Windows Security
Vulnerabilities in Windows
This Affects All Windows Users
While the information on this page may not be light reading, you ignore it at your own peril.
Windows 7 is more secure and runs well on the more recent computers designed for Windows XP and Vista.
- Windows XP users not running at least Windows XP with Service Pack 3 (SP3) installed should immediately upgrade or move to Windows 7 or Windows 8.
- Avoid Windows Vista if you can, but if you are already running Vista, ensure you are running the latest Service Pack (SP2).
- If your computer is too old to upgrade, purchase a new computer to take advantage of newer hardware capabilities.
- Alternatively, install an alternative operating system, particularly if your computer is used on the Internet (most are these days).
Windows Updates & Service Packs
Install Windows Updates & Service Packs
Support Discontinued for Older Windows
When support is discontinued for a version of Windows, it means that Microsoft will no longer provide support or security updates, leaving your computer more vulnerable than a currently supported version of Windows with the recommended security updates and service packs (SP) installed.
There are two types of support:
- Mainstream support is provided to home and commercial users.
- Extended support is available to commercial customers only*.
Microsoft has discontinued support for the following versions of Windows:
- All support for Windows 98/98SE/Me expired on July 11, 2006; and
- All support for Windows 2000 expired on July 13, 2010.
- Mainstream support for Windows Vista expired on April 10, 2012.
Support Expiration for Current Windows
See the Windows Life-cycle of Support section on the Microsoft Windows page for current information about support for various versions of Windows and for explanations of the terms used.
- You can get information about the service life of any Microsoft product on their Select a Product for Lifecycle Information page.
- The full list of Windows versions is available on a separate page.
Ensure Your Windows is Current
The fact that most security software requires a minimum of Windows XP with Service Pack 3 (or Vista SP2) should tell you about the risks of earlier versions as well as unpatched systems:
- If you are running Windows XP, upgrade immediately to Service Pack 3, a free update.
- If you are running a bootleg (illegal) copy of Windows XP, the new Genuine Advantage program will deny updates to you. Obtain a legitimate license from Microsoft or see your vendor to rectify the issue.
- If a hardware upgrade is needed, you'd best consider a new computer.
- If your computer hardware will not support Windows XP with SP3 or isn't running Windows XP and you can't purchase a new computer, you'll want to look at installing another operating system like Ubuntu, a FREE operating system that is very easy to install and use.
Install and Run Automatic Windows Updates
While it is possible to continue to download updates or check for them manually, there is no reason to do so in these days of always-connected computers. Automatic Windows Updates ensure that you get timely updates. Many vulnerabilities are exploited by unscrupulous folks even when the vulnerability is not announced at the time a patch (update) is released.
Personal Choices are Important
There are a multitude of choices that you make (or can make) that will affect how secure your computer is. These can affect your privacy and the safety of your children while on-line.
You will find Bruce Schneier's discussion about Safe Personal Computing informative.
Beware of the Human Factor
People are too trusting of any warning that appears on their computer, particularly when visiting web sites with their browser.
The exception would be when you visit legitimate sites and run their software (after asking you first). Of course, it is difficult for many to determine what a legitimate site looks like.
It's Not Microsoft Phoning You
If you receive a phone call telling you that your computer is at risk, hang up.
No matter who they say they are, they aren't there to help you. The intent is to get you to:
- divulge information about your computer;
- open an exploitive website using your browser; or
- provide your credit card information for the "help" you're given.
Your best solution is to simply hang up.
Educate Yourself About the Risks
Check my Recommended Windows Software for some suggestions. Reading through my Self-Help Resources pages should help to educate you about many of the factors in learning to protect yourself while online.
Guard Physical Access to Your Computer
Don't forget that anyone with physical access to your computer can make changes to Windows or visit areas on the Web that pose a risk to your computer.
This includes using CDs, DVDs and other devices like USB thumb drives with unknown content. Some computer systems have been exploited by mailing CDs or leaving USB devices in a company parking lot. Someone is going to plug them into their computer and release whatever troublesome gremlins are installed on those devices!
Be Aware of the Trade-offs of "Ease-of-Use" with Windows
Two Analogies
Windows was built to be easy to use, with security apparently a casual afterthought — at least in versions earlier than Vista.
Consider the following analogies when deciding that "easier is better" in your computing experience:
Using Internet Explorer in Windows is like leaving your car parked downtown overnight with the doors unlocked, the windows rolled down and the keys in the ignition, then wondering why your car is gone in the morning.
While it may be inconvenient to install updates and use alternatives to the tightly intertwined (and therefore mutually-vulnerable) Microsoft programs, you might consider why your car has those inconvenient locks and seat belts. Cars once had neither, yet they were installed for a very good reason.
Think of the security of an apartment building or condo. Everyone uses the same key to gain access to the building but is supposed to have a different key for their apartment. But, what if the building supervisor just told you that your key was unique? That would make gaining access for maintenance easier, but your actual security would depend upon the reliability of your neighbours (and their guests).
In the same manner, interoperability between various Windows components and other Microsoft products makes everything function smoother — at least until a problem in one of the other "apartments" spreads.
One well-known example is how the vulnerabilities of Internet Explorer spread to Outlook because components of IE were used to display HTML (or “enhanced” email content). Microsoft “fixed” this by making MS Word responsible for the HTML content.
Easier is Not Necessarily Better
James Gleick illustrates the power of scripts in an article discussing some of the Windows vulnerabilities exploited by the I Love You virus. Social engineering is such that we are more likely to open an email (or click on an advertising link) that appeals either to our need for approval or to our fears.
Dangers of Administrator Privileges
The trade-off is between security and ease of use. While some of this control of functionality is included in Windows XP, some decisions have been made that increase overall risk.
Many Windows home computers have only one account, which includes all the administrator privileges (particularly with Windows XP and older versions).
Typically Linux users are much more aware of these dangers and tend to create a separate user account from the administrator account. Even the basic Linux install is more secure.
Vista's User Account Control
Windows Vista users are very familiar with the User Account Control (UAC) which became known for its intrusive nature. Windows 7 is somewhat less intrusive and it is easier to choose a level of security, but you can do so at your own peril (like deciding to buckle up your seat belt after you are in a serious collision).
While Windows is less secure than Linux, this allows for easier installs, upgrades and exchange of information, although recent versions of Linux provide a much easier interface even for beginners.
Vulnerabilities Are Relative
In addition to Windows, Linux and Mac also have vulnerabilities, as do browsers, email and other programs.
Beware of comparisons based on how many vulnerabilities each has, since one serious system-wide vulnerability can be much more dangerous than dozens of small potential weaknesses.
Always Install Windows Critical Updates
This section discusses some of the areas that you can address to improve the security of your Windows system.
To protect yourself from many of these vulnerabilities make sure you have the latest security patches for Windows and Office products you have installed:
- Windows 7 and Vista users will find Windows Update in the Control Panel (open the Control Panel then select Windows Update).
- Windows XP users can go to Windows Update* for updates to Windows or Microsoft Update* (recommended) for updates to both Windows and Microsoft Office products.
* Internet Explorer is required for Windows Update. Windows 7 users will see a note about using the built-in support for Windows Update if they visit Microsoft's update sites.
Weekly Maintenance Routine
Updates should be part of your weekly maintenance routine. You should maintain the updates to Internet Explorer (IE) even if you use another browser since IE is so tightly integrated into the Windows operating system.
In addition to updates to Windows, you should be checking your other security software (firewalls, antivirus and anti-spyware software) as well as updates for all the programs on your computer.
Daily Updates a Bare Minimum
You should be updating your security software at least daily — I recommend that you update several times a day. In the case of a serious attack, hourly updates may save your programs and data from ruin.
A 2004 study conducted by Symantec, best known for Norton Antivirus, determined that the time between the release of a patch and the release of malicious code to exploit it was only 5.8 days. At that time, weekly updates were a bare minimum. I assure you that the Internet has only become less friendly since then.
Windows Critical Updates
Windows has a Windows Critical Updates notification/installation utility. Most users should use Automatic Windows Updates.
I'd suggest at least being notified if you are on dialup or on a low-speed connection of any type and install them as soon as you are able. Delays can be costly.
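One way to check these points from a PowerShell prompt, as an added example that is not part of the original page: it compares the installed service pack with the minimums given above (XP SP3, Vista SP2), reads the Automatic Updates mode through the Windows Update Agent COM object, and reports how long ago an update was last installed. The function name and the 35-day threshold are assumptions made for this example.

```powershell
# Added example, not from the original page. Reports service pack level,
# Automatic Updates mode and days since the last successful update install.
function Get-UpdatePosture {
    # Assumption: a little over one monthly patch cycle without an install is stale.
    param([int]$MaxDaysSinceInstall = 35)

    # Minimum service pack per Windows version, as given on this page.
    $minSp = @{ '5.1' = 3; '6.0' = 2 }     # 5.1 = XP (SP3), 6.0 = Vista (SP2)

    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version
    $key = '{0}.{1}' -f $ver.Major, $ver.Minor
    $sp  = [int]$os.ServicePackMajorVersion

    # Windows Update Agent automation object (COM).
    $au    = New-Object -ComObject Microsoft.Update.AutoUpdate
    $level = [int]$au.Settings.NotificationLevel
    $levelText = @{ 0 = 'Not configured'; 1 = 'Disabled'
                    2 = 'Notify before download'; 3 = 'Notify before install'
                    4 = 'Scheduled install' }

    # LastInstallationSuccessDate is UTC; it is empty if nothing was installed.
    $last = $au.Results.LastInstallationSuccessDate
    $days = $null
    if ($last -is [datetime] -and $last.Year -gt 1900) {
        $days = [int][math]::Floor(((Get-Date).ToUniversalTime() - $last).TotalDays)
    }

    $findings = @()
    if ($minSp.ContainsKey($key) -and $sp -lt $minSp[$key]) {
        $findings += "Service Pack $sp installed; SP$($minSp[$key]) is the minimum"
    }
    if ($level -lt 2) {
        $findings += "Automatic Updates mode: $($levelText[$level])"
    }
    if ($days -eq $null -or $days -gt $MaxDaysSinceInstall) {
        $findings += "No successful update install in the last $MaxDaysSinceInstall days"
    }

    New-Object PSObject -Property @{
        OS = $os.Caption; ServicePack = $sp
        AutomaticUpdates = $levelText[$level]; DaysSinceInstall = $days
        Findings = $findings
    } | Select-Object OS, ServicePack, AutomaticUpdates, DaysSinceInstall, Findings
}

Get-UpdatePosture | Format-List
```

An empty Findings list means the machine meets the service pack minimum, has Automatic Updates at "notify" or better, and has installed an update recently.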
Windows Updates Options
There are three sections that show up in Windows Update:
- Critical Updates and Service Packs
- Windows Updates
- Driver Updates
Always install the Critical Updates and Service Packs when available. These are considered vital to the safety of your Windows system.
The Windows Updates can be chosen to deal with particular issues you may be having. If you have no need for the particular updates, don't install them.
Windows Update has also been replaced with a more comprehensive Microsoft Update which checks for updates to Microsoft Office (more current versions only). As noted above, Windows 7 automatically downloads updates and doesn't use Internet Explorer directly to provide these.
Driver Updates Alternatives
Driver Updates may fix a problem with hardware, but I have had some Microsoft driver updates corrupt Windows installations. You might wish to go to the component manufacturer's site to check for an update. This has been particularly true for some video driver updates but can be fixed with the System Restore feature.
Alternatives to Windows
There are Windows Alternatives
Other operating systems such as Linux and Apple's Macintosh offer fewer problems when it comes to virus propagation and other security issues.
This is partly due to their relatively smaller footprint in the computer world and partly due to better design. There have been more vulnerabilities in Apple computers since they've gained in popularity, so you should check for security solutions specific to your operating system to be safe.
There are also lesser-known operating systems that may prove suitable to your needs.
Linux Distributions
Ubuntu Recommended
I strongly recommend Ubuntu (or Mint), FREE Linux operating systems that are very easy to install and use, particularly if you don't run sophisticated Windows-based games. It will run faster than Windows on a comparable system and comes pre-installed with most of the software you'll need, including Firefox browser and LibreOffice or Apache OpenOffice, powerful free alternatives to Microsoft Office.
Netbook Remix
Ubuntu also comes in a version specifically designed for netbooks (those small laptop alternatives). The Netbook Remix is designed for the smaller screens of the newer portable mini-laptops. It has a different installer too, since there is no built-in CD/DVD player in these machines. Unlike Windows 7 basic, it is not a crippled operating system.
Many Flavours
While I like and recommend Ubuntu for ease of install and use, there are other distributions (distros/flavours) of Linux you can try. Be aware, however, if you are familiar with Windows and not with Linux, there will be a learning curve.
Easy to Upgrade
Other software is downloaded and installed using an automatic packager. For example, I prefer Thunderbird to the pre-installed Evolution email program, but that is a preference based upon my familiarity with Thunderbird installed on Windows.
Unlike Windows, you can automatically upgrade a current version of Linux to the next version for FREE and, in most cases, without reinstalling everything.
Try It Without Installing It
You can even try Linux without installing it by booting from a "live CD" — which is easy to download as a disk image (ISO) and burn to a CD/DVD using existing Windows or Linux software. Most features are present, including the ability to surf the web, connect to a wired or wireless network, view or print a document and play a video.
Easy to Use
Linux is often perceived to be "harder to use" than Windows. This is partly because it requires the use of a password to install and upgrade components (something that Vista and Windows 7 users will be more familiar with).
However, just as with Windows, everything is pretty much automatic in current versions of Linux. In fact, it would be fairer to compare older versions of Linux to DOS (a command-line precursor to Windows).
Potential Learning Curve
If you are familiar with Windows and not with Linux, there will be a learning curve. You will also have to abandon most of your Windows software, although free alternatives exist for most applications and more sophisticated users can use Windows emulators (e.g. WINE) to run many Windows applications directly in Linux.
Get More Information
Get more information about the various distributions of Linux.
The Mac
Apple's Macintosh (the Mac) has become very popular with people tired of the battle with viruses and other issues with Microsoft Windows products. Apple controls both the hardware and the software production so there are fewer issues with support for obsolete technology and Apple is known for ease-of-use whether it be a desktop, laptop or tablet.
New Computer Required
Because Apple combines hardware with software, you'll need to purchase a new computer to run the Apple operating system unless you are already running an upgradable version of the Mac OS.
Potential Learning Curve
Again, if you are familiar with Windows and not with the Mac, there will be a learning curve. You'll have to purchase new versions of many of your software products or find alternatives. Also, there are Windows emulators which can be used in the Mac environment.
Macs Generally Cost More
Be sure to make a fair comparison. Even the least expensive Mac tends to cost more than Windows-based computers in the same category.
A comparably-priced Windows system would be more realistic or you'll be doing the equivalent of comparing the cheapest BMW to the cheapest Ford. Compare a laptop with similar features or a desktop with similar capabilities.
Get More Information
Get more information about Apple Macintosh.
ActiveX: A Potential Security Risk
Information in this section will inform you about the potential risks of using ActiveX. Microsoft has pursued .NET as an alternative to ActiveX as a result of these issues, but it doesn't hurt to be aware of the risks.
There's nothing wrong with ActiveX as long as you trust completely the guy who wrote it,
says research scientist Gary McGraw of Reliable Software Technologies.
But it's like leaving your office to go to lunch and running into some guy who says he'd really like to use your computer for the next hour, and letting him sit and do whatever he likes while you're away. But as far as running trusted code, it's a very powerful and useful technology.
— quoted on CNET News
Recommend Disabling ActiveX
ActiveX is a proprietary alternative to Java designed to enhance the performance of programs and to allow for easier upgrades to the Windows operating system. However, the lack of security allows destructive programs to use this feature to access areas of your computer that they wouldn't otherwise be able to attack.
Java or ActiveX
Java Safer
The main difference between ActiveX and Java is the permissions available to the script.
- ActiveX can essentially access any area of your computer.
- A rogue Java script can do less potential damage than a rogue ActiveX control.
The Java security model is based on a customizable “sandbox” in which Java software programs can run safely, without potential risk to systems or users.
— Java SE Security
That is not to say that Java has no vulnerabilities. Java 7 before Update 12 suffered a major vulnerability that was corrected quickly.
A Historical Look at ActiveX Vulnerabilities
Read more about ActiveX and the dangers it can present. These pages are quite dated, but will help you to understand the issues involved.
- inActiveX: A CNET special report — see the various reports linked in this section, particularly, A question of safety.
- Security Tradeoffs: Java vs. ActiveX
- Load ActiveX Controls on Vista Without Administrator Privileges
- Exploder demonstrated the potential dangers of signed ActiveX controls in Windows 95 systems.
Where You Can Trust ActiveX
Just remember that ActiveX should only be trusted to the extent that you would trust the owner of the site you are visiting. I'd suggest disabling unsigned ActiveX controls and those not marked as safe and be prompted for the rest.
How to Disable ActiveX
To disable ActiveX in Windows XP follow this procedure:
- Open the Control Panel, then click on the Internet Options icon.
- Click on the Security tab.
- Click on the Custom Level button. Change the ActiveX settings to Prompt or to Disable ActiveX controls.
Note: If you completely disable ActiveX you will need to re-enable ActiveX if you want to obtain technical support or upgrades and fixes on Microsoft's site (including Windows Update).
The Prompt option will give you the option to run or not run the controls for any website you enter. This will be less of a bother if you don't use Internet Explorer as your primary browser.
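The same Custom Level settings can be checked from PowerShell, shown here as an added example that is not part of the original page. It reads the current user's Internet zone ActiveX actions from the registry and compares them with the advice above (disable unsigned controls and controls not marked as safe, prompt for the rest); the function name and the `-Apply` switch are assumptions made for this example.

```powershell
# Added example, not from the original page. Audits (and with -Apply, sets)
# the current user's ActiveX actions for an Internet Explorer security zone.
# Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ActionText = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Target state from the advice above: disable unsigned controls and controls
# not marked as safe; prompt for the rest.
$Desired = @(
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';            Want = 3 }
    @{ Id = '1201'; Name = 'Initialize/script controls not marked as safe'; Want = 3 }
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';              Want = 1 }
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';             Want = 1 }
    @{ Id = '1405'; Name = 'Script controls marked safe for scripting';     Want = 1 }
)

function Get-ActiveXZoneAudit {
    param(
        # Zones\3 is the Internet zone.
        [string]$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
        [switch]$Apply
    )
    if ($Apply -and -not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction SilentlyContinue

    foreach ($s in $Desired) {
        $current = $null
        if ($props) { $current = $props.($s.Id) }

        # Strictness order is Enable (0) < Prompt (1) < Disable (3), so a
        # numeric comparison works for the three known values.
        if ($current -eq $null) { $status = 'NotSet' }
        elseif (-not $ActionText.ContainsKey([int]$current)) { $status = 'Review' }
        elseif ($current -ge $s.Want) { $status = 'OK' }
        else { $status = 'TooPermissive' }

        # Only tighten: never relax a setting that is already stricter.
        if ($Apply -and ($status -eq 'NotSet' -or $status -eq 'TooPermissive')) {
            Set-ItemProperty -Path $ZoneKey -Name $s.Id -Value $s.Want -Type DWord
            $current = $s.Want
            $status  = 'Fixed'
        }

        $shown = "$current"
        if ($current -ne $null -and $ActionText.ContainsKey([int]$current)) {
            $shown = $ActionText[[int]$current]
        }
        New-Object PSObject -Property @{
            Id = $s.Id; Setting = $s.Name; Current = $shown
            Wanted = $ActionText[$s.Want]; Status = $status
        } | Select-Object Id, Setting, Current, Wanted, Status
    }
}

Get-ActiveXZoneAudit | Format-Table -AutoSize
```

Because running controls is set to Prompt rather than Disable, sites that need ActiveX (such as Windows Update on Windows XP) can still be allowed case by case. If a matching key exists under `Software\Policies`, pass it with `-ZoneKey` to audit it as well, since policy settings take precedence over the user's own.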
Microsoft's ActiveX Resources
Use Another Browser
Firefox Recommended
I strongly recommend that you use another browser to surf the web (Firefox recommended). Only use Internet Explorer for Windows Update and where absolutely necessary. The IE View Firefox addon allows you to open the page currently displayed in Firefox in Internet Explorer (Windows only), allowing you to use Firefox without worrying that you'll come onto a page that requires Internet Explorer (a rare event these days).
www.RussHarvey.bc.ca/resources/windowssecurity.html
Updated: May 9, 2013
