Vista: Clear, Confident, Connected, Compromised?

Vista Vulnerable to a Third of Malware

ComputerWorld wrote:

Windows Vista is wide open to nearly 40% of the malware currently circulating, Microsoft has admitted, following a report by Sophos.

Remarkably, with the new operating system just released to business, the software giant says in effect that there is nothing it can do about the threats in question -- Stratio-Zip, Netsky-D and MyDoom-O -- because they rely on social engineering to invade systems. The three threats together account for 39.7% of currently circulating malware, according to Sophos.

Can anybody confirm this?

Confirm it how? 

Anything that depends on "social engineering" is out of the OS company's hands, as the OS is not there to prevent you from doing things you want to do.  If you want to install a program that changes cursors and such, you can.  If that same program comes bundled with crap, then it gets installed and runs.  Anti-Spyware/AntiVirus software can only do so much.  It's the same on any OS out there; none of them prevent you from doing things if you really want to.

This is nothing new, and will not go away as long as people insist on installing anything that tickles their fancy.

Well if they rely on social engineering, i.e. conning people into clicking something they shouldnt, they what can protect againt them?

I mean unless someone invented an OS without a UI, hmmm thats a thought, total lockdown!

Oh look, an anti-virus company releasing a 'study' that says we're all going to get infected PCs. 
What a surprise.

Herbie

Dr Herbie wrote:

Oh look, an anti-virus company releasing a 'study' that says we're all going to get infected PCs. 
What a surprise.

Herbie

But just because I'm paranoid, it doesn't mean they're not after me.

But social engineering isn't something many people are looking at using technology to fix. There's definitely something we can do about it. IE7's list of phishing sites is a start. There should be more. UAC for the web?

Dr Herbie wrote:

Oh look, an anti-virus company releasing a 'study' that says we're all going to get infected PCs. 
What a surprise.

Herbie

Really....though I can confirm this from experience.

Humans are idiots

BTW: Phishers can get your credit card more easily on Vista than XP if you TYPE IT IN THEIR DAMN WEBSITE!!!

I think the title of this post needs to be

"I was bored and needed to do something, so I posted crap"

thumbtacks wrote:



fdisk wrote:Can anybody confirm this?

Confirm it...how? By trying to have users purposely install these malware programs on a Vista system? To prove what? If you are trying to imply that somehow Microsoft isn't making an effort on this front, you're misguided. No complicated piece of equipment or software is completely foolproof and your lack of knowledge on this subject is really starting to show now.

QFT

This is like saying that user prompted ActiveX is a problem for users. If you go to a site that tells you to enable ActiveX and click on "OK" to install it and you do...is it Microsofts fault?

This is like saying the railroad company is at fault for you driving through their barricades as a train comes through.

"The trains should stop faster"
"The trains should be made out of nerf materials"
"The barricades should be made out of rubber so you bounce off of them"

Man I hate humans.

Out of intreast I wounder how many UAC prompts there are to install any of these?

Cybermagellan wrote:



This is like saying that user prompted ActiveX is a problem for users. If you go to a site that tells you to enable ActiveX and click on "OK" to install it and you do...is it Microsofts fault?

Yes, it is MS's fault -- because when MS made ActiveX controls available to IE, they made a perfect distribution system for malware, spyware, virus. All that stood between a user and total infection is one click of a button.

And safer alternatives existed at the time. Java applets were much safer because of the things they can't do. MS wanted a piece of the connected apps pie & didn't have the development time & released a pretty horrible combination of unmanaged code & the pipe to run it to milions of desktops.

So, um, yes, it is Microsoft's fault.

Minh wrote:



Cybermagellan wrote:  This is like saying that user prompted ActiveX is a problem for users. If you go to a site that tells you to enable ActiveX and click on "OK" to install it and you do...is it Microsofts fault?

Yes, it is MS's fault -- because when MS made ActiveX controls available to IE, they made a perfect distribution system for malware, spyware, virus. All that stood between a user and total infection is one click of a button.

And safer alternatives existed at the time. Java applets were much safer because of the things they can't do. MS wanted a piece of the connected apps pie & didn't have the development time & released a pretty horrible combination of unmanaged code & the pipe to run it to milions of desktops.

So, um, yes, it is Microsoft's fault.

Sorry, no. While it's obvious that the initial implementation left much to be desired (and was fixed years ago), the concept of a browser extensible architecture via plugins was already pretty much accepted by the time IE2 came out.

The difference between the ActiveX-based extension mechanism and, say, Netscape's NSPlugins was that ActiveX didn't require you to restart the browser and the session.

Every modern browser on every platform has the same area of attack today. If a website tricks you into downloading and executing random code, you are, as we say, SOL.

Actually, IE7 - with its phishing filter - is a lot more secure than Safari or Firefox in this regard.

This is designed to sound like Vista is less secure than XP?

Truth? no, if anything, this says to me that in one foundation step MS has crippled 60% of the malware out there already.

PaoloM wrote:


The difference between the ActiveX-based extension mechanism and, say, Netscape's NSPlugins was that ActiveX didn't require you to restart the browser and the session.

I'm not at all familiar with how plugins work -- if they allow arbitrary native code execution, then, that's pretty horrible also. So, the plugin mechanism pre-dates Java applets & ActiveX controls, right? I supposed a hacker could've targeted plugins or ActiveX, but ActiveX can be created w/ VB, eh?

Minh wrote:

I'm not at all familiar with how plugins work -- if they allow arbitrary native code execution, then, that's pretty horrible also. So, the plugin mechanism pre-dates Java applets & ActiveX controls, right?

Indeed, and it still exists today. How do you think Firefox is able to use Flash?

Minh wrote:

I'm not at all familiar with how plugins work -- if they allow arbitrary native code execution, then, that's pretty horrible also. So, the plugin mechanism pre-dates Java applets & ActiveX controls, right?

Java applets run via a plugin. In that case, the native code executed is the JRE. A plugin is by definition able to execute native code, how else would it run?

Minh wrote:

I supposed a hacker could've targeted plugins or ActiveX, but ActiveX can be created w/ VB, eh?

Yes, ActiveX can be created with any COM-compliant language, and that includes VB.

And there are plenty of vulnerabilities targeting non-ActiveX plugins, on pretty much any browser.

Sven Groot wrote:


Indeed, and it still exists today. How do you think Firefox is able to use Flash?

PaoloM wrote:

Java applets run via a plugin. In that case, the native code executed is the JRE. A plugin is by definition able to execute native code, how else would it run?

Sometimes I wish to remain ignorant. I don't really need to know that they put pig snouts in hot dogs, you know?

Coincidentally, Java & Flash are 2 managed "environments" that would be pretty safe to expose to the browser. Maybe some day, HTTP will only be used for mark-ups & XMLRequest calls.

Minh wrote:



Sven Groot wrote:  Indeed, and it still exists today. How do you think Firefox is able to use Flash?

PaoloM wrote: Java applets run via a plugin. In that case, the native code executed is the JRE. A plugin is by definition able to execute native code, how else would it run?

Sometimes I wish to remain ignorant. I don't really need to know that they put pig snouts in hot dogs, you know?

LOL

Yes, you're right

Minh wrote:

Coincidentally, Java & Flash are 2 managed "environments" that would be pretty safe to expose to the browser. Maybe some day, HTTP will only be used for mark-ups & XMLRequest calls.

I wish... there are many ways to access so-called "dynamic content", and the web browser is not the best of them all the time.