Russ Harvey Consulting - Computer and Internet Services

Windows Security

Vulnerabilities in Windows


All Windows Versions are Vulnerable

Ignore Windows security at your own peril.

Beware of the Human Factor

People are too trusting of any warning that appears on their computer, particularly when visiting websites with their browser.

James Gleick illustrated this human factor in an article discussing some of the Windows vulnerabilities exploited by the I Love You virus. We are more likely to open an email (or click on an advertising link) that appeals to our need for approval or caters to our fears.

Virtually all scanners that suddenly appear on your screen warning about dozens or hundreds of vulnerabilities on your computer are scams.

The exception would be when you visit legitimate sites and run their software (which asks your permission first). Of course, it is difficult for many to determine what a legitimate site looks like.

No, It's Not Microsoft Phoning You

If you receive a phone call telling you that your computer is at risk, hang up.

They are NOT Microsoft (or anyone legitimate) NOR are they trying to help you. Their goal? To get you to:

  • divulge information about your computer;
  • open an exploitive website using your browser; or
  • provide your credit card information for the "help" you're given.

Your best solution is to simply hang up.

Educate Yourself About the Risks

My Recommended Windows Software lists software I recommend for my clients. Peruse the Computer & Internet Security pages to learn how to protect yourself and your family while online.

Guard Physical Access to Your Computer

Anyone with physical access to your computer can make changes to Windows or visit areas on the Web that pose a risk to your computer. That physical access can be through malicious software on a removable storage device.

Computer systems have been exploited by mailing CDs or leaving USB thumb drives in a company parking lot. Someone is going to plug them into their computer and release whatever troublesome gremlins are installed!

Windows "Ease-of-Use" is a Trade-off

Windows was built to be easy to use, with security apparently a casual afterthought — at least in versions earlier than Vista. The trade-off is between security and ease of use.

Two Analogies: Apartments and Vehicles

Consider the following analogies when deciding that "easier is better" in your computing experience:

Using Internet Explorer in Windows is like leaving your car parked downtown overnight with the doors unlocked, the windows rolled down and the keys in the ignition, then wondering why your car is gone in the morning.

Installing updates and alternatives to programs built into Windows is inconvenient, but consider why your car has those inconvenient locks and seat belts. Cars once had neither, yet they are now installed — for a very good reason.

The front door key to an apartment building is the same for everyone. What if the building supervisor provided the same key for every apartment and allowed you to think that your apartment key was unique? Access for maintenance would be easier, but your unit's physical security would be severely compromised.

Microsoft Interoperability

Similarly, various Windows components and Microsoft Office products are highly integrated, making everything function smoothly. Because of that interoperability, weaknesses in one program (or component) can quickly spread to others.

For example, vulnerabilities in Internet Explorer spread to Outlook because components of IE were used to display the HTML (or “enhanced”) email content. Microsoft “fixed” this by making MS Word responsible for the HTML content.

I've recommended email programs and web browsers that don't integrate with Windows to prevent that sort of weakness.

The Dangers of Administrator Privileges

Most Windows computers only have one account that runs with full administrator privileges.

However, most Linux users are much more aware of these dangers and tend to create a separate user account from the administrator account. Changes to the system require the administrator's password, even in the basic Linux install.

Vista's User Account Control

Windows Vista users are very familiar with User Account Control (UAC), which became known for its intrusive nature. Windows 7 is somewhat less intrusive and allows the user to choose a lesser level of security, leaving you more vulnerable. Degrading the security level is riskier, like deciding to buckle up your seat belt after you are in a serious car collision.
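The following read-only PowerShell check is an added example, not part of the original page. It reports whether the current session is elevated, who belongs to the local Administrators group, and which UAC level is configured. The level names are descriptive labels chosen for this example, and the mapping of registry values to the UAC slider positions is the commonly documented one.

```powershell
# Added example: audit the current account and the UAC configuration (read-only).

# 1. Is this session running with an elevated administrator token?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Who is in the local Administrators group?
#    S-1-5-32-544 is the well-known SID; translating it avoids relying on
#    the English group name on localized systems.
$adminSid  = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
$groupName = $adminSid.Translate([Security.Principal.NTAccount]).Value.Split('\')[1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$admins    = @($group.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# 3. Which UAC level is configured?
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key
$consent = $uac.ConsentPromptBehaviorAdmin
$secure  = $uac.PromptOnSecureDesktop

if     ($uac.EnableLUA -eq 0)                 { $level = 'UAC disabled (least secure)' }
elseif ($consent -eq 2 -and $secure -eq 1)    { $level = 'Always notify (most secure)' }
elseif ($consent -eq 5 -and $secure -eq 1)    { $level = 'Notify on program changes (default)' }
elseif ($consent -eq 5 -and $secure -eq 0)    { $level = 'Notify without secure desktop (weaker)' }
elseif ($consent -eq 0)                       { $level = 'Never notify (least secure)' }
else                                          { $level = "Custom policy ($consent / $secure)" }

# Report as one object so the result can be logged or compared over time.
New-Object PSObject -Property @{
    User           = $identity.Name
    Elevated       = $elevated
    Administrators = ($admins -join ', ')
    UacLevel       = $level
}
```

If `Administrators` lists the account used for everyday work, create a separate standard account for daily use and keep the administrator account for installs and system changes.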

While Windows is less secure than Linux, this allows for easier installs, upgrades and exchange of information, although recent versions of Linux provide a much easier interface, even for beginners.

Vulnerabilities Are Relative

In addition to Windows, Linux and Mac also have vulnerabilities, as do browsers, email and other programs.

Beware of comparisons based on how many vulnerabilities there are rather than the severity of the security breach. One serious system-wide vulnerability can be much more dangerous than dozens of small potential weaknesses.

Always Install Windows Critical Updates

This section discusses some of the areas that you can address to improve the security of your Windows system.

To protect yourself from many of these vulnerabilities, make sure you have the latest security patches for Windows and any Office products you have installed:

  • Windows 7 and Vista users will find Windows Update in the Control Panel (open the Control Panel then select Windows Update).

* Internet Explorer is required for Windows Update. Windows 7 users will see a note about using the built-in support for Windows Update if they visit Microsoft's update sites.

Is Your System Mission Critical?

Microsoft tends to run all their updates once a month on “patch Tuesday.” The downside to this is that some updates in large batches can create problems (thankfully, relatively rare).

For this reason, some administrators of “mission critical” systems wait to find out if there are problems with patches before updating. This is not recommended for home users because downtime due to such problems is an inconvenience, not something that will put lives or critical systems in jeopardy.

Weekly Maintenance Routine

Updates should be part of your weekly maintenance routine. You should maintain the updates to Internet Explorer (IE) even if you use another browser since IE is so tightly integrated into the Windows operating system.

As well as updates to Windows, you should be checking your other security software (firewalls, antivirus and anti-spyware software) as well as updates for all the programs on your computer.

Daily Security Updates a Bare Minimum

You should be updating your security software at least daily — I recommend that you update several times a day. In the case of a serious attack, hourly updates may save your programs and data from ruin.

A 2004 study conducted by Symantec, best known for Norton Antivirus, determined that the time between the release of a patch and the release of malicious code to exploit it was only 5.8 days. At that time, weekly updates were a bare minimum. I assure you that the Internet has only become less friendly since then.

Windows Critical Updates

Windows has a Windows Critical Updates notification/installation utility. Most users should use Automatic Windows Updates.

If you are on a low-speed connection of any type, I'd suggest at least being notified of updates and installing them as soon as you are able. Delays can be costly.

Windows Updates Options

Windows Updates are classified as Important updates and Recommended updates.

Always install the Critical Updates and Service Packs when available. These are considered vital to the safety of your Windows system.

Recommended Windows Updates may deal with specific issues some users are having. If you have no need for the particular updates, don't install them.

Windows Update can also check for updates to Microsoft Office (more current versions only). Windows 7 and later automatically download updates and don't use Internet Explorer directly to provide these.
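To see what is still outstanding on a machine, the Windows Update Agent can be queried from PowerShell. This is an added example, not part of the original page: it only lists pending software updates (nothing is downloaded or installed) and flags any that have been available longer than the 5.8-day figure quoted above. Treating the agent's `AutoSelectOnWebSites` flag as "Important" is an approximation made for this example.

```powershell
# Added example: list pending Windows updates by severity and age (read-only).
# $maxAgeDays uses the 5.8-day patch-to-exploit figure cited on this page.
$maxAgeDays = 5.8

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Type='Software' leaves driver updates out of the list.
$result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$pending = @(foreach ($u in $result.Updates) {
    # MsrcSeverity is empty for updates without a security rating.
    $severity = $u.MsrcSeverity
    if (-not $severity) { $severity = 'Unrated' }

    $ageDays = [math]::Round(((Get-Date) - $u.LastDeploymentChangeTime).TotalDays, 1)

    New-Object PSObject -Property @{
        Severity  = $severity
        Important = $u.AutoSelectOnWebSites   # approximation, see lead-in
        AgeDays   = $ageDays
        Overdue   = ($severity -ne 'Unrated' -and $ageDays -gt $maxAgeDays)
        Title     = $u.Title
    }
})

if ($pending.Count -eq 0) {
    'No pending software updates.'
} else {
    # Overdue security-rated updates first, then oldest first.
    $pending |
        Sort-Object @{ Expression = 'Overdue'; Descending = $true },
                    @{ Expression = 'AgeDays'; Descending = $true } |
        Format-Table Overdue, Severity, Important, AgeDays, Title -AutoSize
}
```

Any row with `Overdue` set to `True` is a security-rated update that has been available longer than the window in which exploit code has historically appeared.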

Driver Updates Alternatives

Driver Updates may fix a problem with hardware, but I have experienced some Microsoft driver updates corrupting my Windows installations. You might wish to go to the component manufacturer's site to check for an update, particularly for video driver updates. System Restore provides a recovery solution if such a problem arises.


There are Windows Alternatives

Other operating systems such as Linux and Apple's Macintosh offer fewer problems when it comes to virus propagation and other security issues.

This is partly due to their relatively smaller footprint in the computer world and partly due to better design. There have been more vulnerabilities in Apple computers since they've gained in popularity, so you should check for security solutions specific to your operating system to be safe.

There are also lesser-known operating systems that may prove suitable to your needs.

Vulnerabilities Still Exist

All software (including operating systems) has vulnerabilities. Even if you move to an alternative to Windows, you'll have to update and monitor vulnerabilities.

Moving from Windows also means you'll experience a learning curve, but perhaps that is an acceptable cost.


ActiveX: A Potential Security Risk

There's nothing wrong with ActiveX as long as you trust completely the guy who wrote it, says research scientist Gary McGraw of Reliable Software Technologies.

But it's like leaving your office to go to lunch and running into some guy who says he'd really like to use your computer for the next hour, and letting him sit and do whatever he likes while you're away. But as far as running trusted code, it's a very powerful and useful technology.
— quoted on CNET News

Should I Install ActiveX Controls?

Maybe. You should be cautious about installing ActiveX controls, sometimes called addons, on your computer, even if they have a valid digital signature. While ActiveX controls can enhance web browsing, they might also pose a security risk, and it's best to avoid using them if the webpage will work without them. However, some websites or tasks might require them, and if the content or task is important to you, you will have to decide whether to install the ActiveX control.
Microsoft

Microsoft suggests that before installing an ActiveX control, you should consider the following:

  • Were you expecting to receive this control?
  • Do you trust the website providing the control?
  • Do you know what the control is for and what it will do to your computer?


Java is Safer

Underlying the Java SE Platform is a dynamic, extensible security architecture, standards-based and interoperable. Security features — cryptography, authentication and authorization, public key infrastructure, and more — are built in. The Java security model is based on a customizable 'sandbox' in which Java software programs can run safely, without potential risk to systems or users.
Java SE Security

That is not to say that Java has no vulnerabilities. Java is one of the three most common vulnerabilities (the other two being Adobe Flash and Adobe Reader), which is why Firefox disables Java by default (recommended).

Always remove older versions of Java so that you're not exposing your computer to vulnerabilities that have been patched with more recent updates.

Restrict the Use of Internet Explorer

I strongly recommend that you DON'T use Internet Explorer to surf the Web. It is rarely required elsewhere (a couple of exceptions are Microsoft FixIt solutions and some Symantec utilities).

Firefox Recommended

Instead, I recommend Firefox as your primary browser.

The Firefox add-on IE View allows you to launch the current Firefox page in Internet Explorer (Windows only), allowing you to use Firefox without worrying that you'll come onto a page that requires Internet Explorer.


www.RussHarvey.bc.ca/resources/windowssecurity.html
Updated: September 4, 2014


Update Windows

Updates & Service Packs

You should be running Windows Update automatically (unless your computer is mission critical) and have the most recent Service Pack (SP) installed for your version of Windows.

Discontinue Using Older Windows

When support is discontinued for a version of Windows, it means that Microsoft will no longer provide support or security updates, leaving your computer vulnerable.

Support for Windows XP expired on April 8, 2014 and you should no longer be running XP.

  • If you are running Windows XP, upgrade immediately.
  • If a hardware upgrade is needed, you'd best consider a new computer.
  • If your computer hardware will not support Windows 7 or 8.1 and you can't purchase a new computer, you'll want to look at installing another operating system like Linux, a FREE operating system that is very easy to install and use.

This site has information about Windows Life-cycle of Support on the Microsoft Windows page.

Windows Updates

While it is possible to continue to download updates or check for them manually, there is no reason to do so in these days of always-connected computers.

Automatic Windows Updates ensure that you get timely updates. Many vulnerabilities are used by unscrupulous folks even if the vulnerability is not announced when a patch (update) is released.

Personal Choices are Important

There are a multitude of choices that you make (or can make) that will affect how secure your computer is.

You should be concerned about your privacy as well as the safety of your children while on-line.

You will find Bruce Schneier's discussion about Safe Personal Computing informative.
