The new war against hackers and malware

For a long time Microsoft was reluctant, to the point of obstinacy, about fixing the inherent insecurity of Windows. They weren’t the only ones. Other software outfits still behave that way.

After much pressure and criticism, it finally dawned on Microsoft that their long-term survival depended on getting serious about security. Bill Gates himself made it a formal mandate. Microsoft began to work on security in an organized way, and continues to do so. It’s not perfect, but Windows presents a much tougher target now.

The new attack points: Windows’ soft underbelly

All software contains bugs. Every new program you install increases what’s called the attack surface. Some bugs create chinks in the armor that allow new ways to attack your computer. Microsoft Office itself introduces new vulnerabilities. New flaws are found regularly in Internet Explorer and Firefox. Chrome was riddled with holes when it was first introduced.

Adobe Reader [see below], Flash Player [see below] and many other programs are also more vulnerable than Windows itself. The result has been that most bad guys have shifted their attacks from Windows itself to the programs running on Windows.

Prompt updates are one key to protecting this soft underbelly of Windows PCs, particularly for browsers and other internet-facing programs. Microsoft, Mozilla and Google do a good job staying on top of newly discovered attack points. But not all software companies do.

Secunia PSI

It’s tough to keep all your programs up to date. I install Secunia PSI (Personal Software Inspector) to make it easier. PSI scans your computer and gives you a report of any programs that are not up to date. My score today is 100%.

Update: I didn’t know that Secunia PSI uses Flash. That may explain some of the problems I’ve had with updating Adobe Flash Player. The answer is to be sure Secunia PSI isn’t running when you update Flash Player. You must stop it from the icon in the Taskbar Tray, or use Task Manager to stop the PSI process. More may be required:

PSI uses Flash, and it leaves the old FlashXX.ocx in the “c:\windows\system32\macromed\flash” directory. Sometimes users can simply close all instances of their browsers (make sure they are not still running by checking in Task Manager > Processes) and delete the old FlashXX.ocx file. Sometimes the file is locked. In that case, restart the computer, exit the PSI process from Task Manager > Processes, and delete the old OCX file.
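To see which old FlashXX.ocx files are still sitting in that directory, and which running programs have one loaded (the usual reason the file is locked), a read-only check like the following can be run before deleting anything. This is an added example, not part of the original post or any Adobe or Secunia tool; the function name Get-FlashOcxReport is made up for illustration and the script assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Read-only audit: nothing is
# stopped or deleted. Assumes PowerShell 3.0 or later.
function Get-FlashOcxReport {
    param(
        # Directory named in the post; pass another path to inspect a copy.
        [string]$Directory = (Join-Path $env:windir 'System32\Macromed\Flash')
    )
    if (-not (Test-Path -LiteralPath $Directory)) { return }

    # Map OCX file name -> processes that currently have it loaded.
    # Protected processes refuse module enumeration, and module lists are
    # only reliable for processes of the same bitness as this session;
    # processes that cannot be inspected are skipped.
    $holders = @{}
    foreach ($proc in Get-Process) {
        try {
            foreach ($mod in $proc.Modules) {
                $leaf = [IO.Path]::GetFileName($mod.FileName)
                if ($leaf -like 'Flash*.ocx') {
                    $holders[$leaf] += @("$($proc.ProcessName) (PID $($proc.Id))")
                }
            }
        } catch { }
    }

    # One row per OCX file, with the version read from the file's resources.
    $files = Get-ChildItem -LiteralPath $Directory -Filter 'Flash*.ocx' -File |
        ForEach-Object {
            $vi  = $_.VersionInfo
            $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart,
                       $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            [pscustomobject]@{
                Name     = $_.Name
                Version  = $ver
                Modified = $_.LastWriteTime
                LoadedBy = @($holders[$_.Name]) -join ', '
            }
        }
    if (-not $files) { return }

    # Anything older than the newest control is a leftover from a past update.
    $newest = ($files | Sort-Object Version -Descending | Select-Object -First 1).Version
    $files | Sort-Object Version -Descending |
        Select-Object *, @{ Name = 'Status'
            Expression = { if ($_.Version -lt $newest) { 'Leftover' } else { 'Newest' } } }
}

Get-FlashOcxReport | Format-Table -AutoSize
```

A row marked Leftover with an empty LoadedBy column can normally be deleted right away; if LoadedBy names a browser or PSI, close that program first as described above.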

Dealing with Adobe foibles

Adobe was caught flat-footed by the shifting attacks, and showed the same attitude toward security that Microsoft once did. They have come around to some extent, but their update processes haven’t worked well.

Adobe PDF Reader is a favorite target of attackers.  I switched from Adobe Reader to Nitro PDF Reader (PDF-XChange Viewer is another good alternative) to avoid dealing with Reader updates. The alternative readers start and run much faster anyway. I also go into the preferences menu and disable JavaScript. That makes any PDF reader much more secure, and JavaScript is not needed for viewing most PDF files.

Adobe Shockwave Player: I uninstalled this plug-in as it is rarely needed.

Adobe Flash is a virtual necessity these days though. Many mainstream websites simply won’t work without Adobe Flash Player. So I use it, but the usual way to update Flash Player often fails for me, so I wanted a more reliable process.

I now use Adobe’s manual process to update Flash Plug-ins. It ends up being easier, as well as more reliable than the automatic way.

When an update is available, my first step is to uninstall Flash using Adobe’s special tool. This tool uninstalls Flash from Internet Explorer and Firefox at the same time. Adobe recommends that you restart your computer after that, but I haven’t found it to be necessary.

Then I download the update files for Flash Player directly from Adobe (you need one for IE and one for Firefox), and install them manually. You might find this method necessary too. Here are the links you’ll need for all this:

    1. Update: Be sure that you are logged on to only one Windows user account before you start the steps below. At least for IE. Otherwise when you try to uninstall Adobe Flash Player, it will appear to, but not actually uninstall.
    2. Check your Adobe Flash Player versions (do it from both IE and Firefox).
    3. If you need to update Adobe Flash proceed to this page and find instructions for the steps below. (This link may change. Look in the Help section for Adobe Flash to find instructions.)
    4. Manually uninstall old versions of Flash Player.
    5. Download the latest manual installers for Flash Player (one for IE and one for other browsers) and reinstall Flash.

Google persuaded Adobe to let them have direct control of installing and updating Flash Player for Chrome. Firefox may do the same.

Java is nearly as big a threat as Flash

Don’t confuse Java with JavaScript. They are totally different animals.

A new rash of attacks is now aimed at Java. You may or may not have Java installed on your PC. Java is similar to Flash, but not as widely used by websites. There is only one website that I regularly use that requires it, so I keep Java disabled most of the time. You might want to just uninstall Java. If you later find you need it for something, you can decide if you want to reinstall it.

Oracle has a webpage where you can check to see if you have Java, and if it is up to date. If you have Java installed, you’ll find a Java control in Control Panel. One way to find it is to open Control Panel, and type “Java” (without the quotes) in the Search Control Panel search box.

The Java control gives you the option to set Java to check for updates. I haven’t had as much trouble with Java updates as I have with Adobe Flash updates. If I did, I’d first try uninstalling Java, and then reinstall it. The links below will be useful in managing Java in your browser[s] of choice.

    1. Check to see if you have Java, and if it is up to date.
    2. Disable Java in Internet Explorer.
    3. Disable Java in Firefox.
    4. Disable Java in Chrome.
    5. Uninstall Java.
    6. Mucho importante: Uninstall older versions of Java.

JavaScript

Don’t confuse JavaScript with Java. They are totally different animals.

JavaScript has always been a favorite attack vector. But the majority of websites use JavaScript, and some of them won’t work at all unless you have JavaScript enabled in your browser. It’s just not practical to disable JavaScript.

Each browser—IE, Chrome, Firefox, …—has its own unique JavaScript engine. Right now there’s a big contest to see who can come up with the fastest engine. But that’s beside the point.

Here’s how I personally deal with the JavaScript threat:

  1. I set up Windows 7 so the user normally runs as a Standard User, not an Administrator. This greatly increases immunity to all kinds of threats as well as disabling attack by JavaScript. [more]
  2. For people who would be more confused than protected with a full-on solution: I install Firefox, and add the NoScript extension (plus a few other handy ones that aren’t related to the problem).
    I set the general NoScript option to “Allow Scripts Globally (dangerous)”. That removes some of the protection, of course, but it leaves in place some powerful protection against the worst kinds of attacks.
  3. For myself: I install Firefox and NoScript, but I don’t allow scripts globally.
