For a long time Microsoft was reluctant, to the point of obstinance about fixing the inherent insecurity of Windows. They weren’t the only ones. Other software outfits still behave that way.
After much pressure and criticism, it finally dawned on Microsoft that their long-term survival depended on getting serious about security. Bill Gates himself made it a formal mandate. Microsoft began to work on security in an organized way, and continue to do so. It’s not perfect, but Windows presents a much tougher target now.
The new attack points: Windows’ soft underbelly
All software contains bugs. Every new program you install increases what’s called the attack surface. Some bugs create chinks in the armor that allow new ways to attack your computer. Microsoft Office itself introduces new vulnerabilities. New flaws are found regularly in Internet Explorer and Firefox. Chrome was riddled with holes when it was first introduced.
Adobe Reader [see below], Flash Player [see below] and many other programs are also more vulnerable than Windows itself. The result has been that most bad guys have shifted their attacks from Windows itself to the programs running on Windows.
Prompt updates are one key to protecting this soft underbelly of Windows PCs. Particularly browsers and other internet-facing programs. Microsoft, Mozilla and Google do a good job staying on top of newly discovered attack points. But not all software companies do.
It’s tough to keep all your programs up to date. I install Secunia PSI (Personal Software Inspector) to make it easier. PSI scans your computer and gives you a report of any programs that are not up to date. My score today is 100%.
Update: I didn’t know that Secunia PSI uses Flash. That may explain some of the problems I’ve had with updating Adobe Flash Player. The answer is to be sure Secunia PSI isn’t running when you update Flash Player. You must stop it from the icon in the Taskbar Tray, or use Task Manager to stop the PSI process. More may be required:
PSI uses Flash, and it leaves the old FlashXX.ocx in the “c: \ windows \ system32 \ macromed \ flash” directory. Sometimes users can simply close all instances of their browsers (make sure they are not still running by checking in Task Manager > Processes) and delete the old FlashXX.ocx file. Sometimes the file is locked. In that case, restart the computer, exit PSI process from Task Manager > Processes, and delete the old OCX file.
Dealing with Adobe foibles
Adobe was caught flat-footed by the shifting attacks, and showed the same attitude toward security that Microsoft once did. They have come around to some extent, but their update processes haven’t worked well.
Adobe Shockwave Player: I uninstalled this plug-in as it is rarely needed.
Adobe Flash is a virtual necessity these days though. Many mainstream websites simply won’t work without Adobe Flash Player. So I use it, but the usual way to update Flash Player often fails for me, so I wanted a more reliable process.
I now use Adobe’s manual process to update Flash Plug-ins. It ends up being easier, as well as more reliable than the automatic way.
When an update is available, my first step is to uninstall Flash using Adobe’s special tool. This tool uninstalls Flash from Internet Explorer and Firefox at the same time. Adobe recommends that you restart your computer after that, but I haven’t found it to be necessary.
Then I download the update files for Flash Player directly from Adobe (you need one for IE and one for Firefox), and install them manually. You might find this method necessary too. Here’s the links you’ll need for all this:
- Update: Be sure that you are logged on to only one Windows user account before you start the steps below. At least for IE. Otherwise when you try to uninstall Adobe Flash Player, it will appear to, but not actually uninstall.
- Check your Adobe Flash Player versions (do it from both IE and Firefox).
- If you need to update Adobe Flash proceed to this page and find instructions for the steps below. (This link may change. Look in the Help section for Adobe Flash to find instructions.)
- Manually uninstall old versions of Flash Player.
- Download the latest manual installers for Flash Player (one for IE and one for other browsers) and re install Flash.
Google persuaded Adobe to let them have direct control of installing and updating Flash Player for Chrome. Firefox may do the same.
Java is nearly as big a threat as Flash
A new rash of attacks is now aimed at Java. You may or may not have Java installed on your PC. Java is similar to Flash, but not as widely used by websites. There is only one website that I regularly use that requires it, so I keep Java disabled most of the time. You might want to just uninstall Java. If you later find you need it for something, you can decide if you want to reinstall it.
Oracle has a webpage where you can check to see if you have Java, and if it is up to date. If you have Java installed, you’ll find a Java control in Control Panel. One way to find it is to open Control Panel, and type “Java” (without the quotes) in the Search Control Panel search box.
The Java control gives you the option to set Java to check for updates. I haven’t had as much trouble with Java updates as I have with Adobe Flash updates. If I did, I’d first try uninstalling Java, and then reinstall it. The links below will be useful in managing Java in your browser[s] of choice.
- For people who would be more confused than protected with a full-on solution: I install Firefox, and add the NoScript extension (plus a few other handy ones that aren’t related to the problem).
I set the general NoScript option to “Allow Scripts Globally (dangerous)” That removes some of the protection, of course, but it leaves in place some powerful protection against the worst kinds of attacks.
- For myself: I install Firefox and NoScript, but I don’t allow scripts globally.