Good to see Java alive and well on the desktop ... I thought people only used it server side....
Java, Adobe vulns blamed for Windows malware mayhem
Failure to patch third-party applications has become the main reason that Windows machines get infected with malware. Drive-by download attacks from hacker-controlled websites loaded with exploits replaced infected email attachments as the main distribution method for malware somewhere between three to five years ago. At the …
-
Wednesday 28th September 2011 09:36 GMT semprance
Title is a bit misleading: are they really to blame? After all, if a carpenter fits a door and advises me to keep and maintain a working lock, is he to blame if I don't put a lock on, or put a lock on and fail to maintain it? Admittedly, Adobe (for example) is both the carpenter and the lock-maker, but they can't - and shouldn't - force anyone to install software on their computer, be it a whole software package or a single security update.
Not that they're not guilty of a thousand other crimes against computer security. It's just that the user has to actively click the Update Now button - it's a choice.
-
-
Wednesday 28th September 2011 15:27 GMT Ed Vim
Auto-update for most applications is a disputable reality. It's only a partial solution. As one of the previous comments already mentioned, using a computer with administrative privileges is a bad idea. Maybe more of an issue with WinXP than Win7 but still relevant, and this is definitely an issue that contrasts corporate systems and consumer systems. In most big companies the general user login account is a restricted one, limiting what the user can do, especially when it affects the operating system. It's the responsibility of the IT department to maintain and update things. Most home users use their computers by logging into an account they set up with administrative privileges, most unaware that's not a safe way to do so, or some simply not patient enough to have to log out and into an administrative account for occasional maintenance.
-
-
Wednesday 28th September 2011 12:12 GMT Elmer Phud
Early doors
If Windows is your house, then do you regularly check to ensure the doors not only have locks that work but also close, latch and keep the draught out?
Do you make sure the gate to the garden is secure or just leave it open?
Do you leave your bins outside the house or have a note asking the dustmen to come in and get them themselves?
Do you invite people selling switch-over deals indoors without at least checking their ID?
Don't blame the house - it's usually the occupant that screws up.
-
-
Wednesday 28th September 2011 09:36 GMT jubtastic1
Removing them works as well
And doesn't require constant patching. Keep Chrome around for the odd time a website doesn't fall back to HTML when Flash isn't installed, and get a third-party app for PDFs.
Not a lot of help if you have to run Java apps, but most users' only interaction with Java is through malware.
-
Wednesday 28th September 2011 09:36 GMT Peter 51
The joys of running plugins without being asked
I've lost two XP machines to drive-by infections. Now with Flashblock and Foxit Reader instead of Adobe on Win 7 I'm *slightly* more confident, but what I really want is the equivalent of Flashblock for all 3rd-party plugin content. I really don't think there's a problem in asking me whether I want to load something or not ... that way I'd know if it was in response to something I'd clicked on.
-
Wednesday 28th September 2011 13:40 GMT Gordon Fecyk
"but what I really want is the equivalent of Flashblock for all 3rd-party plugin content."
It's called "Browse without add-ons" and it's been available since IE7.
As for preventing "drive-by infections," do you still surf as an administrator? I hope you at least have UAC turned on in Win7.
It's funny; two years on Win7, at least nine years on Win2K and I haven't lost a PC to those jokers, yet everyone around me has nothing but trouble. It's not like I use any secret CIA / MI6 / CSIS techniques. I just use what's built in to Windows and I just don't install garbage that needs admin access to run anymore.
-
-
Wednesday 28th September 2011 17:35 GMT Anonymous Coward
Doubt it.
Any person who has half a clue on how this stuff works can be fairly confident that nothing will happen. I'm in the same boat as Gordon; I've stopped running anti-virus software for years now and I've used nothing but Windows for my OS. The only time I've had any problems is when I carelessly ran dodgy software I downloaded from bittorrent. That was my own fault.
I'm too lazy for an 'alternative' OS.
-
-
-
Wednesday 28th September 2011 10:10 GMT Joe Montana
Diversity!
Hackers will go for the largest possible target... A few years ago when 95% of web users ran IE it made an attractive target, now that it is down to 40% it's less interesting.
On the other hand, the programs which are being targeted are still on over 90% of users' machines, including those using non-IE browsers.
If these programs had competitors such that the market was split up, then they would be much less attractive targets too. Monocultures are very bad for security.
Another problem that compounds the issue is the lack of a centralised package system on Windows... Every app needs its own crufty update system, which wastes resources and ends up getting turned off. Linux has a much better approach: add your repository to the system package manager and then it will get updated at the same time as everything else.
-
Wednesday 28th September 2011 15:27 GMT Gordon Fecyk
"Another problem that compounds the issue, is the lack of a centralised package system on windows... "
Last I checked, it was called "Microsoft Systems Installer," or "Windows Installer." Been available for Windows since ME and 2K, and backported as far as Windows 95. Plenty of third-party tools for creating and managing packages too, including patches (MSP).
Making vendors use them, well, that's like herding cats. At least Adobe and Oracle have MSI packages available for their products.
-
Wednesday 28th September 2011 17:20 GMT Anonymous Coward
What really hacks me off,
is management having a web based accounting package that depends on a Java version that was already 6 months obsolete (as in not supported, not just not the newest) when I started here over 2 years ago. And no visible plans in sight to fix it.
Grrr...
AC for obvious reasons.
-
-
Wednesday 28th September 2011 11:10 GMT Ken Hagan
99.8% of what, exactly?
"99.8 per cent of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages"
Umm, yes, that quote does appear in the linked article. However, it is unsupported by the evidence in their pie charts...
37% Java
32% Acrobat
16% Flash
10% IE
3% HCP (Windows Help)
2% Quicktime
The first five add up to only 98%, not 99.8% and presumably the collection of six has been normalised to 100%, since other vectors exist, so I think either the "5" or the "99.8" must be wrong. Be that as it may...
...Am I alone in being depressed that the original purpose of #1 was to be a sandbox and the original purpose of the next 5 was (or certainly ought to have been) the presentation of dumb content?
-
Wednesday 28th September 2011 11:10 GMT Anonymous Coward
Things are improving…
Once upon a time, it was the OS that was vulnerable. The security issues are slowly rising up the stack, which IMO is a good thing.
Yes, clearly Microsoft is learning, and now Adobe and Oracle must pull their collective fingers out and "fix their $#!t". I see this as the industry moving forward.
The fact that it's Sun (Oracle) Java and Macromedia (Adobe) Flash which are two of the biggest culprits today worries me though, as they're pieces of software that are common to many platforms including MacOS X and Linux, not just Windows.
Fingers crossed we can get rid of the need for Java and Flash, and can push the (superior) alternative PDF viewers, and that should improve the security landscape quite a bit. (Or it'll just push the crackers to tackle other targets…)
-
Wednesday 28th September 2011 11:45 GMT Fuzz
Java
Java is a menace: if you have an application that mandates a particular version of Java then you can't update. Obviously this is just sloppy coding that ties an application to a version, but it means that corporate desktops are wide open to this kind of attack.
Flash is very nearly as bad. The auto mechanism requires you to be an administrator on your computer. Keeping Flash up to date using group policy requires you to constantly check version numbers.
Say what you like about Microsoft but WSUS is a fantastic tool for keeping all your Microsoft software patched across a large deployment of computers.
-
Wednesday 28th September 2011 12:35 GMT Anonymous Coward
MS policy of exclusion is to blame
The important question to ask is why Windows Update doesn't handle third-party software. Other operating systems have had software-distribution mechanisms which are able to include 3rd-party software since online software distribution took off with the commercialisation of the internet in the 1990s. A system update on any of my systems updates everything regardless of origin, except software that I've built and installed from source myself, and it's been like that for more than a decade.
MS still choose the excluding path. It's their choice, but don't blame others for their mess.