Ten years later, Windows XP still dominates the Web

Discussion in 'other software & services' started by tgell, Jan 2, 2012.

Thread Status:
Not open for further replies.
  1. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076

    Hopefully with Windows 8 and Defender built in, that will change.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yeah, I'm hoping that the Windows 8 store will allow you to download applications besides metro apps and handle the updating of those applications similar to how Linux software repos work. This would be incredibly helpful for less computer-savvy users who don't want to (or don't know to) check for updates.
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    If by applications you mean Win32 apps, you can keep dreaming I guess. :p The app store will probably be for WinRT apps only (the new sandboxed apps), which will be auto updated, or have the store tile change to have a digit next to it, representing the amount of updates available, a la Windows Phone.

    This ties into an earlier announcement that Win32 apps will not be auto updated, as it is now, because they aren't tied to the store.
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    That's really a shame.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    From my point of view, the answer is in two parts:

    1) cybercriminals know that the majority of users world wide do not install patches. (IE6 users who installed the MS06-014 patch were/are immune from this exploit.)

    The Conficker worm is a more recent sensational example, and in my Post #94 above, I quoted Microsoft's complaint that the patch for the vulnerability MS08-067 had been released one month before the arrival of Conficker.

    2) cybercriminals know that the average user does not have security in place to block the download/installation of the malicious executable payload.​

    See my Post #208 above for catching this MDAC exploit payload.

    Years ago, most people in my circle of security-minded friends realized that the easiest exploit to catch is the remote code execution (aka drive-by) that delivers a malicious executable payload, certainly the preponderance of exploits used in the current Exploit Kits, such as Black Hole. I discovered this with the WMF exploit in late 2005 (more than six years ago -- how time flies, and how nothing really changes!) See my Post #139 above.

    Recently, a good illustration of my point 2 above is the Google et al fiasco with the Aurora exploit:

    Operation “Aurora” Hit Google, Others
    http://siblog.mcafee.com/cto/operation-“aurora”-hit-google-others/
    It's absolutely unconscionable that large organizations such as Google don't have secure end point protection in place -- such stuff has been talked about since at least 2004.

    In the "upgrade-to-be-secure" department, some will remember that a number of exploits against Windows 7 surfaced:

    New SMB Zero-Day Exploit?
    November 12th, 2009
    http://blog.trendmicro.com/new-smb-zero-day-exploit/
    Internet Explorer CSS 0day on Windows 7
    Dec 20 2010
    http://www.offensive-security.com/offsec/internet-explorer-css-0day-on-windows-7/
    OK, to rehash my disclaimers from previous posts:

    • None of this is to advocate that people shouldn't update/patch their browser or operating system

    • Rather, it's possible to have security in place for these types of exploits when they do surface in the wild, so that the user is protected in case of the 0-day stuff, should the user encounter such a thing. Then, panic and fear are held at bay pending the arrival of the patch, whether by the usually-late Adobe, and sometimes-late Microsoft.

    • Just having the latest version of a piece of software doesn't mean a user is invulnerable to possible exploitation.

    • People have different ways of approaching security, and it's not possible from a distance (on a forum) to really judge the effectiveness of any person's approach without very detailed information about the person's knowledge/expertise, computing habits, and much more.


    ----
    rich
     
  6. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418

    You can never really tell, can you...;) My approach is basically...nil desperandum :D
     
  7. wat0114

    wat0114 Guest

    How about a third part? :) ...

    -http://technet.microsoft.com/en-us/security/bulletin/ms06-014

    ...because there are still plenty of click-happy users.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Or use an ever more common method, compromise a legitimate site that people use.
     
  9. wat0114

    wat0114 Guest

    Sure, but it doesn't necessarily mean instant infection, because often the user gets re-directed to a site that attempts to install malware/rogue programs on them, the threat of which can be ended by closing the page unless, of course, it's a click-happy user.
     
  10. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    With all the talk about Windows 8 in this thread, I thought it might be a good time to throw this link out:

    PC World (Consolidated Windows 8 Coverage)

    A good article about things to look forward to in Windows 8 in 2012:
    http://www.pcworld.com/businesscent...ons_to_look_forward_to_windows_8_in_2012.html

    It looks like Microsoft will be making a big push to get people to upgrade online. No need for a disc. You will be able to upgrade from Windows 7 to Windows 8 online. The marketing budget is said to be much larger than any other OS they've ever released. With instant upgrades to Windows 8 (they claim 11 clicks) online, you can imagine the advertising: "Be running the new Windows 8 (or whatever they choose to call it) in minutes!"

    It will be interesting.
     
  11. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    You won't Know until you try !

    It's interesting to note you say ANY, because that includes you, Without AE etc. Whereas .......

    MAY, does NOT automatically = Rooted

    Amongst Lots of nasties I've tested, I've actually tried to run Many nasty RK's with my setup & they do NOT run, never mind Install etc :D I even allowed several to Install last year that encrypt the HD until you pay a ransom to unlock it. Due to my having SD enabled, after a reboot it was 100% back to normal :) I posted screenies of it in action etc on here.

    kareldjag :thumb: has been around for Many years, & done Scores of tests with Lots of Apps etc & Malware. Plenty of good info etc on his www - http://kareldjag.over-blog.com
     
  12. BrandiCandi

    BrandiCandi Guest

    Interesting. I didn't know there were plans for a store in Win 8. But in XP (since that's the topic of this thread) you can choose to automatically check for MS software updates along with Windows Updates. So that takes care of MS software. Then whenever you open third party software, most of them check for updates and notify you if there are any to install (adobe, java, browsers, AVs, sandboxie...). I think a more realistic way to handle that is for all the apps to have their own automatic update process. IMO they should all default to auto updates, and the user should have to manually disable it if that's how they want to go. There are programs like ninite installer that will check for updates on software not included in MS updates. Maybe that's a solution for the people you're talking about specifically.

    Anyway the real advantage I see of the Linux repositories is that there are thousands of geek eyes on the code whenever anything gets added. Therefore it's really tough to get anything malicious to slip past the geeks. As long as MS is closed, there's no prayer for anything like that from them.
     
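The two recurring points so far, Rmus's observation that most users never installed fixes such as MS06-014 and MS08-067, and BrandiCandi's note that XP can be opted into Microsoft Update so that non-Windows components get patched too, can be checked from a single script. The following is an added example, not code from the thread or from Microsoft; it assumes PowerShell 2.0 and the Windows Update Agent COM API on XP SP3 or later, that the script runs elevated (the opt-in needs it), and the KB mapping MS06-014 = KB911562 and MS08-067 = KB958644.

```powershell
# Added example (not from the thread): check two specific patches, opt the machine
# into Microsoft Update, and list what is still missing.
# Assumptions: PowerShell 2.0+, WUA COM API available, run as administrator,
# and the KB numbers below (MS06-014 -> KB911562, MS08-067 -> KB958644).
$wanted = @{ 'MS06-014' = 'KB911562'; 'MS08-067' = 'KB958644' }

# Win32_QuickFixEngineering (what Get-HotFix reads) misses some updates on XP,
# so treat a "MISSING" here as a prompt to look at the WUA search below.
function Test-HotfixInstalled {
    param([string]$KB)
    [bool](Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KB })
}

foreach ($bulletin in $wanted.Keys) {
    $state = if (Test-HotfixInstalled $wanted[$bulletin]) { 'installed' } else { 'MISSING' }
    '{0} ({1}): {2}' -f $bulletin, $wanted[$bulletin], $state
}

# Opt in to Microsoft Update so MDAC/Office/.NET fixes arrive with Windows Update.
# Flags 7 = allow pending registration (1) + allow online registration (2)
#         + register the service with Automatic Updates (4).
$muServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'   # Microsoft Update service GUID
$sm = New-Object -ComObject Microsoft.Update.ServiceManager
$sm.ClientApplicationID = 'patch-check'                  # arbitrary label, assumption
$null = $sm.AddService2($muServiceId, 7, '')

# Enumerate missing, non-hidden software updates with their MSRC severity, so the
# output shows the unpatched remote-code-execution bugs rather than a bare count.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$missing  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
foreach ($u in $missing) {
    $kbs = @($u.KBArticleIDs | ForEach-Object { $_ }) -join ','
    '{0,-9} KB{1} {2}' -f $u.MsrcSeverity, $kbs, $u.Title
}
```

The WUA search is the authoritative check: it asks the same catalogue Automatic Updates uses, so a bulletin that Get-HotFix cannot see (XP does not register every update as a QFE) still shows up in the missing list with its severity.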
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    The strongest part of a repository in my opinion is that you get constant patches and it handles all of them. No worries about an out of date Java/Flash, it does it for you.
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,970
    Location:
    USA
    Uh oh... :D
    Who's most gullible online and why? Secrets from scam world revealed
     
  15. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    I guess i think otherwise, personally Windows XP was never as user friendly as Windows 7. Basic things such as configuring your DSL Provider Modem could turn into a mess.

    So for me it's Windows 7 FTW!!
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
  17. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I note that any OS with AE can be infected because I think AE is fairly useless. If I gave you a HIPS that reliably alerted you to every call made by programs you could easily thwart virtually every piece of malware (assuming my HIPS isn't vulnerable) - every time you ran a malicious program on your machine you could easily disable it before it got started, every time you let it run you could prevent it from hurting your system or doing anything nefarious. You could stop exploits through trustworthy programs or anything else.

    But it would be absolutely awful security because it's all based on the user and the second you trust a file you'll just allow it to do whatever you like.

    Now Shadow Defender is actually a much better program when used properly. That's a security method I can definitely get behind.
     
  18. jadinolf

    jadinolf Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    1,047
    Location:
    Southern California
    I still love it!
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The problem isn't the HIPS or its use as a security enforcement tool. The real problem is the word I bolded, trust. When legitimate sites get hacked, the DNS system is proven vulnerable, and malicious code is written by professional criminals, big industries, and even governments, trust gets you owned. Never blindly trust anything related to the web, including what you download from it. Always check it. Always test it. Always have a way back to where you started from.

    I haven't looked at Internet Explorer in years, but the last I did, they had the entire internet zone idea backwards. Creating a zone more restrictive than the internet zone is pointless. What is the point of putting a site in the restricted zone after you've already been there with more permissive settings? At a minimum, the internet zone should be the restricted zone with increasing levels of trust allowed after that.
     
  20. wat0114

    wat0114 Guest

    But what happens after a verified trusted site moved to a less restrictive zone gets exploited, and you open it before the exploit is discovered and removed?
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Your implication is that an AE (anti-executable) program is useless because it doesn't micro-control what executables do when running. This statement is disingenuous, or at least misleading. Not everyone wants (or deems necessary) that type of micro-control. So, using AE and HIPS in the same statement is not appropriate.

    A simple AE's sole purpose in life is to prevent remote code execution (aka drive-by) exploits from succeeding. "Drive-by" is not a useful term, because remote code execution also includes autorun exploits on USB media, for example. No Stuxnet attack can succeed.

    My (and colleagues') experience with exploits in the wild have shown that it doesn't matter which version of the OS is used: protection is sound.

    With that type of attack covered, the user is left with what you refer to as the problem of the user trusting a file.

    This gets into a completely different aspect of security, and I will just reiterate my statement from a previous post that does no good to judge from a distance (on a forum) how users secure their computers and make decisions about trusting what they run.

    I think this discussion of security measures has strayed way beyond the intention of this thread.

    regards,

    ----
    rich
     
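Rmus describes a "simple AE" as a default-deny on execution: nothing runs unless it lives where the user has said executables may live, which is what stops a drive-by or an autorun payload before any HIPS-style per-call decision is needed. On Windows the built-in way to get that behaviour is Software Restriction Policy with the default level set to Disallowed plus path rules for the OS and installed programs. The script below is an added example, not code from the thread or from any AE product; it assumes the documented registry layout of SRP under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (so it also works on editions without secpol.msc), that %SystemRoot% and %ProgramFiles% are the only roots that need to be allowed, and that it is run elevated and tested on a throwaway or rolled-back system first.

```powershell
# Added example (not from the thread): anti-executable baseline via SRP, written
# straight to the registry. Assumptions: SRP key layout as documented for the
# Safer\CodeIdentifiers policy key; level 0 = Disallowed, 0x40000 = Unrestricted;
# run as administrator; log off/on afterwards for the policy to take effect.
$base         = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0
$Unrestricted = 0x40000

function New-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each rule is a GUID-named subkey under <level>\Paths with an expandable path.
    $key = Join-Path $base ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -PropertyType String       -Value $Description -Force | Out-Null
    $key
}

New-Item -Path $base -Force | Out-Null
Set-ItemProperty -Path $base -Name DefaultLevel        -Type DWord -Value $Disallowed
Set-ItemProperty -Path $base -Name TransparentEnabled  -Type DWord -Value 1   # 2 would also check DLLs
Set-ItemProperty -Path $base -Name PolicyScope         -Type DWord -Value 0   # 0 = all users, admins included
Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Type DWord -Value 0   # do not trust by signature

# File types SRP treats as executable. Same as the MMC default minus LNK, which
# would otherwise block desktop shortcuts under a default-deny.
$execTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
             'INF','INS','ISP','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF',
             'REG','SCR','SHS','URL','VB','WSC'
Set-ItemProperty -Path $base -Name ExecutableTypes -Type MultiString -Value $execTypes

# Only these roots may run; %TEMP%, the user profile, removable media and anything
# a drive-by drops there are denied by the default level, no per-sample decision needed.
New-SrpPathRule -Level $Unrestricted -Path '%SystemRoot%'   -Description 'Windows'
New-SrpPathRule -Level $Unrestricted -Path '%ProgramFiles%' -Description 'Program Files'

# Read back the policy and the rules so the result can be checked before logging off.
Get-ItemProperty -Path $base | Select-Object DefaultLevel, TransparentEnabled, PolicyScope
Get-ChildItem -Path (Join-Path $base "$Unrestricted\Paths") |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
```

Two caveats a practitioner would check after applying this: the allowed roots contain user-writable folders (for example %SystemRoot%\Temp and %SystemRoot%\Tasks), so a standard-user account that cannot write there is part of the design, not an optional extra; and SRP is an execution gate only, so, as Rmus says, it changes nothing about what an executable the user chooses to trust may do once it is allowed.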
  22. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,418
    I agree....but it tends to happen, a lot,....digression. :D
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's where the rest of your security policy comes into play, starting with isolating the attack surface, preventing any malicious payload it delivers from executing, and moving, removing, or denying access to its ultimate target. With most attacks, there's many points at which it can be intercepted and defeated.
     
  24. wat0114

    wat0114 Guest

    That makes perfect sense to me, but wouldn't that same security policy protect you equally as well if the site started off in the less restrictive zone and was exploited before it was moved to a more restrictive one?

    I'm just asking these questions because lately I've been wondering about the best way to set up the zones, focusing more on the Internet and Restricted ones (IE9). I came up with my own approach for sites I trust requiring Java, and rather than placing them in the Trusted or even Internet zone, I place them in the Restricted zone which I've modified to allow Java but I've kept all the other Restricted zone settings at their defaults. My reasoning here is that if one of them does get exploited, as Java is such a big target, the other restrictive settings in the zone can at least potentially play a part in mitigating any damage the exploit could do. I figure an exploited Java site in the Restricted zone - modified to allow Java - is far less likely to cause damage than if it were exploited in the Trusted zone :)

    This approach isn't necessarily written in stone for me, as I'm thinking over other possibilities as well.
     
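The zone layout wat0114 describes (a Java-requiring site mapped into the Restricted zone, with only the Java-related settings in that zone relaxed) can be applied and verified from the registry instead of clicking through Internet Options, which also makes it easy to confirm that the other Restricted defaults were left alone. The script below is an added example, not code from the thread or from Microsoft; it assumes the ZoneMap\Domains layout and the numeric value names IE uses for zone settings (1C00 "Java permissions", 1402 "Scripting of Java applets", 1400 "Active scripting", 1200 "Run ActiveX controls and plug-ins", 1803 "File download"), that zone 4 is Restricted sites, and that example.com stands in for the user's site. Which of 1C00, 1402 or the ActiveX values actually gates Oracle's Java plug-in in IE9 is taken as an assumption here and should be confirmed by loading the site after the change.

```powershell
# Added example (not from the thread): map a site into IE's Restricted zone and
# relax only the Java-related settings there. Assumptions: per-user zone keys under
# HKCU Internet Settings, zone 4 = Restricted sites, value names as listed above,
# and that 1C00/1402 are the settings that matter for the site's Java content.
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Restricted = 4

function Add-SiteToZone {
    param([string]$Domain, [int]$Zone, [string]$Scheme = 'https')
    # One subkey per domain; one DWORD per scheme ('*' covers http and https).
    $key = Join-Path $zoneMap $Domain
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value $Zone -Force | Out-Null
}

function Get-ZoneSetting {
    param([int]$Zone, [string]$Name)
    (Get-ItemProperty -Path (Join-Path $zones $Zone)).$Name
}

function Set-ZoneSetting {
    param([int]$Zone, [string]$Name, [int]$Value)
    Set-ItemProperty -Path (Join-Path $zones $Zone) -Name $Name -Type DWord -Value $Value
}

# Placeholder site; replace with the real Java-requiring host.
Add-SiteToZone -Domain 'example.com' -Zone $Restricted -Scheme '*'

# Relax only Java in zone 4. For most entries 0 = Enable, 1 = Prompt, 3 = Disable;
# 1C00 uses 0x10000 High safety, 0x20000 Medium safety, 0x30000 Low safety, 0 = Disable.
Set-ZoneSetting -Zone $Restricted -Name '1C00' -Value 0x20000   # Java permissions: Medium safety
Set-ZoneSetting -Zone $Restricted -Name '1402' -Value 0         # Scripting of Java applets: Enable

# Read back the zone so the remaining Restricted defaults can be eyeballed:
# 1400 active scripting and 1200 ActiveX should still be 3 (Disable), 1803 download 3.
foreach ($name in '1400','1200','1803','1C00','1402') {
    '{0} = 0x{1:X}' -f $name, [int](Get-ZoneSetting -Zone $Restricted -Name $name)
}
```

The read-back is the part worth keeping: it answers wat0114's own question about whether the rest of the zone still constrains an exploited page, because a value that has silently drifted to 0 (for example after a plug-in installer "fixed" the zone) is visible immediately, where the Custom Level dialog would need a scroll through every entry.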
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    In the You-are-more-secure-with-the current-Operating-System department:

    An article posted in another thread by ronjor, has the following statement, which seems more appropriate to comment on here:

    Well, these statements are always frustrating because no details of how the compromise took place are given.

    But taking the statements at face value, that running an "antiquated" Operating System is to blame, I have a few notes about scareware. Here is one pertaining to the operating system and the implication that a modern OS is "far more secure":

    Google doodle takes you to scareware sites
    12 May 2011, 17:08
    http://www.h-online.com/security/news/item/Google-doodle-takes-you-to-scareware-sites-1242208.html
    Common to most scareware infection analyses is this:

    So, it's really a social engineering ploy that starts everything, a ploy that can easily fool/coerce the unaware user.

    Therefore it's not really fair to lay all of the blame on an older version of an OS, or assume more security by running a newer version, as implied in the article.


    ----
    rich
     
    Last edited: Jan 13, 2012