  #1 5 Star Lounger (Seattle, WA)

    The myths and facts of zero-day threats

    IN THE WILD

    By Robert Vamosi

    A new Microsoft study finds malware more often targets patched vulnerabilities than those still awaiting a patch (zero-day infections).

    Additionally, over the first half of 2011, user downloads and compromised removable drives were more likely to lead to malware infections than any other method.

    The full text of this column is posted at WindowsSecrets.com/in-the-wild/the-myths-and-facts-of-zero-day-threats (paid content).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  #2 2 Star Lounger (Sydney)
    I see a lot of recommendations for Secunia's PSI around the traps, and I run it myself, but it has a fixed once-a-week schedule and it only "cares" about known security patches.

    So I also run the FileHippo Update Checker at startup; as a consequence, PSI almost always reports 100%.

    FileHippo Update Checker is less intrusive than similar widgets from other download sites; in fact it doesn't intrude, or call home without permission etc.

    PSI doesn't see all applications, nor does FileHippo Update Checker, but it sees more than PSI. So you need to keep track of some s/w yourself.

    FileHippo sometimes doesn't provide the link for the 64-bit version, but it's improving in that respect. I've had that problem with PSI too.

  #3 3 Star Lounger (USA)

    ...fewer reported vulnerabilities in Win7 than in Windows XP...

    MS reports that "...found fewer reported vulnerabilities in Win7 than in Windows XP...", and recommends upgrading to Win7.
    Using data to fit the purpose? I say: Yes. Self-serving? I say: Yes.

    To be fair, there is a tiny bit of valid logic to the recommendation.

    I say, it is because of the vast XP installed base, versus relatively far fewer Win7 PCs today, that gives the skewed data, to the advantage of Win7.
    I dare say there are almost zero attacks on Windows 3.0 and DOS 3.0. Should we regress?!!
    Also, anything newer, fresh out of the door, is bound to be less vulnerable by virtue of its newness, and usually better built against attacks as well. I dare say, again, there are zero attacks on Win8 today.
    In the old days, even if 101% (!) of Apple PCs were infected, that was only 5-10% of the total PC market. Volume makes a big difference.

  #4 bobprimak, Lounge VIP (Hinsdale, IL, USA)
    Windows 7 really is more secure than Windows XP. The firewall and Patch Guard are examples of improvements which may show real-world results.

    I am not surprised by anything in the report. My sister is an experienced Systems Analyst, and she got her own XP Netbook infected with ConfickerB through a camera SD Card which she was using on multiple friends' computers. (We discovered this when we were transferring pictures onto my own Windows 7 laptop -- which does have Microsoft Security Essentials installed.) My sister finally relented and installed Microsoft Security Essentials into the laptop after a lengthy reformat and rebuild experience.

    But there was still something more. Before the rebuild, my sister's browser (out of date Firefox) had gotten hijacked. Malwarebytes Portable in Safe Mode found four or more infections, and in Windows Normal Mode, even more. She had used the Netbook on Public (hotel) Networks. No user actions were involved, so I slightly disagree with the Microsoft finding that there are very few attacks which do not involve direct access to the computer.

    Anyway, my sister had not updated Firefox, Flash Player, Java Runtimes, or Adobe Reader. She thought that using Foxit Reader would protect her if she did not run Adobe Reader. This was wrong. (Similarly, running Firefox does not absolve the user from updating IE.) Her installation of Foxit Reader had installed the Foxit Ask.com Toolbar into IE7, her native Windows browser version (also unpatched).

    Well, I did recommend a trip to Microsoft Updates (she at least does have Windows XP SP3 installed). And she MAY have decided that Secunia PSI is OK to have. That would have caught the Adobe Reader, Java Runtime and Flash Player exploits.

    What I use for software updates checking is free KC Softwares SUMO Lite (No RK). The Lite (No RK) version does not include spyware or adware. I find this updates checker to be perfectly adequate for most common free and paid programs for Windows XP and Windows 7.

    My own opinion of advanced heuristics (zero-day protections) is that they put out false-positives, often block access to system resources, and are a general pain in the neck. The system performance hit is definitely not worth the little bit of added protections. I removed Avast 6 from my own Windows XP SP3 laptop when it marked the Windows Recycle Bin as malicious and would not let me empty it. And don't get me started about all the problems I had with Prevx-2!

    Bottom line: Yes, use active shields on the order of what MSE provides. Use a third-party firewall for Windows XP if you feel you must, and make sure you have a recent clean Image Backup if you use public WiFi. Use second-opinion malware scanners once in a while. And keep your software, especially browsers and plug-ins, up to date. Java and .NET must not be forgotten. With free software installers and updaters, beware "piggyback" adware and spyware offers. But the best defense is as Microsoft says -- do not let your vigilance and common sense lapse when you are online. User action is indeed the greatest security threat out there.
    Last edited by bobprimak; 2011-10-20 at 15:34.
    -- Bob Primak --


  #5 2 Star Lounger (Sydney)
    Quote (originally posted by scaisson):
        MS reports that "...found fewer reported vulnerabilities in Win7 than in Windows XP...", and recommends upgrading to Win7.
        Using data to fit the purpose? I say: Yes. Self-serving? I say: Yes.

        To be fair, there is a tiny bit of valid logic to the recommendation.

        I say, it is because of the vast XP installed base, versus relatively far fewer Win7 PCs today, that gives the skewed data, to the advantage of Win7.
    According to W3, and based on internet usage - September 2011 - Win7 42%, XP 36%

    The installed base stats are also skewed. I worked at a site with ~1500 XP under-the-desk PCs, all with IE6 and a prehistoric version of Acrobat. They use air-gap Internet firewalls, the PCs have no CD drives, the USB connectors are disabled, and MAC addresses are registered for use on specific segments. Zero infections since they disabled the USB connectors and put locks on the computer cases in 2005.

    The more you use the net, the more vulnerable you are.

    My mother uses XP for family & friends email only; she receives no spam, and no infections over 7 years.

    Over the past 10 years my sister has gone from Win 98->XP->Vista->Win7.
    No matter what I do or say, she gets infected 2-3 times a year.
    She's inquisitive - ooh, what's that, maybe I should get it - click, click, click.
    Oh dear, now WMP won't play my music and YouTube is broken.
    Ring, ring. Hello darling brother, my computer is broken :cry: Can I bring it over?

  #6 Administrator (Portugal)
    What I think is relevant, and has been stated in article after article, as Robert Vamosi states here, is that keeping the OS updated is of the utmost importance, security-wise. Any advice to the contrary, which we regularly read, even on the Lounge, seems irresponsible to me.

  #7 highstream, 3 Star Lounger (Bozeman, MT)
    Robert Vamosi writes: "This past February, Microsoft released an update for the Windows XP and Windows Vista platforms that made Autorun work more like it does in Windows 7 — Autorun is enabled for CDs and DVDs, but not for thumb drives."

    What is meant by AutoRun with a thumb drive (USB stick)? I was under the impression AutoRun meant either the app on the device started automatically or Windows tossed up a dialog box for the device. That's because in XP, when everyone a while back was warning about getting attacked via AutoRun, the hack or scripts to disable it turned off both possibilities.

    I would think that on USB sticks it's not as common to start an app automatically on plug-in, vs. choosing what to do from the dialog box or a file manager. Last month I installed and thoroughly updated Win 7/32, then the same with Win 7/64 this month. After that, every time I plugged in a USB stick, a Windows box asking what I wanted to do came up for it. Wasn't that AutoRun? Since there's nothing labeled for USB stick among the many devices listed, I had to turn them all off to stop it. Not sure that I ever really figured out which one it was.
    Last edited by highstream; 2011-10-24 at 17:19.

  #8 bobprimak, Lounge VIP (Hinsdale, IL, USA)
    Quote (originally posted by highstream):
        Robert Vamosi writes: "This past February, Microsoft released an update for the Windows XP and Windows Vista platforms that made Autorun work more like it does in Windows 7 — Autorun is enabled for CDs and DVDs, but not for thumb drives."

        What is meant by AutoRun with a thumb drive (USB stick)? I was under the impression AutoRun meant either the app on the device started automatically or Windows tossed up a dialog box for the device. That's because in XP, when everyone a while back was warning about getting attacked via AutoRun, the hack or scripts to disable it turned off both possibilities.

        I would think that on USB sticks it's not as common to start an app automatically on plug-in, vs. choosing what to do from the dialog box or a file manager. Last month I installed and thoroughly updated Win 7/32, then the same with Win 7/64 this month. After that, every time I plugged in a USB stick, a Windows box asking what I wanted to do came up for it. Wasn't that AutoRun? Since there's nothing labeled for USB stick among the many devices listed, I had to turn them all off to stop it. Not sure that I ever really figured out which one it was.
    Your confusion seems to center around two different Windows features.

    Auto Play is the dialog which pops up asking you what to do with a USB drive when it is mounted into Windows. This was not the main source of the February, 2011 security alerts. When properly managed (Windows Vista or Windows 7 style) this is a safe feature. Provided you have applied all the relevant Windows Updates patches, that is.

    Auto Run is a feature where any program on a USB stick or CD used to be able to invoke any non-specific .dll file and run it as an executable program. The problem, as exemplified by Conficker B, was that the exact path to the .dll did not need to be specified by the Auto Run program. So, Conficker B could actually run its own installer from the same USB drive on which the Auto Run was initiated. This has been patched to disable the more general case, and allow only specified paths to execute from USB Auto Run programs. Some third-party software vendors, as well as Microsoft itself, had to rewrite their installers to specify the path to their real .dlls.

    My sister got the Conficker B infection on her netbook from a camera SD Card which had been used in a friend's infected computer. Neither person had applied the MS Updates patches which could have prevented this event.

    In any event, you do need to have both the Auto Play patch and several Auto Run patches in order to be protected from unwanted automatic software installations. And you need to scan from time to time with an up-to-date antivirus program to make sure none of your Windows System Files or .dlls have been replaced with rogue versions (Alureon and other exploits).

    Any currently patched Windows system with up to date virus protections should be safe from most of the February and later exploits. USB sticks will not be able to run many older Auto Runs, but updated CDs and DVDs will still be able to work as designed to install legitimate programs.

    A better explanation of what was happening and how it was mitigated can be found in this InfoPackets free content article, written at the time. Also of interest is this ComputerWorld article of the same period.

    But all you need to know is that a fully-patched installation of Windows 7, 32- or 64-bit, will behave as you have seen, and that this change is for your computer's protection. For each newly recognized device, you will have to tell Windows 7 what to do, but thereafter, the same device will do what you set it up to do until you change its predefined Auto Play setup. It can be an annoyance (like those UAC popups) but it is a necessary annoyance.
    Last edited by bobprimak; 2011-11-01 at 15:20.
    -- Bob Primak --

  #9 highstream, 3 Star Lounger (Bozeman, MT)
    Thanks for the very helpful clarification. However, I do need to know more than being up to date with patches and anti-malware apps (which I always am). As I understand it now, the window that pops up when the USB stick is inserted is Auto Play. The problem in Windows 7 is that there is no USB-specific choice among the devices listed (Control Panel), so short of either going through them one by one or turning them all off, how does one turn off the pop-up? It's not something I want to live with, any more than I live with those UAC popups, which I turned off.

  #10 bobprimak, Lounge VIP (Hinsdale, IL, USA)
    Here are Microsoft's instructions for managing or turning on or off Autoplay, for one media type or globally for all media. The instructions say Vista, but Autoplay in Windows 7 is virtually identical.
    -- Bob Primak --
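
    The following read-only PowerShell check is an added example, not part of this thread or of Microsoft's instructions; it reports the two settings the posts above distinguish: the NoDriveTypeAutoRun bitmask that governs AutoRun per drive type (with the HonorAutorunSetting flag that makes Windows respect it) and the per-user DisableAutoplay value behind the Control Panel's "Use AutoPlay for all media and devices" checkbox. It assumes Windows 7 with PowerShell 2.0 or later and the standard Explorer policy registry paths; the bit layout follows the Windows drive-type numbering, and 0x91 is the value Windows uses when the key is absent.

```powershell
# Added example (not from the thread): audit AutoRun / AutoPlay settings.
# Read-only; nothing in the registry is modified.

# NoDriveTypeAutoRun is a bitmask: a SET bit means AutoRun is disabled for
# that drive type. Default when the value is absent is 0x91.
$DriveTypeBits = @(
    @{ Name = 'Unknown';            Bit = 0x01 },
    @{ Name = 'No root directory';  Bit = 0x02 },
    @{ Name = 'Removable (USB/SD)'; Bit = 0x04 },
    @{ Name = 'Fixed disk';         Bit = 0x08 },
    @{ Name = 'Network';            Bit = 0x10 },
    @{ Name = 'CD/DVD';             Bit = 0x20 },
    @{ Name = 'RAM disk';           Bit = 0x40 },
    @{ Name = 'Reserved';           Bit = 0x80 }
)
$PolicyKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-NoDriveTypeAutoRun {
    # Machine policy takes precedence over the per-user value.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $v = Get-RegValue "$hive\$PolicyKey" 'NoDriveTypeAutoRun'
        if ($null -ne $v) { return [int]$v }
    }
    return 0x91
}

function Get-AutoRunReport([int]$Mask) {
    # One row per drive type, saying whether AutoRun is allowed or disabled.
    foreach ($t in $DriveTypeBits) {
        $state = 'allowed'
        if (($Mask -band $t.Bit) -ne 0) { $state = 'disabled' }
        New-Object PSObject -Property @{ DriveType = $t.Name; AutoRun = $state }
    }
}

$mask = Get-NoDriveTypeAutoRun
Write-Output ("NoDriveTypeAutoRun = 0x{0:X2}" -f $mask)
Get-AutoRunReport $mask | Format-Table DriveType, AutoRun -AutoSize

# The mask is only honored once this flag is set (it arrived with the
# AutoRun updates the column refers to).
$honor = Get-RegValue "HKLM:\$PolicyKey" 'HonorAutorunSetting'
if ($null -eq $honor) { $honor = 'not set' }
Write-Output ("HonorAutorunSetting = {0}" -f $honor)

# Per-user AutoPlay prompt: DisableAutoplay = 1 turns it off for all media,
# which is the global switch highstream was looking for in Control Panel.
$noPlay = Get-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers' 'DisableAutoplay'
if ($noPlay -eq 1) { Write-Output 'AutoPlay prompt: disabled for all media (per-user)' }
else               { Write-Output 'AutoPlay prompt: enabled (per-user default)' }

if (($mask -band 0x04) -eq 0) {
    Write-Warning 'AutoRun still allowed for removable drives; a hardened mask sets bit 0x04 (e.g. 0x95 or 0xFF).'
}
```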

  #11 highstream, 3 Star Lounger (Bozeman, MT)
    Quote (originally posted by bobprimak):
        Here are Microsoft's instructions for managing or turning on or off Autoplay, for one media type or globally for all media. The instructions say Vista, but Autoplay in Windows 7 is virtually identical.
    If your reply was meant for me, I suggest you read mine again, specifically the sentence that starts, "The problem in Windows 7..."
    Last edited by highstream; 2011-11-11 at 13:23.

  #12 bobprimak, Lounge VIP (Hinsdale, IL, USA)
    Quote (originally posted by highstream):
        If your reply was meant for me, I suggest you read mine again, specifically the sentence that starts, "The problem in Windows 7..."
    The Microsoft web page has expandable sections in it. One does indeed deal with specifying which types of inputs can or cannot run Autoplay. The instructions do apply to Windows 7. I've done this myself on my Toshiba Satellite not only for types of USB inputs, but for specific USB sticks and external drive letters, so that the Autoplay popup would not appear every time I plug in the device.
    -- Bob Primak --

  #13 highstream, 3 Star Lounger (Bozeman, MT)
    To show you what I'm talking about, here's a screenshot of Win 7/64 AutoPlay settings. There's also a USB stick attached at the moment. You see the setting for it anywhere? I don't.

    [Attachment: Windows 7 AutoPlay settings.jpg]

  #14 bobprimak, Lounge VIP (Hinsdale, IL, USA)
    Quote (originally posted by highstream):
        To show you what I'm talking about, here's a screenshot of Win 7/64 AutoPlay settings. There's also a USB stick attached at the moment. You see the setting for it anywhere? I don't.

        [Attachment: Windows 7 AutoPlay settings.jpg]
    That's not how I make permanent rules. Every time a new device is plugged in, a popup (or several popups) will ask me what to do with the device (or its partitions). I can select "Do Nothing" and mark a checkbox to save the setting for future use with that device or partition. This method operates on a case by case basis. I have never found it to be necessary or productive to go any further and try to get rid of Autoplay altogether. So what follows is at best my educated guess.

    For the more general rules, I must confess I have never had occasion to reset the default actions. I think you would have to plug in each device for which permanent and general rules are to be set.

    Your image shows no devices attached, which is why you cannot set up any rules for the devices. But the media types should be available to set rules, as your image illustrates. This means that you can, for example, allow or disallow autoplay for CDs or DVDs, and preset the actions to be taken by autoplay for these media types. Others can be set not to show autoplay (I think there's a Disable setting or a Do Nothing setting in the drop-down lists). The USB stick indeed does not show, which I do not understand.

    Beyond this, I will have to defer to other Loungers who do more fussing with Autoplay and UACs than I have found to be necessary.
    Last edited by bobprimak; 2011-11-15 at 13:37.
    -- Bob Primak --

  #15 highstream, 3 Star Lounger (Bozeman, MT)
    "Take no Action" is a rule choice among a few to several. I've rarely found need for an AutoPlay prompt, and with USB sticks, no matter what I chose in the AutoPlay popup, it still popped up next time (as I recall, that wasn't the case with XP). There's another reason for my choice: since I know when a USB stick is plugged in, turning AutoPlay off allows me to use a desktop link to bypass Win Explorer and open XYplorer to the directory I want to be in. Same usually with CD/DVDs. It's worked well, although AutoPlay did pop up the other night on a USB stick that I hadn't used for a while. That's what makes me think there's more to this than meets the eye - or my guesses.
