Windows Security

Vulnerabilities in Windows

Windows Updates/Service Packs | Alternatives to Windows | ActiveX
Disabling Visual Basic | More About Security Issues

This Affects All Windows Users

While the information on this page may not be light reading, you ignore it at your own peril.

If you are not running at least Windows XP with Service Pack 3 (SP3) installed, I recommended that you immediately upgrade or move to Windows 7

Don't buy Vista if you can avoid it, but if you are already running Vista, ensure you are running the latest Service Pack (SP2 at the time this was written).

If your computer is too old to upgrade, purchase a new computer to take advantage of newer hardware capabilities or install an alternative operating system, particularly if your computer is used on the Internet (and most are these days).

Windows Updates & Service Packs

Install Windows Updates & Service Packs

Support Discontinued for Older Windows

Microsoft has discontinued support for Windows 98/98SE/Me on July 11, 2006 and all support for Windows 2000 will end on July 13, 2010.

When support is discontinued for a version of Windows, it means that Microsoft will no longer provide support or security updates, leaving your computer more vulnerable than a currently supported version of Windows with the recommended security updates and service packs (SP) installed.

You can get information about the service life of any Microsoft product on their Select a Product for Lifecycle Information page. The full list of Windows versions is available on a separate page.

The fact that most security software requires a minimum of Windows XP with Service Pack 3 should tell you about the risks of earlier versions and unpatched systems:

Install and Run Automatic Windows Updates

While it is possible to continue to download updates or check for them manually, there is no reason to do so in these days of always-connected computers. Automatic Windows Updates ensure that you get timely updates. Many vulnerabilities are used by unscrupulous folks even if the vulnerability is not announced when a patch (update) is released.

Personal Choices are Important

There are a multitude of choices that you make (or can make) that will affect how secure your computer is. These can affect your privacy and the safety of your children while on-line.

You will find Bruce Schneier's discussion about Safe Personal Computing informative.

Beware of the Human Factor

People are too trusting of any warning that appears on their computer, particularly when visiting web sites with their browser. Virtually all scanners that suddenly appear on your screen wanting about hundreds of vulnerabilities on your computer are scams. The exception would be when you visit legitimate sites and run their software (after asking you first). Of course, it is difficult for many to determine what a legitimate site looks like.

Check my Recommended Windows Software for some suggestions. Reading through my Self-Help Resources pages should help to educate you about many of the factors in learning to protect yourself on-line.

Don't forget that anyone with physical access to your computer can make changes to Windows or visit areas on the Web that pose a risk to your computer. This includes using CDs, DVDs and other devices like USB thumb drives with unknown content.

Some computer systems have been exploited by mailing CDs or leaving USB devices in a company parking lot. Someone is going to plug them into their computer and release whatever troublesome gremlins are installed on those devices!

Be Aware of the Trade-offs of "Ease-of-Use" with Windows

An Analogy

Windows was built to be easy to use, with security apparently a casual afterthought — at least in versions earlier than Vista.

Consider the following analogy when deciding that "easier is better" in your computing experience:

Using Internet Explorer in Windows is like leaving your car parked downtown overnight with the doors unlocked, the windows rolled down and the keys in the ignition, then wondering why your car is gone in the morning.

While it may be inconvenient to install updates and use alternatives to the tightly intertwined (and therefore mutually-vulnerable) Microsoft programs, you might consider why your car has those inconvenient locks and seat belts. Cars once had neither, yet they were installed for a very good reason.

Easier is Not Necessarily Better

James Gleick illustrates the power of scripts in an article discussing some of the Windows vulnerabilities exploited by the I Love You virus. Social engineering is such that we are more likely to open an email (or click on a advertising link) that either appeals to our need for approval or to our fears.

Dangers of Administrator Privileges

The trade-off is between security and ease of use. While some of this control of functionality is included in Windows XP there are some decisions that have been made that increase overall risk.

Many Windows home computers have only one account, which includes all the administrator privileges (particularly with Windows XP and older versions).

Typically Linux users are much more aware of these dangers and tend to create a separate user account from the administrator account, but even the basic Linux install is more secure.

Vista's User Account Control

Windows Vista users are very familiar with the User Account Control (UAC) which became known for its intrusive nature. Windows 7 is somewhat less intrusive and it is easier to choose a level of security, but you can do so at your own peril in the same manner as deciding to now wear a seat belt if you are in a serious collision.

While Windows is less secure than Linux this allows for easier installs, upgrades and exchange of information. Linux also has it's vulnerabilities, though fewer in number.

Always Install Windows Critical Updates

This section discusses some of the areas that you can address to improve the security of your Windows system.

To protect yourself from many of these vulnerabilities make sure you have the latest security patches for Windows and Office products you have installed:

Windows 7 users cannot connect to Windows Update on the Microsoft site (this may be true for some other users as well). Instead, click the Start button, click All Programs, and then click Windows Update.

Weekly Maintenance Routine

Updates should be part of your weekly maintenance routine. You should maintain the updates to Internet Explorer (IE) even if you use another browser since IE is so tightly integrated into the Windows operating system.

As well as updates to Windows, you should be checking your other security software (firewalls, antivirus and anti-spyware software) as well as updates for all the programs on your computer.

Weekly a Bare Minimum

You should be updating your security software at least daily — many now update several times a day. In the case of a serious attack, hourly updates may save your programs and data from ruin.

A study conducted by Symantec, best know for Norton Antivirus, determined that the time from release of a patch and the release of malicious code to exploit it is was only 5.8 days in the first half of 2004. This makes a weekly update a bare minimum. I assure you that the Internet has only become less friendly since then.

Windows Critical Updates

Windows has a Windows Critical Updates notification/installation utility (at least in the versions you should be running while connected to the Internet). I'd suggest at least being notified (the downloads can consume a great deal of your bandwidth if you are on dialup or on a low-speed connection of any type) and install them as soon as you are able. Delays can be costly. High-speed users should use Automatic Windows Updates.

Windows Updates Options

There are three sections that show up in Windows Update:

Always install the Critical Updates and Service Packs when available. These are considered vital to the safety of your Windows system.

The Windows Updates can be chosen to deal with particular issues you may be having. If you have no need for the particular updates, don't install them.

Windows Update has also been replaced with a more comprehensive Microsoft Update which checks for updates to Microsoft Office (more current versions only). As noted above, Windows 7 automatically downloads updates and doesn't use Internet Explorer directly to provide these.

Driver Updates Alternatives

Driver Updates may fix a problem with hardware, but I have had some Microsoft driver updates corrupt Windows installations so you might wish to go to the component manufacturer's site for an update. This has been particularly true for some video driver updates but can be fixed in Windows XP and later with the System Restore feature.

Return to top

Alternatives to Windows

There are Windows Alternatives

Other operating systems such as Linux and Apple's Macintosh offer fewer problems when it comes to virus propagation and other security issues. This is partly due to their relative smaller footprint in the computer world and partly due to better design. There are also lesser-known operating systems that may prove suitable to your needs.

Linux Distributions

Ubuntu Recommended

I strongly recommend Ubuntu, a FREE Linux operating system that is very easy to install and use, particularly if you don't run sophisticated Windows-based games. It will run faster than Windows on a comparable system and comes pre-installed with most of the software you'll need, including Firefox browser and Open Office, a powerful free alternative to Microsoft Office.

Netbook Remix

Ubuntu also comes in a version specifically designed for netbooks (those small laptop alternatives). The Netbook Remix is designed for the smaller screens of the newer portable mini-laptops. It has a different installer too, since there is no built-in CD/DVD player in these machines. Unlike Windows 7 basic, it is not a crippled operating system.

Many Flavours

While I like and recommend Ubuntu for ease of install and use, there are other distributions (distros/flavours) of Linux you can try. Be aware, however, that if you are familiar with Windows and not with Linux, there will be a learning curve.

Easy to Upgrade

Other software is downloaded and installed using an automatic packager. For example, I prefer Thunderbird to the pre-installed Evolution email program, but that is a preference based upon my familiarity with Thunderbird installed on Windows.

Unlike Windows, you can automatically upgrade a current version of Linux to the next version for FREE and, in most cases, without reinstalling everything.

Try it Without Installing It

You can even try Linux without installing it by booting from a "live CD" — which is easy to download as a disk image (ISO) and create a CD using existing Windows or Linux software. Most features are present, including the ability to surf the web, connect to a wired or wireless network, view or print a Word document and playing a video.

Easy to Use

Linux is often perceived to be "harder to use" than Windows. This is partly because it requires the use of a password to install and upgrade components (something that Vista and Windows 7 users will be more familiar with).

However, just as with Windows, everything is pretty much as automatic in current versions of Linux. In fact, it would be fairer to compare these older versions of Linux to DOS.

Potential Learning Curve

If you are familiar with Windows and not with Linux, there will be a learning curve. You will also have to abandon most of your Windows software, although free alternative exist for most applications and more sophisticated users can us Windows emulators (e.g. WINE) to run many Windows applications directly in Linux.

Get More Information

Get more information about the various distributions of Linux.

The Mac

Apple's Macintosh (the Mac) has become very popular with people tired of the battle with viruses and other issues with Microsoft Windows products. Apple controls both the hardware and the software production so there are fewer issues with support for obsolete technology and the interface is known for ease-of-use.

New Computer Required

Because Apple combines hardware with software, you'll need to purchase a new computer to run the Apple operating system unless you are already running an upgradable version of the Mac OS.

Potential Learning Curve

Again, if you are familiar with Windows and not with the Mac, there will be a learning curve. You'll have to purchase new versions of many of your software products although much of that will be obsolete if you're abandoning Windows because your hardware is obsolete. Also, there are Windows emulators which can be used in the Mac environment.

Macs Generally Cost More

A Mac also tends to cost more than Windows-based computers so be sure to compare with a comparably-priced Windows system if you decide to determine if the Mac is for you.

Get More Information

Get more information about Apple Macintosh.

Return to top

ActiveX: A Potential Security Risk

“There's nothing wrong with ActiveX as long as you trust completely the guy who wrote it, says research scientist Gary McGraw of Reliable Software Technologies.“
 

“But it's like leaving your office to go to lunch and running into some guy who says he'd really like to use your computer for the next hour, and letting him sit and do whatever he likes while you're away. But as far as running trusted code, it's a very powerful and useful technology.”
— quoted on CNET News

About the Information in this Section

Information in this section will inform you about the potential risks of using ActiveX. Microsoft has pursued .NET as an alternative to ActiveX as a result of these issues, but it doesn't hurt to be aware of the risks.

Recommend Disabling ActiveX

ActiveX is a proprietary alternative to Java designed to enhance the performance of programs and to allow for easier upgrades to the Windows operating system. However, the lack of security allows destructive programs to use this feature to access areas of your computer that they wouldn't otherwise be able to attack.

Java or ActiveX

Java Safer

The main difference between ActiveX and Java are the permissions available to the script. ActiveX can essentially access any area of your computer. Java is more restricted in its ability to access critical areas of your system so a rogue Java script can do less potential damage than a rogue ActiveX control.

A Historical Look at ActiveX Vulnerabilities

Read more about ActiveX and the dangers it can present. These pages are quite dated, but will help you to understand the issues involved.

Where You Can Trust ActiveX

Just remember that ActiveX should only be trusted to the extent that you would trust the owner of the site you are visiting. I'd suggest disabling unsigned ActiveX controls and those not marked as safe and be prompted for the rest.

How to Disable ActiveX

To disable ActiveX follow this procedure:

Note: If you completely disable ActiveX you will need to re-enable ActiveX if you want to obtain technical support or upgrades and fixes on Microsoft's site (including Windows Update).

The Prompt option will give you the option to run or not run the controls for any website you enter. This will be less of a bother if you don't use Internet Explorer is your primary browser.

Use Another Browser

Firefox Recommended

I strongly recommend that you use another browser (Firefox recommended) to surf the web. Only use Internet Explorer for Windows Update and where absolutely necessary. The IE View Firefox addon allows you to launch the current Firefox page displayed in Internet Explorer (Windows only), allowing you to use Firefox without worrying that you'll come onto a page that requires Internet Explorer (a rare event these days).

Return to top

Disabling Visual Basic Script

Older Windows Only — Most Users Not Affected Any Longer

Windows 95/98/Me/NT/2000 Only

One of the methods used by older Windows operating systems (Windows 95, 98, 2000 and NT systems) to achieve this communication between programs is Visual Basic Script (VBS). Since support for Windows 98/98SE/Me ended July 11, 2006 and support for Windows 2000 will end on July 13, 2010 (a few months from the time this was written), this issue will not affect many viewers.

It is strongly recommended that users running these versions of Windows upgrade immediately to Windows XP with SP3 or Windows 7 or install an alternative operating system, particularly if your computer is used on the Internet (and most are these days).

How to Disable VBS

However, you can disable VBS by following the procedures offered on the F-Secure site. There are instructions for removing Windows Scripting Host on Windows 95, 98, 2000 and NT systems.

Return to top

More About Related Issues

Protecting Your Online Identity

The following related pages offer more information about protecting your online identity:

Securing Your Computer

The following related pages offer more information about securing your computer:

Windows Basics

These pages give an overview of Windows, its versions history and expected life-cycle as well as concepts and terminology:

Return to top

www.RussHarvey.bc.ca/resources/windowssecurity.html
Updated: February 1, 2012