Windows Security

Vulnerabilities in Windows


This Affects All Windows Users

While the information on this page may not be light reading, you ignore it at your own peril.

Windows 7 is more secure and runs well on the more recent computers designed for Windows XP and Vista.

Windows Updates & Service Packs

Install Windows Updates & Service Packs

Support Discontinued for Older Windows

When support is discontinued for a version of Windows, it means that Microsoft will no longer provide support or security updates, leaving your computer more vulnerable than a currently supported version of Windows with the recommended security updates and service packs (SP) installed.

There are two types of support:

Microsoft has discontinued support for the following versions of Windows:

Support Expiration for Current Windows

See the Windows Life-cycle of Support section on the Microsoft Windows page for current information about support for various versions of Windows and for explanations of the terms used.

Ensure Your Windows is Current

The fact that most security software requires a minimum of Windows XP with Service Pack 3 (or Vista SP2) should tell you about the risks of earlier versions as well as unpatched systems:

Install and Run Automatic Windows Updates

While it is possible to continue to download updates or check for them manually, there is no reason to do so in these days of always-connected computers. Automatic Windows Updates ensure that you get timely updates. Unscrupulous folks exploit many vulnerabilities even when the vulnerability was not announced at the time its patch (update) was released.

Personal Choices are Important

There are a multitude of choices that you make (or can make) that will affect how secure your computer is. These can affect your privacy and the safety of your children while on-line.

You will find Bruce Schneier's discussion about Safe Personal Computing informative.

Beware of the Human Factor

People are too trusting of any warning that appears on their computer, particularly when visiting web sites with their browser.

Virtually all scanners that suddenly appear on your screen warning about dozens or hundreds of vulnerabilities on your computer are scams.

The exception would be when you visit legitimate sites and run their software (after asking you first). Of course, it is difficult for many to determine what a legitimate site looks like.

It's Not Microsoft Phoning You

If you receive a phone call telling you that your computer is at risk, hang up.

No matter who they say they are, they aren't there to help you. The intent is to get you to

  • divulge information about your computer;
  • open an exploitive website using your browser; or
  • provide your credit card information for the "help" you're given.

Your best solution is to simply hang up.

Educate Yourself About the Risks

Check my Recommended Windows Software for some suggestions. Reading through my Self-Help Resources pages should help to educate you about many of the factors in learning to protect yourself while online.

Guard Physical Access to Your Computer

Don't forget that anyone with physical access to your computer can make changes to Windows or visit areas on the Web that pose a risk to your computer.

This includes using CDs, DVDs and other devices like USB thumb drives with unknown content. Some computer systems have been exploited by mailing CDs or leaving USB devices in a company parking lot. Someone is going to plug them into their computer and release whatever troublesome gremlins are installed on those devices!

Be Aware of the Trade-offs of "Ease-of-Use" with Windows

Two Analogies

Windows was built to be easy to use, with security apparently a casual afterthought — at least in versions earlier than Vista.

Consider the following analogies when deciding that "easier is better" in your computing experience:

Using Internet Explorer in Windows is like leaving your car parked downtown overnight with the doors unlocked, the windows rolled down and the keys in the ignition, then wondering why your car is gone in the morning.

While it may be inconvenient to install updates and use alternatives to the tightly intertwined (and therefore mutually-vulnerable) Microsoft programs, you might consider why your car has those inconvenient locks and seat belts. Cars once had neither, yet they were installed for a very good reason.

Think of the security of an apartment building or condo. Everyone uses the same key to gain access to the building but is supposed to have a different key for their apartment. But, what if the building supervisor just told you that your key was unique? That would make gaining access for maintenance easier, but your actual security would depend upon the reliability of your neighbours (and their guests).

In the same manner, interoperability between various Windows components and other Microsoft products makes everything function smoother — at least until a problem in one of the other "apartments" spreads.

One well-known example is how the vulnerabilities of Internet Explorer spread to Outlook because components of IE were used to display HTML (or “enhanced” email content). Microsoft “fixed” this by making MS Word responsible for the HTML content.

Easier is Not Necessarily Better

James Gleick illustrates the power of scripts in an article discussing some of the Windows vulnerabilities exploited by the I Love You virus. Social engineering is such that we are more likely to open an email (or click on an advertising link) that appeals either to our need for approval or to our fears.

Dangers of Administrator Privileges

The trade-off is between security and ease of use. While some of this control of functionality is included in Windows XP, some decisions have been made that increase overall risk.

Many Windows home computers have only one account, which includes all the administrator privileges (particularly with Windows XP and older versions).

Typically Linux users are much more aware of these dangers and tend to create a separate user account from the administrator account. Even the basic Linux install is more secure.

Vista's User Account Control

Windows Vista users are very familiar with the User Account Control (UAC) which became known for its intrusive nature. Windows 7 is somewhat less intrusive and it is easier to choose a level of security, but you can do so at your own peril (like deciding to buckle up your seat belt after you are in a serious collision).

While Windows is less secure than Linux, this allows for easier installs, upgrades and exchange of information, although recent versions of Linux provide a much easier interface even for beginners.

Vulnerabilities Are Relative

In addition to Windows, Linux and Mac also have vulnerabilities, as do browsers, email and other programs.

Beware of comparisons based on the number of vulnerabilities, since one serious system-wide vulnerability can be much more dangerous than dozens of small potential weaknesses.

Always Install Windows Critical Updates

This section discusses some of the areas that you can address to improve the security of your Windows system.

To protect yourself from many of these vulnerabilities make sure you have the latest security patches for Windows and Office products you have installed:

* Internet Explorer is required for Windows Update. Windows 7 users will see a note about using the built-in support for Windows Update if they visit Microsoft's update sites.

Weekly Maintenance Routine

Updates should be part of your weekly maintenance routine. You should maintain the updates to Internet Explorer (IE) even if you use another browser since IE is so tightly integrated into the Windows operating system.

As well as updates to Windows, you should be checking your other security software (firewalls, antivirus and anti-spyware software) as well as updates for all the programs on your computer.

Daily Updates a Bare Minimum

You should be updating your security software at least daily — I recommend that you update several times a day. In the case of a serious attack, hourly updates may save your programs and data from ruin.

A 2004 study conducted by Symantec, best known for Norton Antivirus, determined that the time between the release of a patch and the release of malicious code to exploit it was only 5.8 days. At that time, weekly updates were a bare minimum. I assure you that the Internet has only become less friendly since then.

Windows Critical Updates

Windows has a Windows Critical Updates notification/installation utility. Most users should use Automatic Windows Updates.

If you are on dialup or a low-speed connection of any type, I'd suggest at least being notified of updates and installing them as soon as you are able. Delays can be costly.

Windows Updates Options

There are three sections that show up in Windows Update:

Always install the Critical Updates and Service Packs when available. These are considered vital to the safety of your Windows system.

The Windows Updates can be chosen to deal with particular issues you may be having. If you have no need for the particular updates, don't install them.

Windows Update has also been replaced with a more comprehensive Microsoft Update which checks for updates to Microsoft Office (more current versions only). As noted above, Windows 7 automatically downloads updates and doesn't use Internet Explorer directly to provide these.

Driver Updates Alternatives

Driver Updates may fix a problem with hardware, but I have had some Microsoft driver updates corrupt Windows installations. You might wish to go to the component manufacturer's site to check for an update. This has been particularly true for some video driver updates but can be fixed with the System Restore feature.

Alternatives to Windows

There are Windows Alternatives

Other operating systems such as Linux and Apple's Macintosh offer fewer problems when it comes to virus propagation and other security issues.

This is partly due to their relatively smaller footprint in the computer world and partly due to better design. There have been more vulnerabilities in Apple computers since they've gained in popularity, so you should check for security solutions specific to your operating system to be safe.

There are also lesser-known operating systems that may prove suitable to your needs.

Linux Distributions

Ubuntu Recommended

I strongly recommend Ubuntu (or Mint), FREE Linux operating systems that are very easy to install and use, particularly if you don't run sophisticated Windows-based games. It will run faster than Windows on a comparable system and comes pre-installed with most of the software you'll need, including the Firefox browser and LibreOffice or Apache OpenOffice, powerful free alternatives to Microsoft Office.

Netbook Remix

Ubuntu also comes in a version specifically designed for netbooks (those small laptop alternatives). The Netbook Remix is designed for the smaller screens of the newer portable mini-laptops. It has a different installer too, since there is no built-in CD/DVD player in these machines. Unlike Windows 7 basic, it is not a crippled operating system.

Many Flavours

While I like and recommend Ubuntu for ease of install and use, there are other distributions (distros/flavours) of Linux you can try. Be aware, however, if you are familiar with Windows and not with Linux, there will be a learning curve.

Easy to Upgrade

Other software is downloaded and installed using an automatic packager. For example, I prefer Thunderbird to the pre-installed Evolution email program, but that is a preference based upon my familiarity with Thunderbird installed on Windows.

Unlike Windows, you can automatically upgrade a current version of Linux to the next version for FREE and, in most cases, without reinstalling everything.

Try It Without Installing It

You can even try Linux without installing it by booting from a "live CD" — which is easy to download as a disk image (ISO) and burn to a CD/DVD using existing Windows or Linux software. Most features are present, including the ability to surf the web, connect to a wired or wireless network, view or print a document and play a video.

Easy to Use

Linux is often perceived to be "harder to use" than Windows. This is partly because it requires the use of a password to install and upgrade components (something that Vista and Windows 7 users will be more familiar with).

However, just as with Windows, pretty much everything is automatic in current versions of Linux. In fact, it would be fairer to compare the older versions of Linux to DOS (a command-line precursor to Windows).

Potential Learning Curve

If you are familiar with Windows and not with Linux, there will be a learning curve. You will also have to abandon most of your Windows software, although free alternatives exist for most applications and more sophisticated users can use Windows emulators (e.g. WINE) to run many Windows applications directly in Linux.

Get More Information

Get more information about the various distributions of Linux.

The Mac

Apple's Macintosh (the Mac) has become very popular with people tired of the battle with viruses and other issues with Microsoft Windows products. Apple controls both the hardware and the software production so there are fewer issues with support for obsolete technology and Apple is known for ease-of-use whether it be a desktop, laptop or tablet.

New Computer Required

Because Apple combines hardware with software, you'll need to purchase a new computer to run the Apple operating system unless you are already running an upgradable version of the Mac OS.

Potential Learning Curve

Again, if you are familiar with Windows and not with the Mac, there will be a learning curve. You'll have to purchase new versions of many of your software products or find alternatives. Also, there are Windows emulators which can be used in the Mac environment.

Macs Generally Cost More

Be sure to make a fair comparison. Even the least expensive Mac tends to cost more than Windows-based computers in the same category.

A comparably-priced Windows system would be more realistic or you'll be doing the equivalent of comparing the cheapest BMW to the cheapest Ford. Compare a laptop with similar features or a desktop with similar capabilities.

Get More Information

Get more information about Apple Macintosh.

ActiveX: A Potential Security Risk

This section describes the potential risks of using ActiveX. Microsoft has pursued .NET as an alternative to ActiveX as a result of these issues, but it doesn't hurt to be aware of the risks.

“There's nothing wrong with ActiveX as long as you trust completely the guy who wrote it,” says research scientist Gary McGraw of Reliable Software Technologies.

“But it's like leaving your office to go to lunch and running into some guy who says he'd really like to use your computer for the next hour, and letting him sit and do whatever he likes while you're away. But as far as running trusted code, it's a very powerful and useful technology.”
— quoted on CNET News

Recommend Disabling ActiveX

ActiveX is a proprietary alternative to Java designed to enhance the performance of programs and to allow for easier upgrades to the Windows operating system. However, the lack of security allows destructive programs to use this feature to access areas of your computer that they wouldn't otherwise be able to attack.

Java or ActiveX

Java Safer

The main difference between ActiveX and Java is the permissions available to the script.

The Java security model is based on a customizable “sandbox” in which Java software programs can run safely, without potential risk to systems or users.
Java SE Security

That is not to say that Java has no vulnerabilities. Java 7 before Update 12 suffered a major vulnerability that was corrected quickly.

A Historical Look at ActiveX Vulnerabilities

Read more about ActiveX and the dangers it can present. These pages are quite dated, but will help you to understand the issues involved.

Where You Can Trust ActiveX

Just remember that ActiveX should only be trusted to the extent that you would trust the owner of the site you are visiting. I'd suggest disabling unsigned ActiveX controls and those not marked as safe, and being prompted for the rest.

How to Disable ActiveX

To disable ActiveX in Windows XP follow this procedure:

Note: If you completely disable ActiveX you will need to re-enable ActiveX if you want to obtain technical support or upgrades and fixes on Microsoft's site (including Windows Update).

The Prompt option will give you the option to run or not run the controls for any website you enter. This will be less of a bother if you don't use Internet Explorer as your primary browser.
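The recommendation in this section (disable unsigned controls and controls not marked as safe, prompt for the rest) corresponds to per-zone settings that Internet Explorer keeps in the registry. The PowerShell audit below is an added example, not part of the original page; it assumes PowerShell is available (it ships with Windows 7), reads only the current user's Internet zone, and treats "the rest" as the three remaining ActiveX actions listed in the script.

```powershell
# Added example (not from the original page): read-only audit of Internet
# Explorer's ActiveX settings for the Internet zone (zone 3), current user.
# Action numbers and values are Microsoft's documented zone settings:
# 0 = Enable, 1 = Prompt, 3 = Disable.
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Assumption: "prompted for the rest" is read as Prompt for 1001, 1200 and 1405.
$policy = @(
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';         Want = 3 },
    @{ Id = '1201'; Name = 'Initialize/script controls not marked safe'; Want = 3 },
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';           Want = 1 },
    @{ Id = '1200'; Name = 'Run ActiveX controls and plug-ins';          Want = 1 },
    @{ Id = '1405'; Name = 'Script ActiveX controls marked safe';        Want = 1 }
)
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Returns $null if the key is missing instead of stopping the script.
$current = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue

$results = foreach ($p in $policy) {
    # A value that is absent from the key is reported as not set.
    $value = $null
    if ($current -and $current.PSObject.Properties[$p.Id]) {
        $value = [int]$current.($p.Id)
    }

    if ($null -eq $value)               { $shown = '(not set)' }
    elseif ($label.ContainsKey($value)) { $shown = $label[$value] }
    else                                { $shown = "Other ($value)" }  # not one of the three above

    New-Object PSObject -Property @{
        Action      = $p.Id
        Setting     = $p.Name
        Current     = $shown
        Recommended = $label[$p.Want]
        Compliant   = ($value -eq $p.Want)
    }
}

# One row per ActiveX action; Compliant is False for anything looser,
# stricter or unset compared with the recommendation.
$results | Format-Table Action, Setting, Current, Recommended, Compliant -AutoSize
```

The script changes nothing. Settings enforced through Group Policy are stored under a separate Policies key and are not read here.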

Microsoft's ActiveX Resources

Use Another Browser

Firefox Recommended

I strongly recommend that you use another browser to surf the web (Firefox recommended). Only use Internet Explorer for Windows Update and where absolutely necessary. The IE View Firefox addon allows you to open the page currently displayed in Firefox in Internet Explorer (Windows only), allowing you to use Firefox without worrying that you'll come onto a page that requires Internet Explorer (a rare event these days).

www.RussHarvey.bc.ca/resources/windowssecurity.html
Updated: May 9, 2013