If your PC picks up a virus, whose fault is it?

Summary: Want to avoid being attacked by viruses and other malware? Two recent studies reveal the secret: regular patching. A fully patched system with a firewall enabled offers almost complete protection against drive-by attacks and outside intruders.

Want to stay safe online? Update your software. All of it.

Two recent studies add tremendous evidence to support the notion that regular patching is the single most important element in any security program. In fact, a fully patched system with a firewall enabled offers almost complete protection against viruses, worms, and other malicious software being installed without user interaction.

First up is an exhaustive two-year study that was completed last year but only recently published. The study's results were presented by independent security researcher Craig S Wright at the Computer Audit Control Security conference in Australia last month. (A copy of the full report is available in the SANS Reading Room.)

The test involved more than 640 hosts running Windows XP Professional with no third-party applications and with auto-updating disabled. With the Windows firewall turned off, the mean time before a host was compromised was just over 18 hours, with the Conficker worm doing more than its fair share of damage.

But once a firewall was turned on—the default configuration for every Windows system shipped in the past seven years—the numbers changed dramatically:

With the firewall enabled, the mean survival time of the Windows XP SP2 systems increased to 336 days. No system with this control enabled was compromised in less than 108 days.

And even that vastly improved number overestimates the extent of the problem. Remember, these sample PCs had auto-updating disabled. So how were outside attackers able to break in?

In the results of the 640 hosts that were used for this experiment, no system was compromised with a zero-day attack. Many new and novel attacks against known vulnerabilities did occur, but not a single compromise was due to an unreported vulnerability. Further, no attack without a patch was used to compromise any of the systems. This means that if the systems had been patched, none of the attacks would have succeeded.

That study covered Windows XP, but the report notes that the conclusions should apply to Windows Vista and Windows 7 equally well.

In an additional experiment, the researchers deliberately configured Windows XP SP2 systems with a set number of critical vulnerabilities (chosen from the SANS Top 20 vulnerability list) and left those hosts unpatched. The results?

[T]he greater the number of vulnerabilities that a system has, the faster it is compromised. No system with six (6) or more unpatched network accessible vulnerabilities remained uncompromised for more than 15 days. A compromise occurred in as little as four (4) days on systems with two (2) vulnerabilities. A system with no critical vulnerabilities can be expected to survive for several months even without administrative interaction ...

As the report notes, each of these vulnerabilities was known. Proper patching and anti-malware or other system security software would have stopped the attacks cold.

That study deliberately left out human interaction. So what's the risk from drive-by attacks in Web browsers?

A second study, conducted over a three-month period this year in Denmark by CSIS Security Group, examined that very question. The researchers collected real-time data from a sample of more than 500,000 user exposures to poisoned web sites. These sites were rigged using so-called exploit kits—underground tools used by criminals to exploit vulnerabilities in popular software. According to CSIS, this type of attack accounts for up to 85% of all virus infections in the wild.

The result? Users who were infected became victims because they were missing security updates, typically for third-party programs.

On the basis of the total statistical data of this study it is documented that following products frequently are abused by malware in order to infect Windows machines: Java JRE, Adobe Reader / Acrobat, Adobe Flash and Microsoft Internet Explorer.

The most striking part of all is the list of vulnerabilities used by these exploit kits. Of the 12 entries that made up the list, five had been patched a full year earlier, and half involved vulnerabilities that had been identified and fixed between 2004 and 2008.

The authors conclude: "[A]s much as 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages."

Windows Update covers the specific Microsoft vulnerabilities in that study. The real weak link is in third-party software, especially Adobe products and Oracle's Java. If you want to maintain a secure computing environment, make sure those products are updated regularly.

Talkback

170 comments
  • RE: If your PC picks up a virus, whose fault is it?

    An interesting article Ed. :)

    "Good old" Adobe and Java strike, yet again.
    lehnerus2000
    • You forgot IE.

      @lehnerus2000
      I believe the full sentence read:
      "[the] following products frequently are abused by malware in order to infect Windows machines: Java JRE, Adobe Reader / Acrobat, Adobe Flash and *Microsoft Internet Explorer*." (my emphasis).

      So should anyone start saying that people should uninstall Java and Adobe software...
      Zogg
      • RE: If your PC picks up a virus, whose fault is it?

        @Zogg: Of course, IE is automatically updated via Windows Update, addressing any vulnerabilities. Which brings us right back to @lehnerus2000 and Ed's point: Third-party products such as Adobe and Java are problematical, and need special attention.
        Johnula
      • Except that Acrobat and Flash auto-update too.

        @Johnula
        So if IE gets an exemption for being auto-updated, so do both Acrobat and Flash.

        I'd probably agree with uninstalling the JRE though. The only way I manage to keep my Java up-to-date is by watching Oracle's site manually.
        Zogg
      • RE: so do both Acrobat and Flash.

        @Zogg

        The difference is that many people ignore the tray icons that notify updates of plug-ins like Acrobat, Flash, Java and others. I cannot tell you how many machines I run into that are fully patched with Microsoft Critical and Security updates but as soon as you get into Windows the little Java tray icon and Adobe Tray Icon are there saying an update is available and the computer is a few revisions behind. When you talk to the owner they say "I have no idea what that was so I ignored it."

        It is for that reason that I have become a fan of a free software called Secunia PSI that does a lot of this critical update checking and patching automatically.
        bobiroc
      • Weird - my Flash updater launches a dialog box!

        @bobiroc
        Flash tells me in no uncertain terms whenever it needs updating, immediately after I login.
        Zogg
      • RE: If your PC picks up a virus, whose fault is it?

        @Zogg A dialog box at login isn't an automatic update. I go weeks sometimes without logging off or shutting down. I'll never see that warning in that time.

        If you've got a company network then you can push out some updates, Adobe Reader and Acrobat in particular, through Group Policy. But if you really care about this stuff there are many patch management products which allow you to push out and manage updates to all these products on your own schedule.

        By the same token, if you have a company network you should be locking down client systems to prevent as much risky behavior as you can. So when Ed asks whose fault it is when *your* computer gets compromised, one of the possible answers is IT.
        Larry Seltzer
      • How do you run Windows Update, then?

        @larry
        "A dialog box at login isn't an automatic update. I go weeks sometimes without logging off or shutting down. I'll never see that warning in that time."

        You'll see the warning immediately after Windows Update runs, though. Or do you ignore Patch Tuesdays too?
        Zogg
      • RE: If your PC picks up a virus, whose fault is it?

        @Zogg
        I think the auto updating problem is simply put "PEBCAK" (Problem Exists Between Chair And Keyboard) and the fact that these updaters for Adobe and Java do not run automatically but depend on users to WANT to run them. I am not a big fan of updaters because they run in the background all the time and can slow down system performance. Flash sites like "You Tube" are great because they will at least inform you that your Adobe Flash is out of date and essentially force you to update the software. That is my 2 Cents Worth...

        And by the Way, Your emphasis about IE is accurate in my book. I have yet to see an IE that does not allow "Drive by Downloads". I do Malware Removal at a tech shop and Find that the Systems that use IE as their primary browser (compared to Mozilla and/or Chrome) will have nastier malware such as rootkits, hijackers, rogue-antimalware suites, so forth.

        Though I will not argue that some consumers that just want to turn it on and not worry about updates will have the issues that Ed is presenting here in a mostly correct context but skewed in the fact that they depend on user interaction to be updated. Were Windows Updates done in a similar fashion such as in the pre-XP days (might be pre-2000. hmm...).
        Daschmi
      • F**king Adobe Reader - Crashed my W7 !

        @Zogg The day before yesterday Adobe Reader installed an update (YES, ANOTHER ONE) and asked me to restart my PC.
        It never got back. A blue screen and a wide error code suggests to me that something in kernel or any core file wasn't updated properly and crashed everything. Worst: the Startup Repair can't repair it and for some reason the installer says that version of program isn't compatible with my version of Windows (is it kidding!? - It's the same DVD!).
        Anyway, after long fighting and researching the only solution was to reinstall everything and it didn't work as in XP where it wipes out system files and everything keeps as before. Nope. It did a clean install messing the drives letters.
        Conclusion: I've spent 2 days restoring system, applications, moving around about 100GB of files between partitions, downloaded 1GB of updates, downloaded a zillion emails through IMAP to Win Live Mail, etc etc etc etc.
        Thanks Adobe. Go to the h3ll !
        nanomartin
      • Adobe's frequent updates annoy me, BUT...

        I consider two metrics for software quality:
        - how often I need to patch a serious/critical bug,
        - the duration between learning about a bug, and having that bug patched.

        Software that needs critical bugs patching every month is *not* of high quality! It's only when the critical bugs become rare that I dare to believe all of the "low hanging fruit" have been found and fixed. We certainly aren't there yet with either Java, Flash or I.E. - the current torrent of critical patches is evidence of that! I'm grateful that none of my machines has I.E. installed, but the constant stream of Flash patches sickens me. I get updates immediately from Adobe's Yum repository, but that's not the point: Flash is over 10 years old and I expect it to be more mature by now. Unfortunately for me, Flash is *required* on two of my "must have" sites, so I'm effectively stuck for now. But I don't need Adobe's reader at all, thanks to PDF being an Open Standard.

        Which just leaves Java...
        Zogg
      • RE: If your PC picks up a virus, whose fault is it?

        @Zogg
        Stupid forum software deleted my reply (it was here last night).

        IE comes in at #4.
        I didn't mean to imply that IE was 100% safe, what browser is?
        I use Firefox.

        The browser doesn't matter, if the problem is with Adobe and/or Java software.

        Zero Day
        37 percent of users browsing the Web with insecure Java versions
        http://www.zdnet.com/blog/security/37-percent-of-users-browsing-the-web-with-insecure-java-versions/9541

        You don't have to uninstall them, if you never install them. ;)

        @Johnula
        I didn't have anything to say about IE because I haven't used it for about 5 years and as you point out it gets updated by Windows Update.
        I commented about Adobe and Java because they have been on my PC during that time and they always need updating which is often a pain (especially Flash).
        lehnerus2000
      • RE: If your PC picks up a virus, whose fault is it?

        @nanomartin

        BULLPLOP! I have Adobe Reader installed on the two computers my parents use (Windows 7 64-bit based) and I installed those updates no problem.

        Tell me this: cleaned your registry using something like Baku lately? If not, that is most likely your issue here.
        Lerianis10
      • RE: If your PC picks up a virus, whose fault is it?

        "When you talk to the owner they say 'I have no idea what that was so I ignored it'"

        I've heard that so many times X(.

        Automatic updates should be AUTOMATIC, not "let's get a bit of permission first."
        CobraA1
      • Yes

        and a Windows plagued with second rate security.
        The necessity in running AV software is in itself a big failure.
        Whose fault the problem is? The people who write and spread the malware of course, and Microsoft for making a platform without proper security.
        Mikael_z
    • RE: If your PC picks up a virus, whose fault is it?

      @Zogg

      "Software that needs critical bugs patching every month is not of high quality."

      Wrong. There is no goddamned way that Microsoft, Apple, etc. are going to be able to think of EVERY SINGLE WAY that someone might attack the browser and/or catch every single mis-type/hole before a bad guy finds them or a white hat finds them.

      Just IMPOSSIBLE with the sheer amount of code in Windows XP to 7. I M P O S S I B L E!

      Sorry if you don't like that fact.... but it is just a fact!
      Lerianis10
      • The number of critical bugs is expected to tail off over time.

        @Lerianis10
        "Wrong. There is no goddamned way that Microsoft, Apple, etc. are going to be able to think of EVERY SINGLE WAY that someone might attack the browser and/or catch every single mis-type/hole before a bad guy finds them or a white hat finds them."

        I seem to have touched a nerve... ;-). But I never suggested that software would ever be PERFECT (i.e. has no errors). Simply that over time we expect errors to get fixed, and for the discovery rate of new errors to decrease. Hence high quality software has fewer errors, which become increasingly difficult to find.

        So (e.g.) 10 year old software that is still receiving critical patches every month is *not* high quality. I'm sorry if *you* don't like that, but quite frankly, *tough!*
        Zogg
    • RE: If your PC picks up a virus, whose fault is it?

      @lehnerus2000

      Yeah I just got something called guard online virus (http://www.ihowtoremove.com/guard-online-virus/) anyone know anything about it?
      reviewsgirl
    • If my PC picks up a virus, it's the ISPs fault.

      I would say that the fault lies with the internet service providers. They could, and should, stop all virus activities. So why don't they? Because virus writers also pay for internet connections? Or is it just plain laziness?

      Shops have shoplifting detectors, why don't ISPs have virus detectors? After all, what good does it do to let viruses through to your customers?
      Dukhalion
      • RE: If your PC picks up a virus, whose fault is it?

        @Dukhalion

        I'm gonna have to say no. ISPs are kinda like the toll booths on the interstate. They give you access, but can't be held responsible for what happens on the road.
        Pcdad