Always install the Critical Updates and Service Packs when available. These are considered vital to the safety of your Windows system.
Recommended Windows Updates may deal with specific issues some users are having. If you have no need for the particular updates, don't install them.
Windows Update can also check for updates to Microsoft Office (more current versions only). Windows 7 and later automatically downloads updates and doesn't use Internet Explorer directly to provide these.
Driver Updates Alternatives
Driver Updates may fix a problem with hardware, but I have experienced some Microsoft driver updates corrupting my Windows installations. You might wish to go to the component manufacturer's site to check for an update, particularly for video driver updates. System Restore provides a recovery solution if such a problem arises.
There are Windows Alternatives
This is partly due to their relative smaller footprint in the computer world and partly due to better design. There has been more vulnerabilities in Apple computers since they've gained in popularity, so you should check for security solutions specific to your operating system to be safe.
There are also lesser-known operating systems that may prove suitable to your needs.
Vulnerabilities Still Exist
All software (including operating systems) have vulnerabilities. Even if you move to an alternate to Windows you'll have to update and monitor vulnerabilities.
Moving from Windows also means you'll experience a learning curve, but perhaps that is an acceptable cost.
ActiveX: A Potential Security Risk
There's nothing wrong with ActiveX as long as you trust completely the guy who wrote it, says research scientist Gary McGraw of Reliable Software Technologies.
But it's like leaving your office to go to lunch and running into some guy who says he'd really like to use your computer for the next hour, and letting him sit and do whatever he likes while you're away. But as far as running trusted code, it's a very powerful and useful technology.
— quoted on CNET News
Should I Install ActiveX Controls?
Maybe. You should be cautious about installing ActiveX controls, sometimes called addons, on your computer, even if they have a valid digital signature. While ActiveX controls can enhance web browsing, they might also pose a security risk, and it's best to avoid using them if the webpage will work without them. However, some websites or tasks might require them, and if the content or task is important to you, you will have to decide whether to install the ActiveX control.
Microsoft suggests that before installing an ActiveX control, you should consider the following:
- Were you expecting to receive this control?
- Do you trust the website providing the control?
- Do you know what the control is for and what it will do to your computer?
See the following Microsoft resources for more about ActiveX:
- Should I install ActiveX controls?
- What is an ActiveX control?.
- Protect yourself when you use ActiveX controls.
Java is Safer
Underlying the Java SE Platform is a dynamic, extensible security architecture, standards-based and interoperable. Security features — cryptography, authentication and authorization, public key infrastructure, and more — are built in. The Java security model is based on a customizable 'sandbox' in which Java software programs can run safely, without potential risk to systems or users.
— Java SE Security
That is not to say that Java has no vulnerabilities. Java is one of the three most common vulnerabilities (the other two being Adobe Flash and Adobe Reader) which is why Firefox disables Java by default (recommended).
Always remove older versions of Java so that you're not exposing your computer to vulnerabilities that have been patched with more recent updates.
Restrict the Use of Internet Explorer
I strongly recommend that you DON'T use Internet Explorer to surf the Web. It is rarely required elsewhere (a couple of exceptions are Microsoft FixIt solutions and some Symantec utilities).
Instead, I recommend Firefox as your primary browser.
The Firefox add-on IE View allows you to launch the current Firefox page in Internet Explorer (Windows only), allowing you to use Firefox without worrying that you'll come onto a page that requires Internet Explorer.
Updated: September 4, 2014