Russ Harvey Consulting - Computer and Internet Services

Windows Security

Vulnerabilities in Windows

Fake Warnings | Windows Alternatives
Keep Windows Updated

A short chain with an open link representing how weaknesses in Windows can affect the vulnerability of other Windows software.

All Windows Versions are Vulnerable

Like the obsolete skeleton key, the security in Windows appears to protect you, but it cannot deal with a determined attack without some external help.

Windows was designed for ease-of-use rather than security which is why third-party security (anti-virus) software has been essential for Windows computers long before other operating systems.

ALL versions of Microsoft Windows are vulnerable but especially those that are no longer supported by Microsoft because they no longer receive security updates.

Legacy Windows More Vulnerable

The zero-day exploits that have already been patched in currently-supported versions of Windows make legacy (unsupported) Windows versions even more vulnerable.

While newly-discovered exploits are patched in current Windows versions, unsupported Windows versions don't receive security updates and therefore remain vulnerable even to known weaknesses.

Windows "Ease-of-Use" is a Trade-off

Windows was built to be easy to use, apparently with security a casual afterthought — at least in versions earlier than Vista. The trade-off is between security and ease of use.

Consider the following analogies when deciding that "easier is better" in your computing experience:

A Vehicle Analogy

For years people insisted on using Internet Explorer as their primary browser even though it was known to be far more insecure than most.

Using Internet Explorer in Windows was like leaving your car parked downtown overnight with the doors unlocked, the windows rolled down and the keys in the ignition, then wondering why your car is gone in the morning.

Installing updates and alternatives to programs built into Windows is inconvenient, but consider why your car has those inconvenient locks, airbags and seat belts. Cars once came without all these, yet they are now universally installed — for a very good reason.

Fortunately, Internet Explorer is now mostly gone.

An Apartment Analogy

The front door key to an apartment building is the same for everyone.

What if the building supervisor also provided the same key for every apartment and allowed you to think that your apartment key was unique?

Access for maintenance would be easier, but your unit's physical security would be severely compromised.

Windows Highly Integrated

Similarly, various Windows components and Microsoft Office products are highly integrated, making everything function smoothly. Because of that interoperability, weaknesses in one program (or component) can quickly spread to others.

For example, vulnerabilities in Internet Explorer spread to Outlook because components of IE were used to display the HTML (or “enhanced”) email content. Microsoft “fixed” this by making MS Word (which is also vulnerable) responsible for the HTML content.

I recommend using an email program and web browser that isn't tightly integrated with other Windows components to prevent transferring that weaknesses.

The Dangers of Administrator Privileges

Most Windows computers only have one account which runs with full administrator privileges. Lesser accounts are available, but are difficult for most users to manage.

At the very least, you should provide only limited access accounts for your children and ensure that the Administrator accounts are protected by decent passwords.

Linux Security is Better

Most Linux users are much more aware of these dangers and tend to create a separate user account from the administrator account. More recent versions of Linux provide a much easier interface, even for beginners, but the requirement for the administrator password helps to secure the system.

Changes to the system such as installing or updating software require the administrator's password, even in the basic Linux install.

While Windows is less secure than Linux, this allows for easier installs, upgrades and exchange of information.

User Account Control

With the release of Windows Vista, Microsoft added the User Account Control (UAC). Unfortunately, it became known for its intrusive nature.

UAC in Windows 7 was somewhat less intrusive but allowed the user to choose a lesser level of security. Reducing your security level leaves you more vulnerable because this is like deciding to buckle up your seat belt after you are in a serious car collision.

Vulnerabilities Are Relative

In addition to Windows, Linux and Mac also have vulnerabilities, as do browsers, email and other programs.

Be wary of comparisons of how many vulnerabilities rather than the severity of the security breach. One serious system-wide vulnerability can be much more dangerous than dozens of small potential weaknesses.

Return to top

Fake Warnings & Malicious Software

You cannot trust everything warning or error message that pops up on your screen. Malicious software and fake warnings are commonly used to get around Windows protections.

Stop. Think. Connect.

Before you click on a link or download software from a source other than the vendor, Stop and think before you connect.

Learn how your security software responds to threats so you can identify fake threats.

Beware of the Human Factor

People are too trusting. Social engineering and is used to get you to click on unsafe links in emails and social media.

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

 

A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests."
Wikipedia

Exploiting Our Fears

The “I Love You” virus illustrated this human factor by exploiting the human need for approval.

We are more likely to open an email (or click on a advertising link) that appeals to our need for approval or caters to our fears.

This is a significant factor in the use of “personalized ads” (advertising that uses information gathered to improve the success of targeted ads based upon metadata.

Obfuscated Links

Facebook shares responsibility in the matter because they have allowed ads that employ the “fear of missing out” combined with innate human curiosity to exploit users via obfuscated links in ads and posts that promote fake news.

An obfuscated URL is a URL that has been modified to conceal the legitimate location of a web-based resource, such as a website or server.
F-Secure

By obfuscating the link, users cannot determine the true destination of the link before clicking on it. This is a technique commonly used by spammers and phishing emails.

We should be able to expect better from a social media giant like Facebook.

Fake Windows Update

Some malware is designed to look like Windows Update or Microsoft installer.

Security researchers have dissected a recently emerged ransomware strain named 'Big Head' that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers.

 

During the encryption, the ransomware displays a screen that purports to be a legitimate Windows update.
BleepingComputer

Fake Virus Warnings

Virtually all notices that suddenly appear on your screen warning about dozens or hundreds of infections on your computer are probably scamming you into downloading a genuine infection or selling you a bogus service.

Never call a phone number listed in “an error message.” Microsoft doesn't include phone numbers in its legitimate error messages.

All such warnings are fraudulent. There is no way for websites to detect viruses on your computer. That is the purpose of your security software.

Virtually all popup warnings that won't go away or warnings about dozens or hundreds of vulnerabilities on your computer are scams. It is difficult for many users to determine what a “legitimate” site looks like.

Learn how your security software reacts to a genuine threat. Anything else is a spoof (threat) rather than a warning about any real danger.

No, It's Not Microsoft Phoning You

If you receive a phone call telling you that your computer is at risk, hang up.

They are NOT Microsoft (or anyone legitimate). They want:

  • information about your computer and online accounts;
  • remote access to your computer for malicious purposes; and
  • your credit card information.

Their goal is to scam you. Simply hang up.

Educate Yourself About the Risks

Recommended Windows Software lists software I recommend to my clients.

Review the Computer & Internet Security pages to learn how to protect yourself and your family while online.

Guard Physical Access to Your Computer

Anyone with physical access to your computer can make changes to Windows or visit areas on the Web that pose a risk to your computer.

In addition, malicious access to your computer can be achieved by plugging in an insecure removable storage devices (e.g., a thumbdrive) containing malicious software.

Computer systems have been exploited by mailing CDs or leaving USB thumb drives in a company parking lot. Someone is going to plug them into their computer and release whatever troublesome gremlins they contain.

If you provide someone with remote access to your computer (usually by calling a phone number on a fake error message or via a phishing email) but can also be an unexpected “computer support” phone call.

I don't use remote access to service client computers and disable remote access by default to prevent this sort of fraud.

Be sure to take care when choosing the people you allow to work on your computer. Do NOT allow your children (or their friends) unsupervised access to your computer.

I strongly recommend a written security policy for your family and/or your employees so that everyone is clear who has permission to do what on your computers and network.

Always Install Windows Critical Updates

Windows Update improves the security of your Windows system. To protect yourself from many of these vulnerabilities make sure you have the latest security patches for Windows and Office products you have installed.

Microsoft Trickery

Unfortunately, Microsoft used the Windows Update as a means to move unsuspecting Windows 7 and 8 users into Windows 10 (and later Windows 10 users to Windows 11).

Sometimes a small portion of the screen has options before Windows fully loads, which makes it difficult to understand the options. This is either poor programming or, more likely, an attempt to trick users into actions they don't understand.

Many then turned off Windows Update completely, leaving themselves vulnerable to zero-day vulnerabilities that have been patched.

Using a version of Windows that is no longer supported?
You need to take it offline to be able to use it safely.

Restore Windows Update

If you turned off Windows Update because of underhanded Microsoft trickery, that threat is no longer present and you should restore the default settings to update automatically.

Microsoft has no one but themselves to blame for the folks that abandoned Windows and moved to either mobile devices or computers running Linux and macOS.

Still, if you wish to remain in the Windows environment, a currently supported Windows version is your only option.

Uninstall Unused or Unsupported Software

Uninstall unused or obsolete (unsupported) software. This removes potential vulnerabilities.

One of the disturbing issues in Windows is that some of the embedded software creates its own entry points for problems. Internet Explorer is the most visible example, retained in Windows 10 to view legacy websites which should have been upgraded or abandoned.

Is Your Computer Mission Critical?

Microsoft tends to run all their updates once a month on “patch Tuesday.” The downside to this is that some updates in large batches can create problems (thankfully, relatively rare but not unknown).

For this reason, some administrators of “mission critical” systems wait to find out if there are problems with patches before updating.

This is not recommended for home users because downtime due to such problems are an inconvenience, not something that will put lives or critical systems in jeopardy.

Weekly Maintenance Routine

Updates should be part of your weekly maintenance routine.

As well as updates to Windows, you should be checking for updates to all the programs on your computer — especially your security software.

Updating Your Security Software

Your security software should be downloading and installing updates to the virus signatures automatically and at least daily.

A 2004 study conducted by Symantec determined that the time from release of a patch and the release of malicious code designed to exploit it is was only 5.8 days. At that time, weekly updates were a bare minimum. I assure you that the Internet has only become less friendly since then.

Windows Critical Updates

Windows has a Windows Critical Updates notification/installation utility. Most users should use Automatic Windows Updates.

I'd suggest at least being notified and install them as soon as you are able. Delays can be costly.

Windows Updates Options

Windows Updates are classified as Important updates and Recommended updates.

Always install the Critical Updates and Service Packs when available. These are considered vital to the safety of your Windows system.

Recommended Windows Updates may deal with specific issues some users are having. If you have no need for optional updates, don't install them.

Windows Update can also check for updates to Microsoft Office, other Windows components and hardware.

Driver Updates Alternatives

Driver Updates may fix a problem with hardware, but I have experienced some Microsoft driver updates corrupting my Windows installations. System Restore provides a recovery solution if such a problem arises.

You might wish to go to the component manufacturer's site to check for an update, particularly for video driver updates.

However, avoid third-party driver update software that are not authorized by the vendor. Many of these sites accept uploads from unknown users that may include beta or even unauthorized drivers which could cripple your computer.

Return to top

Windows Alternatives

Other operating systems such as Linux and Apple's macOS offer fewer problems when it comes to virus propagation and other security issues.

This is partly due to their relative smaller footprint in the computer world and partly due to better design.

That doesn't mean that security software and precautions are unnecessary.

Since macOS and iOS have increased in popularity, Apple computers have received more attention from hackers and malicious software. It is strongly recommended that you install and maintain security solutions specific to your operating system to remain safe.

There are also lesser-known operating systems that may prove useful to your needs. Generally, these are not suitable for folks that are technically less advanced.

Vulnerabilities Still Exist

ALL software (including operating systems) have vulnerabilities. Even if you move to an alternate to Windows you'll have to update and monitor vulnerabilities.

Moving from Windows also means you'll experience a learning curve, but perhaps that is an acceptable cost. The main deterrent for most folks is either gaming software or expensive software licensed only for Windows.

Return to top

 

Keep Windows Updated

Updates & Service Packs

You should be running Windows Update automatically (unless your computer is mission critical) and have the most recent Service Pack (SP) installed for your version of Windows.

Discontinue Using Unsupported Windows Versions

When support is discontinued for a specific version of Windows, it means that Microsoft will no longer provide support or security updates, leaving your computer vulnerable.

Legacy (unsupported) Windows versions should no longer be run and you need to check out your alternatives.

If you need to run legacy (unsupported) versions of Windows, be sure to take them offline.

Learn more about the Windows support lifecycle.

Windows Updates

While it is possible to continue to download updates or check for them manually, there is no reason to do so in these days of always-connected computers.

Automatic Windows Updates ensure that you get timely updates. Many vulnerabilities are used by unscrupulous folks even if the vulnerability is not announced when a patch (update) is released.

Personal Choices are Important

There are a multitude of choices that you make (or can make) that will affect how secure your computer is.

You should be concerned about your privacy as well as the safety of your children while on-line.

You will find Bruce Schneier's discussion about Safe Personal Computing informative even though it is quite dated.

Related Resources

On this site:

Found this resource useful?
Buy Me A Coffee

 

Return to top
RussHarvey.bc.ca/resources/windowssecurity.html
Updated: December 19, 2023