How Windows gets malware
When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java, Adobe Reader/Acrobat and Adobe Flash. This is revealed by a survey conducted by CSIS Security Group A/S. This group has been collecting data for 3 months on actual infections of computers by drive-by attacks on browsers. Drive-by attacks are when you go to an innocent website and get a virus anyway. This is typically from ads or hacked links.
Basis of the study
CSIS has over a period of almost three months actively collected real time data from various so-called exploit kits. An exploit kit is a commercial hacker toolbox that is actively exploited by computer criminals who take advantage of vulnerabilities in popular software. Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.
The purpose of this study is to reveal precisely how Microsoft Windows machines are infected with malware and which browsers, versions of Windows and third party software that are at risk.
CSIS monitored more than 50 different exploit kits on 44 unique servers / IP addresses. Figures come from the underlying statistical modules, thereby ensuring an as precise overview of the threat landscape as possible. The statistical material covers all in all more than half a million user exposures out of which as many as 31.3 % were infected with the virus/malware due to missing security updates.
Among the vulnerabilities we have observed abused by the monitored exploit kits, we find:
CVE-2010-1885 Microsoft Help & Support HCP
CVE-2010-1423 Java Deployment Toolkit insufficient argument validation
CVE-2010-0886 Java Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE
CVE-2010-0842 Java JRE MixerSequencer Invalid Array Index Remote Code Execution Vulnerability
CVE-2010-0840 Java trusted Methods Chaining Remote Code Execution Vulnerability
CVE-2009-1671 Java buffer overflows in the Deployment Toolkit ActiveX control in deploytk.dll
CVE-2009-0927 Adobe Reader Collab GetIcon
CVE-2008-2992 Adobe Reader util.printf
CVE-2008-0655 Adobe Reader CollectEmailInfo
CVE-2006-0003 IE MDAC
CVE-2006-4704 Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
CVE-2004-0549 ShowModalDialog method and modifying the location to execute code
The report above describes those operating systems, browsers, and applications that are vulnerable in the real world scenarios they have observed. Here it is slimmed down:
Internet Explorer is the worst offending browser. Mozilla is second.
Windows XP, Windows 7, and Windows Vista are the worst offending operating systems.
Java, Adobe Reader, and Adobe Flash are the worst offending applications.
Salient point is that, fully updated and patched installs let 70% of the infections through. Mainly because the technology is reactive. Even more salient is that only 13% of the successful infections relied on software that was Windows only (10% were IE exploits, 3% were Windows Help exploits) All you folks encourgaging your friends and families to buy Macs for the specific reason of their security are in for a world of hurt in a few years when Mac hits ~30+% market share. Kits are already starting to appear.
Conclusion: 99.8 % of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages:
Java JRE 37%
Adobe Reader/Acrobat 32%
Adobe Flash 16%
MS Internet Explorer 10%
Windows HCP (Help) 3%
Apple Quicktime 2%
For the sake of security, I would not run Java, Adobe anything or Internet Exploiter.
We don’t want you getting viruses because it’s difficult to remove and more importantly, expensive and time consuming.
1. Uninstall java. Most end users never have a need for it and don’t update it.
2. Use Chrome to read PDFs or use Foxit. No need for Adobe, but to be fair Adobe’s new sandbox model in version X is resistant to viral infections and exploits.
3. Update flash as often as it says or switch to Chrome.
4. Use ESET NOD32 & HitmanPro for protection
