Coffeehouse Thread

24 posts

Vista: Clear, Confident, Connected, Compromised?

  • fdisk

    Vista Vulnerable to a Third of Malware

    ComputerWorld wrote:
    Windows Vista is wide open to nearly 40% of the malware currently circulating, Microsoft has admitted, following a report by Sophos.

    Remarkably, with the new operating system just released to business, the software giant says in effect that there is nothing it can do about the threats in question -- Stratio-Zip, Netsky-D and MyDoom-O -- because they rely on social engineering to invade systems. The three threats together account for 39.7% of currently circulating malware, according to Sophos.

    Can anybody confirm this?

    Sad

  • julianbenjamin

    Confirm it how? 

    Anything that depends on "social engineering" is out of the OS company's hands, as the OS is not there to prevent you from doing things you want to do.  If you want to install a program that changes cursors and such, you can.  If that same program comes bundled with crap, then it gets installed and runs.  Anti-Spyware/AntiVirus software can only do so much.  It's the same on any OS out there; none of them prevent you from doing things if you really want to.

    This is nothing new, and will not go away as long as people insist on installing anything that tickles their fancy.

  • Lee_Dale

    Well if they rely on social engineering, i.e. conning people into clicking something they shouldn't, then what can protect against them?

    I mean unless someone invented an OS without a UI, hmmm that's a thought, total lockdown!

  • dahat

    fdisk wrote:
    Can anybody confirm this?




    ComputerWorld wrote: there is nothing it can do about the threats in question -- Stratio-Zip, Netsky-D and MyDoom-O -- because they rely on social engineering to invade systems.

    Is that really surprising in the slightest?

    All MSFT and you and I can do is warn of potential issues with things like UAC or horror stories of what happens when you click Yes to everything... it is up to the user to decide if they want to shoot themselves in the foot.

  • Dr Herbie

    Oh look, an anti-virus company releasing a 'study' that says we're all going to get infected PCs. 
    What a surprise.

    Herbie

  • Minh

    Dr Herbie wrote:
    Oh look, an anti-virus company releasing a 'study' that says we're all going to get infected PCs. 
    What a surprise.

    Herbie

    But just because I'm paranoid, it doesn't mean they're not after me.

    But social engineering isn't something many people are looking at using technology to fix. There's definitely something we can do about it. IE7's list of phishing sites is a start. There should be more. UAC for the web?

  • Cybermagellan

    Dr Herbie wrote:
    Oh look, an anti-virus company releasing a 'study' that says we're all going to get infected PCs. 
    What a surprise.

    Herbie


    Really....though I can confirm this from experience.

    Humans are idiots

    BTW: Phishers can get your credit card more easily on Vista than XP if you TYPE IT IN THEIR DAMN WEBSITE!!!

    I think the title of this post needs to be

    "I was bored and needed to do something, so I posted crap"

  • Cybermagellan

    thumbtacks wrote:
    
    fdisk wrote: Can anybody confirm this?

    Confirm it...how? By trying to have users purposely install these malware programs on a Vista system? To prove what? If you are trying to imply that somehow Microsoft isn't making an effort on this front, you're misguided. No complicated piece of equipment or software is completely foolproof and your lack of knowledge on this subject is really starting to show now.


    QFT

    This is like saying that user prompted ActiveX is a problem for users. If you go to a site that tells you to enable ActiveX and click on "OK" to install it and you do...is it Microsoft's fault?

    This is like saying the railroad company is at fault for you driving through their barricades as a train comes through.

    "The trains should stop faster"
    "The trains should be made out of nerf materials"
    "The barricades should be made out of rubber so you bounce off of them"

    Man I hate humans.

  • PerfectPhase

    Out of interest I wonder how many UAC prompts there are to install any of these?

  • LarryOsterman

    fdisk wrote:
    Vista Vulnerable to a Third of Malware

    ComputerWorld wrote: Windows Vista is wide open to nearly 40% of the malware currently circulating, Microsoft has admitted, following a report by Sophos.

    Remarkably, with the new operating system just released to business, the software giant says in effect that there is nothing it can do about the threats in question -- Stratio-Zip, Netsky-D and MyDoom-O -- because they rely on social engineering to invade systems. The three threats together account for 39.7% of currently circulating malware, according to Sophos.

    Can anybody confirm this?


    My personal favorite part of the article:
    ComputerWorld wrote:

    While the email system built into Vista, Windows Mail Client, stops all of the top 10 viruses identified by Sophos for November, the three threats outlined can infect systems when a third-party email client is used, Sophos said last week. Stratio-Zip was November's top malware, accounting for one-third of virus traffic, says Sophos.


    So Vista's built-in email programs are immune to those threats - it identifies them and blocks them, but if you use 3rd party apps, they can be used to attack Windows.

    And that makes Vista vulnerable to the threats.

  • Minh

    Cybermagellan wrote:
    

    This is like saying that user prompted ActiveX is a problem for users. If you go to a site that tells you to enable ActiveX and click on "OK" to install it and you do...is it Microsoft's fault?

    Yes, it is MS's fault -- because when MS made ActiveX controls available to IE, they made a perfect distribution system for malware, spyware, virus. All that stood between a user and total infection is one click of a button.

    And safer alternatives existed at the time. Java applets were much safer because of the things they can't do. MS wanted a piece of the connected apps pie & didn't have the development time & released a pretty horrible combination of unmanaged code & the pipe to run it to millions of desktops.

    So, um, yes, it is Microsoft's fault.

  • PaoloM

    Minh wrote:
    
    Cybermagellan wrote: 

    This is like saying that user prompted ActiveX is a problem for users. If you go to a site that tells you to enable ActiveX and click on "OK" to install it and you do...is it Microsoft's fault?

    Yes, it is MS's fault -- because when MS made ActiveX controls available to IE, they made a perfect distribution system for malware, spyware, virus. All that stood between a user and total infection is one click of a button.

    And safer alternatives existed at the time. Java applets were much safer because of the things they can't do. MS wanted a piece of the connected apps pie & didn't have the development time & released a pretty horrible combination of unmanaged code & the pipe to run it to millions of desktops.

    So, um, yes, it is Microsoft's fault.

    Sorry, no. While it's obvious that the initial implementation left much to be desired (and was fixed years ago), the concept of a browser extensible architecture via plugins was already pretty much accepted by the time IE2 came out.

    The difference between the ActiveX-based extension mechanism and, say, Netscape's NSPlugins was that ActiveX didn't require you to restart the browser and the session.

    Every modern browser on every platform has the same area of attack today. If a website tricks you into downloading and executing random code, you are, as we say, SOL.

    Actually, IE7 - with its phishing filter - is a lot more secure than Safari or Firefox in this regard.

  • stevo_

    This is designed to sound like Vista is less secure than XP?

    Truth? no, if anything, this says to me that in one foundation step MS has crippled 60% of the malware out there already.

  • Minh

    PaoloM wrote:
    
    The difference between the ActiveX-based extension mechanism and, say, Netscape's NSPlugins was that ActiveX didn't require you to restart the browser and the session.

    I'm not at all familiar with how plugins work -- if they allow arbitrary native code execution, then, that's pretty horrible also. So, the plugin mechanism pre-dates Java applets & ActiveX controls, right? I supposed a hacker could've targeted plugins or ActiveX, but ActiveX can be created w/ VB, eh?

  • Sven Groot

    Minh wrote:
    I'm not at all familiar with how plugins work -- if they allow arbitrary native code execution, then, that's pretty horrible also. So, the plugin mechanism pre-dates Java applets & ActiveX controls, right?

    Indeed, and it still exists today. How do you think Firefox is able to use Flash?

  • PaoloM

    Minh wrote:
    I'm not at all familiar with how plugins work -- if they allow arbitrary native code execution, then, that's pretty horrible also. So, the plugin mechanism pre-dates Java applets & ActiveX controls, right?

    Java applets run via a plugin. In that case, the native code executed is the JRE. A plugin is by definition able to execute native code, how else would it run?

    Minh wrote:
    I supposed a hacker could've targeted plugins or ActiveX, but ActiveX can be created w/ VB, eh?

    Yes, ActiveX can be created with any COM-compliant language, and that includes VB.

    And there are plenty of vulnerabilities targeting non-ActiveX plugins, on pretty much any browser.

  • Minh

    Sven Groot wrote:
    
    Indeed, and it still exists today. How do you think Firefox is able to use Flash?


    PaoloM wrote:

    Java applets run via a plugin. In that case, the native code executed is the JRE. A plugin is by definition able to execute native code, how else would it run?


    Sometimes I wish to remain ignorant. I don't really need to know that they put pig snouts in hot dogs, you know?

    Coincidentally, Java & Flash are 2 managed "environments" that would be pretty safe to expose to the browser. Maybe some day, HTTP will only be used for mark-ups & XMLRequest calls.

  • PaoloM

    Minh wrote:
    
    Sven Groot wrote: 
    Indeed, and it still exists today. How do you think Firefox is able to use Flash?


    PaoloM wrote:
    Java applets run via a plugin. In that case, the native code executed is the JRE. A plugin is by definition able to execute native code, how else would it run?


    Sometimes I wish to remain ignorant. I don't really need to know that they put pig snouts in hot dogs, you know?

    LOL Smiley

    Yes, you're right Wink

    Minh wrote:
    Coincidentally, Java & Flash are 2 managed "environments" that would be pretty safe to expose to the browser. Maybe some day, HTTP will only be used for mark-ups & XMLRequest calls.

    I wish... there are many ways to access so-called "dynamic content", and the web browser is not the best of them all the time.
