 Author Thread: Fix Old Flaws to Stop New Attacks
 /don

Joined: 10/6/2009
Msg: 1
Posted: 11/5/2009 10:25:55 PM


Fix Old Flaws to Stop New Attacks
Making sure you've fixed these old security holes will go a long way towards keeping your PC safe from current attacks.
Erik Larkin
Tuesday, November 03, 2009 09:50 AM PST


In further confirmation that Internet crooks tend to grab for the low-hanging fruit, a new Microsoft report reveals that the most common browser-based attacks tend to go after old software flaws. Making sure you've closed those holes can go a long way towards keeping your PC safe.

Browser-based exploits form the basis for some of the sneakiest and most dangerous attacks out there today. Crooks insert hidden attack code on a hijacked Web site that searches for a software vulnerability whenever anyone views the poisoned site. If the attack code finds a flaw, it will attempt to surreptitiously download and install a Trojan or other malicious software. If an antivirus app doesn't manage to catch it, the malware gets installed with nary a clue for the hapless victim.

These drive-by-download attacks sometimes go after the latest software flaws, but as revealed by Microsoft's new Security Intelligence Report v7, most of the attacks against Windows XP go after old Windows and third-party software flaws going as far back as 2006. Of the top 10 attacks, only one was from 2009. That's good news, since it means that basic maintenance and security measures will go a long way towards keeping your PC safe.

These are the most common browser-based exploits, as determined from Microsoft's analysis of "data from customer-reported incidents, submissions of malicious code, and Microsoft Windows error reports."

Third-party software:

CVE-2008-2992 - flaw in Adobe Acrobat and Reader
CVE-2006-5198 - WinZip
CVE-2007-0015 - QuickTime
CVE-2007-5659 - Adobe Reader

Windows holes:

MS08-041 - Microsoft Office Snapshot Viewer
MS09-002 - Internet Explorer
MS06-057 - Internet Explorer
MS08-078 - Internet Explorer
MS06-01 - Microsoft Data Access Components
MS06-055 - Microsoft VML


The names here tell when the flaw was discovered (MS06 = 2006, for example), and as you can see, crooks love the golden oldies. Many of these attacks probably go after pirated Windows installs that never get updates.

Enabling Automatic updates in Windows will guard from attacks against any of the listed Windows flaws, and to protect against the third-party software flaws, make sure you have the latest software versions available. For vulnerable older software such as the vulnerable, three-year-old WinZip, that might require a manual version check and update. Or you can take the easy route and use the free Secunia PSI software, which will scan your system for outdated vulnerable software and provide simple links to update it.

For Vista attacks, only one of the most common exploits listed went after a Windows flaw (Internet Explorer). The rest targeted third-party software such as Adobe Reader or RealPlayer, with old flaws again providing a common target. As with XP, running Automatic updates and Secunia PSI should safeguard any PC from the most common exploits.

Another good protection step is to apply the patch to turn off AutoRun for USB drives. As noted by the Washington Post, Microsoft's report also shows that some of the most common malware will infect thumb drives and wait to be connected to another PC. When that happens, the malware takes advantage of AutoRun to run automatically and attempt to infect the new PC.

A Microsoft patch - which doesn't distribute via Automatic Updates, per the Washington Post - will turn off AutoRun for USB drives and guard against this infection vector. You'll need to download and install this patch yourself.

And finally, for other simple security steps that can go a long way towards keeping you safe, see The Five Most Dangerous Security Myths.

http://www.pcworld.com/article/181315/fix_old_flaws_to_stop_new_attacks.html?tk=nl_spx_h_cbintro


The Five Most Dangerous Security Myths: Myth #5
The worst myth: We're all doomed. Stay offline.
Erik Larkin
Thursday, January 08, 2009 12:23 PM PST


You've cleared away most of the web of myth. You know that today's evil viruses and other malware exist to make money, that antivirus alone is no guarantee of safety, and that neither is your own good sense (as important as that is). And you know that some of the best protection comes from keeping your software and your operating system up-to-date.

Now it's time to make sure you don't fall for the final and potentially worst myth: That the crooks own the Internet, and that the only good option is to use it as little as possible. Denying yourself the cornucopia of benefits the Internet can bring out of fear of its dark side.

Yes, you can get nailed. But that shouldn't stop you from venturing online, any more than the potential for getting the flu should prevent you from ever leaving your house. If you know the risks and prepare for them adequately, you can weight the odds heavily in your favor and confidently enjoy what the Web has to offer.

You can't ever eliminate all risk, no more than you can guarantee complete safety in the real world. But with these simple steps you can give yourself very good odds.

1. Know the score. Know that the crooks are out for money, and that they can make money stealing anything from files to credit card numbers to Webmail passwords.

2. To combat drive-by-downloads and other attacks that take advantage of hidden software flaws, keep your software up-to-date. Use Automatic updates wherever possible, and for finding and patching the rest I'm a big fan of the free Secunia PSI.

3. To guard against con jobs (aka social engineering), double-check any e-mail attachment or download you're not 100 percent sure about. Heck, even double-check those. Virustotal.com offers a terrific free service that will scan any file you send (up to 10MB in size) with 37 different antivirus engines. There's still the potential for a very carefully crafted targeted attack to slip by all those engines, but the odds on that - and on your being the target of such a labor-intensive attack - are pretty slim.

4. Protect your passwords. If you have to type one on a risky PC - especially at an Internet cafe or other public PC - change it as soon as you get home. That goes for Webmail, online games, and pretty much anything else - crooks can and will abuse any of them for profit.

5. Use a good antivirus product. Their ability to detect and block malware varies greatly, so make sure yours is in the top tier for detection results. Check reviews from PC World and other sites and publications to make sure you're well covered.

You don't have to be a tech guru to cover any of these steps, and none of them will take much time either. But following them will go a long way towards denying the crooks without denying yourself.

http://www.pcworld.com/article/156698/securitymyth5.html?loomia_ow=t0:s0:a41:g26:r26:c0.010216:b20600591:z0