Posted by Juan, Washington on July 12, 2008:
My concern with Microsoft's automatic updates is that I don't want to be their guinea pig for untested software. I never install updates automatically on the theory that other people will, and will pay the price on my behalf for doing so.
Otherwise, everything you advise is spot on.
Posted by Arnold, Riverside, CA on July 12, 2008:
I just recently installed Microsoft updates for Windows XP, which included a 'security update'. The result was that my system was so secure that I could not access the internet. This however was the exception, I have installed many other updates with no problems, so I would say install the updates and if they don't work back them out and go on.
Posted by Diana, Ontario, Canada on July 14, 2008:
Probably 80-90% of malware infections could be eliminated with two simple steps: (1) stop using Internet Explorer (except for when visiting Windows Update) and switch to a less vulnerable (note that I do not say invulnerable, only less vulnerable!) browser (Opera, Firefox, Safari) instead, and (2) uninstall Outlook Express or Outlook and start using another email program (Thunderbird, Pegasus, Becky, The Bat!, Eudora) instead.
If you can manage to live without MS Messenger (try an alternative like Trillian or Pidgin) as well, that's even better. My parents' computer hasn't had a single malware infection since I switched them over (almost ten years ago now), and I've never had an infection on my personal or work computers. Yes, we run antivirus software as well - the paid version of AVG now, but the free AVG for years previously - but I can barely recall the last time that anything other than a deliberate test file got far enough to set the antivirus off.
To combat spam in particular, another important step that people need to take is to never, ever, ever email anything to multiple email addresses with those addresses displayed in either the "To" or "CC" fields. When emailing a group of people, make your own email address the "To" and put everyone else in the "BCC" field, so that you don't put your acquaintances' email addresses at the risk of someone else's potentially infected computer. Also, it's extremely important to remove all addresses from the body of messages that you're forwarding, for the exact same reason.
(Of course, people should also be checking snopes.com to confirm the validity of "news" items that they feel the need to forward to everyone in their address book because otherwise they're just being spammers themselves!)
---
All of your suggestions are excellent. -rc
Posted by Chris, Melbourne (AU) on July 15, 2008:
Diana of Ontario, your ideas are excellent. (I've been doing and advising the same for years.) Personally, I don't bother with the automatic updates; but anybody with a completely unpatched XP system - and I presume the older Windowses are even more at risk, but I won't say anything about Vista - anybody with unpatched XP on the internet is both foolish and naive.
A couple of weeks ago, my laptop needed to be sent off to Sydney for IBM service. In the meantime, I needed a lappy to take with me on the bus (as an aside, I'm typing this message while sitting on a bus - on my own laptop again - and it runs XP). I borrowed another ThinkPad from a family member, removed the hard drive, and put in a new one. Since I didn't have access to my usual facilities, I just carried a Windows XP install CD with me on the bus, and installed Windows immediately prior to using it. Knowing full well that I was going to be at extreme risk, I strongly restricted the things I did. How long did it take before the system was compromised? About TWO MINUTES. I wish I'd timed it down to the second, because it was so quick that the HH:MM clock on the start bar just wasn't accurate enough to say how long it took.
The next time I needed a spare laptop (I repartitioned and formatted the hard disk as soon as I got home, without connecting the laptop to the network), I installed XP and then applied Service Pack 2. This was an improvement; in fact, it took TWENTY minutes before I was compromised. Wow, a 900% improvement!! But still hardly something I'd recommend. By comparison, I've been using my main laptop for over a year now; when I set it up, it had all Windows updates to that point applied, but I've not applied any more since. So far... not compromised. System's running fine.
So what does this mean? I think it means that there are people out there who port scan huge blocks of IPs, looking for systems that can be attacked by the oldest exploits in the book; the newer exploits aren't worth their while to look for. So if you have a Windows computer, you NEED to apply at least SP2 and all the current "Critical" patches; but Automatic Updates isn't nearly as important.
One point to note: The attacks took place without me ever touching IE, MSN Messenger, Outlook, or any of the above. These are the patches necessary if you want to run Windows with only trusted software. (In this instance, I was running RosMud++, a MUD client written in pure C++, and to which I have the full source - I KNOW that it's not going to cause problems.) If you use Firefox, keep an eye on the updates; if you use IE, you probably need more of the Windows Updates. Don't sue me for advising against WU when you went browsing dodgy sites and got "got" by some rogue ActiveX control! :-)
The unfortunate reality is that Windows core services have MANY vulnerabilities. It's not possible to enumerate them all; the only thing to hope for is that Microsoft release patches for them before TOO many crackers start exploiting them. Alas, Microsoft are none too swift in releasing patches... so the best thing to do, if you're going to use Windows, is to have a combination of a software and a hardware firewall. With that, you may not be 100% safe, but you're pretty close to it.
Posted by Eric, Shrewsbury MA on July 15, 2008:
At work I did an update for Windows XP and it so totally trashed my system IT just gave me a new system rather than fix it.
I decided from that point on I would turn off automatic update at home and I haven't updated since. Of course I have a hardware firewall and run anti-virus software so that runs a lot, but I can't afford to lose my whole system and I'm not turning automatic update on until I get a new computer, if then. Or, until a virus trashes my system more thoroughly than Microsoft Update did.
---
My guess: the earlier trashing happened because the system was already infected by a virus. -rc
Posted by Graham Cluley, Sophos on July 16, 2008:
Yes, you're right that keeping up-to-date with security patches and browser updates helps lessen the chance of infection. Unfortunately, however, many home users still seem to be getting infected by malware which logic suggests that there is no reason for them to get infected by (if they have been practising safe computing tips).
Therefore, it is these home users - who keep getting hit, time and time again - who might want to consider switching to Mac next time they upgrade their PC... not because Apple Macs are better, but simply because there are less bad guys targeting them.
We've tried educating these people about patches and updates and safe computing, and it just hasn't worked... so maybe rather than bashing our heads against a brick wall we should just suggest that they go to a place where they are less likely to get hit in the eye by an arrow.
My name is spelt Cluley by the way, but well done on a very funny pun.
Cheers
Graham Cluley, senior technology consultant, Sophos
---
I have fixed the unintentional misspelling, though left the intentional one; I'm sure you've heard that pun many times, so I appreciate your sense of humor.
Yes, I agree that there are fewer malware authors targeting the Mac platform -- currently. If numbers were to reverse, leaving Windows a tiny portion of the market and Mac strongly dominant, that targeting will also reverse. People will have spent many thousands only to become a target again, putting them back on square 1 -- and leaving us with a problem again. Escalating the war doesn't really solve anything.
A crackpot theory? Nope: before the PC became dominant the Mac was indeed in this position. Viruses were unheard of anywhere but the Mac. I'm not sure how old you are, but I certainly remember it. -rc