Failure to patch third-party applications has become the main reason that Windows machines get infected with malware. Drive-by download attacks from hacker-controlled websites loaded with exploits replaced infected email attachments as the main distribution method for malware somewhere between three to five years ago. At the …
Good to see Java alive and well on the desktop ... I thought people only used it server side....
Nah, personally I love java and its constant pestering to update and install toolbar of the week...
Removing them works as well
And doesn't require constant patching, keep Chrome around for the odd time a website doesn't fall back to HTML when Flash isn't installed and get a third party app for PDFs.
Not a lot of help if you have to run Java apps but most users' only interaction with Java is through malware.
and people castigate apple..
for not putting flash on their systems!!
I think apple knows their user base pretty well eh?
I wouldn't expect them to be the most diligent at patching.
The joys of running plugins without being asked
I've lost two XP machines to drive-by infections. Now with Flashblock and Foxit Reader instead of Adobe on Win 7 I'm *slightly* more confident, but what I really want is the equivalent of Flashblock for all 3rd party plugin content. I really don't think there's a problem in asking me whether I want to load something or not ... that way I'd know if it was in response to something I'd clicked on.
Methinks you need to use a better browser. A mountain bike to your penny farthing, you might say.
"but what I really want is the equivalent of Flashblock for all 3rd party plugin content."
It's called "Browse without add-ons" and it's been available since IE7.
As for preventing "drive-by infections," do you still surf as an administrator? I hope you at least have UAC turned on in Win7.
It's funny; two years on Win7, at least nine years on Win2K and I haven't lost a PC to those jokers, yet everyone around me has nothing but trouble. It's not like I use any secret CIA / MI6 / CSIS techniques. I just use what's built in to Windows and I just don't install garbage that needs admin access to run anymore.
That you know of...
Gordon Fecyk says: "It's funny; two years on Win7, at least nine years on Win2K and I haven't lost a PC to those jokers..."
Any person who has half a clue on how this stuff works can be fairly confident that nothing will happen. I'm in the same boat as Gordon; I've stopped running anti-virus software for years now and I've used nothing but Windows for my OS. The only time I've had any problems is when I carelessly ran dodgy software I downloaded from bittorrent. That was my own fault.
I'm too lazy for an 'alternative' OS.
Title is a bit misleading: are they really to blame? After all, if a carpenter fits a door and advises me to keep and maintain a working lock, is he to blame if I don't put a lock on, or put a lock on and fail to maintain it? Admittedly, Adobe (for example) is both the carpenter and the lock-maker, but they can't - and shouldn't - force anyone to install software on their computer, be it a whole software package or a single security update.
Not that they're not guilty of a thousand other crimes against computer security. It's just that the user has to actively click the Update Now button - it's a choice.
Yes it is their fault...
... if they put on a known faulty lock on in the first place.
Auto-update (for security patches, not feature improvements) should be automatic and the user ought to have to explicitly choose to opt-out, accompanied with appropriately scary warnings. i.e. the sensible behaviour should be the default.
If Windows is your house then do you regularly check to ensure the doors not only have locks that work but also close, latch and keep the draught out?
Do you make sure the gate to the garden is secure or just leave it open?
Do you leave your bins outside the house or have a note asking the dustmen to come in and get it themselves?
Do you invite people selling switch-over deals indoors without at least checking their ID?
Don't blame the house - it's usually the occupant that screws up.
Auto-update for most applications is a disputable reality. It's only a partial solution. As one of the previous comments already mentioned, using a computer with administrative privileges is a bad idea. Maybe more of an issue with WinXP than Win7 but still relevant, and this is definitely an issue that contrasts corporate systems and consumer systems. In most big companies the general user login account is a restricted one, limiting what the user can do, especially when it affects the operating system. It's the responsibility of the IT department to maintain and update things. Most home users use their computers by logging into an account they set up with administrative privileges, most unaware that's not a safe way to do so or some simply not patient enough to have to log out and into an administrative account for occasional maintenance.
Hey, I like the draught!
Elmer Phud says: "If Windows is your house then do you regularly check to ensure the doors not only have locks that work but also close, latch and keep the draught out."
Why would you intentionally buy a door with a faulty lock, especially when there are numerous alternative 'doors'?
So 48% Adobe exploits, 37% Java exploits, 10% IE exploits, 2% Quicktime exploits, leaving 3% of exploits accounted for by World+Dog, which seems to be mostly Microsoft Help & Support HCP. Nasty. Right, I'm off to stackoverflow.... sorry Adobe!
Hackers will go for the largest possible target... A few years ago when 95% of web users ran IE it made an attractive target, now that it is down to 40% it's less interesting.
On the other hand, the programs which are being targeted are still on over 90% of users machines, including those using non-IE browsers.
If these programs had competitors such that the market was split up, then they would be much less attractive targets too. Monocultures are very bad for security.
Another problem that compounds the issue is the lack of a centralised package system on Windows... Every app needs its own crufty update system, which wastes resources and ends up getting turned off. Linux has a much better approach: add your repository to the system package manager and then it will get updated at the same time as everything else.
"Another problem that compounds the issue, is the lack of a centralised package system on windows... "
Last I checked, it was called "Microsoft Systems Installer," or "Windows Installer." Been available for Windows since ME and 2K, and backported as far as Windows 95. Plenty of third-party tools for creating and managing packages too, including patches (MSP).
Making vendors use them, well, that's like herding cats. At least Adobe and Oracle have MSI packages available for their products.
What really hacks me off,
is management having a web based accounting package that depends on a Java version that was already 6 months obsolete (as in not supported, not just not the newest) when I started here over 2 years ago. And no visible plans in sight to fix it.
AC for obvious reasons.
Things are improving…
Once upon a time, it was the OS that was vulnerable. The security issues are slowly rising up the stack, which IMO is a good thing.
Yes, clearly Microsoft is learning, and now Adobe and Oracle must pull their collective fingers out and "fix their $#!t". I see this as the industry moving forward.
The fact that it's Sun (Oracle) Java and Macromedia (Adobe) Flash which are two of the biggest culprits today worries me though, as they're pieces of software that are common to many platforms including MacOS X and Linux, not just Windows.
Fingers crossed we can rid the need of Java and Flash, and can push the (superior) alternative PDF viewers, and that should improve the security landscape quite a bit. (Or it'll just push the crackers to tackle other targets…)
99.8% of what, exactly?
"99.8 per cent of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages"
Umm, yes, that quote does appear in the linked article. However, it is unsupported by the evidence in their pie charts...
3% HCP (Windows Help)
The first five add up to only 98%, not 99.8% and presumably the collection of six has been normalised to 100%, since other vectors exist, so I think either the "5" or the "99.8" must be wrong. Be that as it may...
...Am I alone in being depressed that the original purpose of #1 was to be a sandbox and the original purpose of the next 5 was (or certainly ought to have been) the presentation of dumb content?
Java is a menace, if you have an application that mandates a particular version of Java then you can't update. Obviously this is just sloppy coding that ties an application to a version but it means that corporate desktops are wide open to this kind of attack.
Flash is very nearly as bad. The auto mechanism requires you to be an administrator on your computer. Keeping flash up to date using group policy requires you to constantly check version numbers.
Say what you like about Microsoft but WSUS is a fantastic tool for keeping all your Microsoft software patched across a large deployment of computers.
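The version-checking chore the comment above describes (knowing which Flash, Java, Reader or QuickTime builds are actually installed before pushing a patch through Group Policy or WSUS) can be scripted from the Windows Installer uninstall registry keys. The following is an added example, not code from the thread or from any vendor; the product name patterns in the watch list and the "expected version" table are assumptions to be replaced with whatever is actually deployed.

```powershell
# Added example (not from the original thread): inventory installed software from the
# Windows Installer / Uninstall registry keys and flag the plugin families named in the
# discussion, so installed versions can be compared with the vendor's current release.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: substrings matched against DisplayName; adjust to the products in use.
$watchList = @('Adobe Flash Player', 'Java', 'Adobe Reader', 'QuickTime')

# Assumption: placeholder "expected" versions; fill in from the vendor's release notes.
$expected = @{
    'Adobe Flash Player' = '0.0.0.0'
    'Java'               = '0.0.0.0'
    'Adobe Reader'       = '0.0.0.0'
    'QuickTime'          = '0.0.0.0'
}

function Get-WatchedSoftware {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $entry = $_
            foreach ($pattern in $watchList) {
                if ($entry.DisplayName -like "*$pattern*") {
                    $installed = $entry.DisplayVersion
                    $wanted    = $expected[$pattern]
                    # Version comparison falls back to string compare if parsing fails.
                    $outdated = $false
                    try {
                        $outdated = [version]$installed -lt [version]$wanted
                    } catch {
                        $outdated = $installed -ne $wanted
                    }
                    [pscustomobject]@{
                        Family    = $pattern
                        Name      = $entry.DisplayName
                        Installed = $installed
                        Expected  = $wanted
                        Outdated  = $outdated
                    }
                    break
                }
            }
        }
}

# Usage: list everything on the watch list, outdated entries first.
Get-WatchedSoftware | Sort-Object Outdated -Descending | Format-Table -AutoSize
```

Run it with the machine's normal account rather than an administrator, as the thread recommends; reading the uninstall keys needs no elevation, and the output is what a WSUS or Group Policy rollout decision would be based on.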
And there was me thinking
it was the completely unrealistic Wx security model.
Adobe must be proud
How is it possible that one third-party vendor can be responsible for nearly half of all attacks on an entire software platform? Are they really that bloody useless at coding decent software? That really is incompetence on a staggering, global, level.
MS policy of exclusion is to blame
The important question to ask is why windows update doesn't handle third-party software. Other operating systems have had software-distribution mechanisms which are able to include 3rd-party software since online software distribution took off with the commercialisation of the internet in the 1990s. A system update on any of my systems updates everything regardless of origin except software that I've built and installed from source myself, and it's been like that for more than a decade.
MS still choose the excluding path. It's their choice, but don't blame others for their mess.
Commercially licensed apps?
How many commercially licensed applications are included in those updates you perform?
I really do not see the point in having to approve the license on each and every update, it is madness. Anyway, I have started to use Secunia PSI and that works well in the background, so they appear to have got around the problem.
No word on
Whose fault it is that browser plugins are allowed to do pretty much anything on a windows system, thus allowing for malware to spread that way.
After all, when's the last time there _wasn't_ a zero day adobe reader exploit?