If your PC picks up a virus, whose fault is it?
Summary: Want to avoid being attacked by viruses and other malware? Two recent studies reveal the secret: regular patching. A fully patched system with a firewall enabled offers almost complete protection against drive-by attacks and outside intruders.
Want to stay safe online? Update your software. All of it.
Two recent studies add tremendous evidence to support the notion that regular patching is the single most important element in any security program. In fact, a fully patched system with a firewall enabled offers almost complete protection against viruses, worms, and other malicious software being installed without user interaction.
First up is an exhaustive two-year study that was completed last year but only recently published. The study's results were presented by independent security researcher Craig S Wright at the Computer Audit Control Security conference in Australia last month. (A copy of the full report is available in the SANS Reading Room.)
The test involved more than 640 hosts running Windows XP Professional with no third-party applications and with auto-updating disabled. With the Windows firewall turned off, the mean time before a host was compromised was just over 18 hours, with the Conficker worm doing more than its fair share of damage.
Also read:
- Trojans, viruses, worms: How does malware get on PCs and Macs?
- Why malware networks are beating antivirus software
- Stay safe online: 5 secrets every PC (and Mac) owner should know
But once a firewall was turned on—the default configuration for every Windows system shipped in the past seven years—the numbers changed dramatically:
With the firewall enabled, the mean survival time of the Windows XP SP2 systems increased to 336 days. No system with this control enabled was compromised in less than 108 days.
And even that vastly improved number overestimates the extent of the problem. Remember, these sample PCs had auto-updating disabled. So how were outside attackers able to break in?
In the results of the 640 hosts that were used for this experiment, no system was compromised with a zero-day attack. Many new and novel attacks against known vulnerabilities did occur, but not a single compromise was due to an unreported vulnerability. Further, no attack without a patch was used to compromise any of the systems. This means that if the systems had been patched, none of the attacks would have succeeded.
That study covered Windows XP, but the report notes that the conclusions should apply to Windows Vista and Windows 7 equally well.
In an additional experiment, the researchers deliberately configured Windows XP SP2 systems with a set number of critical vulnerabilities (chosen from the SANS Top 20 vulnerability list) and left those hosts unpatched. The results?
[T]he greater the number of vulnerabilities that a system has, the faster it is compromised. No system with six (6) or more unpatched network accessible vulnerabilities remained uncompromised for more than 15 days. A compromise occurred in as little as four (4) days on systems with two (2) vulnerabilities. A system with no critical vulnerabilities can be expected to survive for several months even without administrative interaction ...
As the report notes, each of these vulnerabilities was known. Proper patching and anti-malware or other system security software would have stopped the attacks cold.
That study deliberately left out human interaction. So what's the risk from drive-by attacks in Web browsers?
A second study, conducted over a three-month period this year in Denmark by CSIS Security Group, examined that very question. The researchers collected real-time data from a sample of more than 500,000 user exposures to poisoned web sites. These sites were rigged using so-called exploit kits—underground tools used by criminals to exploit vulnerabilities in popular software. According to CSIS, this type of attack accounts for up to 85% of all virus infections in the wild.
The result? Users who were infected became victims because they were missing security updates, typically for third-party programs.
On the basis of the total statistical data of this study it is documented that the following products are frequently abused by malware in order to infect Windows machines: Java JRE, Adobe Reader / Acrobat, Adobe Flash and Microsoft Internet Explorer.
The most striking part of all is the list of vulnerabilities used by these exploit kits. Of the 12 entries that made up the list, five had been patched a full year earlier, and half involved vulnerabilities that had been identified and fixed between 2004 and 2008.
The authors conclude: "[A]s much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages."
Windows Update covers the specific Microsoft vulnerabilities in that study. The real weak link is in third-party software, especially Adobe products and Oracle's Java. If you want to maintain a secure computing environment, make sure those products are updated regularly.
Talkback
RE: If your PC picks up a virus, whose fault is it?
"Good old" Adobe and Java strike, yet again.
You forgot IE.
So should anyone start saying that people should uninstall Java and Adobe software...
RE: If your PC picks up a virus, whose fault is it?
Except that Acrobat and Flash auto-update too.
So if IE gets an exemption for being auto-updated, so do both Acrobat and Flash.
I'd probably agree with uninstalling the JRE though. The only way I manage to keep my Java up-to-date is by watching Oracle's site manually.
RE: so do both Acrobat and Flash.
The difference is that many people ignore the tray icons that notify updates of plug ins like Acrobat, Flash, Java and others. I cannot tell you how many machines I run into that are fully patched with Microsoft Critical and Security updates but as soon as you get into Windows the little Java tray icon and Adobe Tray Icon are there saying an update is available and the computer is a few revisions behind. When you talk to the owner they say "I have no idea what that was so I ignored it"
It is for that reason that I have become a fan of a free software called Secunia PSI that does a lot of this critical update checking and patching automatically.
Weird - my Flash updater launches a dialog box!
Flash tells me in no uncertain terms whenever it needs updating, immediately after I login.
RE: If your PC picks up a virus, whose fault is it?
If you've got a company network then you can push out some updates, Adobe Reader and Acrobat in particular, through Group Policy. But if you really care about this stuff there are many patch management products which allow you to push out and manage updates to all these products on your own schedule.
By the same token, if you have a company network you should be locking down client systems to prevent as much risky behavior as you can. So when Ed asks whose fault it is when *your* computer gets compromised, one of the possible answers is IT.
How do you run Windows Update, then?
"A dialog box at login isn't an automatic update. I go weeks sometimes without logging off or shutting down. I'll never see that warning in that time."
You'll see the warning immediately after Windows Update runs, though. Or do you ignore Patch Tuesdays too?
RE: If your PC picks up a virus, whose fault is it?
F**king Adobe Reader - Crashed my W7!
It never got back. A blue screen and a wide error code suggest to me that something in the kernel or a core file wasn't updated properly and crashed everything. Worse: the Startup Repair can't repair it, and for some reason the installer says that version of the program isn't compatible with my version of Windows (is it kidding!? It's the same DVD!).
Anyway, after a long fight and much research the only solution was to reinstall everything, and it didn't work as in XP, where it wipes out system files and everything else stays as before. Nope. It did a clean install, messing up the drive letters.
Conclusion: I've spent 2 days restoring the system and applications, moving around about 100GB of files between partitions, downloading 1GB of updates, downloading a zillion emails through IMAP to Win Live Mail, etc etc etc etc.
Thanks Adobe. Go to the h3ll !
Adobe's frequent updates annoy me, BUT...
- how often I need to patch a serious/critical bug,
- the duration between learning about a bug, and having that bug patched.
Software that needs critical bugs patching every month is not of high quality! It's only when the critical bugs become rare that I dare to believe all of the "low hanging fruit" have been found and fixed. We certainly aren't there yet with either Java, Flash or I.E. - the current torrent of critical patches is evidence of that! I'm grateful that none of my machines has I.E. installed, but the constant stream of Flash patches sickens me. I get updates immediately from Adobe's Yum repository, but that's not the point: Flash is over 10 years old and I expect it to be more mature by now. Unfortunately for me, Flash is required on two of my "must have" sites, so I'm effectively stuck for now. But I don't need Adobe's reader at all, thanks to PDF being an Open Standard.
Which just leaves Java...
RE: If your PC picks up a virus, whose fault is it?
BULLPLOP! I have Adobe Reader installed on the two computers my parents use (Windows 7 64-bit based) and I installed those updates no problem.
Tell me this: cleaned your registry using something like Baku lately? If not, that is most likely your issue here.
RE: If your PC picks up a virus, whose fault is it?
I've heard that so many times X(.
Automatic updates should be AUTOMATIC, not "let's get a bit of permission first."
Yes
The necessity in running AV software is in itself a big failure.
Whose fault is the problem? The people who write and spread the malware, of course, and Microsoft for making a platform without proper security.
RE: If your PC picks up a virus, whose fault is it?
"Software that needs critical bugs patching every month is not of high quality."
Wrong. There is no goddamned way that Microsoft, Apple, etc. are going to be able to think of EVERY SINGLE WAY that someone might attack the browser and/or catch every single mis-type/hole before a bad guy finds them or a white hat finds them.
Just IMPOSSIBLE with the sheer amount of code in Windows XP to 7. I M P O S S I B L E!
Sorry if you don't like that fact.... but it is just a fact!
The number of critical bugs is expected to tail off over time.
RE: If your PC picks up a virus, whose fault is it?
If my PC picks up a virus, it's the ISP's fault.
Shops have shoplifting detectors, why don't ISPs have virus detectors? After all, what good does it do to let viruses through to your customers?
RE: If your PC picks up a virus, whose fault is it?
I'm gonna have to say no. ISPs are kinda like the toll booths on the interstate. They give you access, but can't be held responsible for what happens on the road.