Considering its widespread news coverage, I’m sure everyone is aware of the latest Internet Explorer bug. For the uninitiated, a security company discovered that a previously unknown bug in Internet Explorer was being used in a targeted hacking attack. This flaw allowed a computer to be infected with malware simply by visiting a compromised website. While a bug like this can be alarming, it really isn’t anything new. Such flaws are regularly exposed in web browsers (not only in Internet Explorer). So, what caused this attack to hit the mainstream press like it did? The Department of Homeland Security.
FireEye Security first discovered the attacks targeting Internet Explorer. The Department of Homeland Security then picked up on this and published an advisory in which they recommended that users temporarily use alternative web browsers. This recommendation was unusual, especially coming from such an influential group. The media immediately picked up on this out-of-the-ordinary guidance, and ran with it. As Adrienne Hall, the general manager of Microsoft’s trustworthy computing division, stated in her blog post, the media’s reaction to the bug in IE was overblown.
The bug, itself, was nothing new in the world of computers. Flaws that allow malware infection through no action on the part of the end user have been an all-too-common occurrence. The real story became Homeland Security’s recommendation to not use Internet Explorer. Of course, once a user switches away from Internet Explorer, say to Google Chrome or Mozilla Firefox, they’re unlikely to ever go back. A huge blow to Microsoft; a huge boon to every other web browser developer.
As I said before, the bug was overblown. First, the bug allowed attackers to only gain the same rights as the user operating the computer. If the user is running without admin rights (as all users should), then any malware gaining access to the computer would be refused admin rights as well. Attacks that allow the escalation of privileges, providing the malware with full admin rights, are much more dangerous. Don’t get me wrong, malware can still inflict damage without admin rights; it just isn’t as bad as it could be.
Second, the malware exploiting the IE bug was used in only a few, highly targeted attacks. Essentially, some attacker discovered and used this previously unknown flaw in IE to attack a single company, or sector of companies. This attack was put together by a highly skilled group with a singular purpose. They sought access to a single company, not the Internet as a whole. The risk to an average user always remained low, as they were never the attacker’s target.
Finally, this new IE bug hit very shortly after the end of Windows XP’s support. Many have been dreading the end of XP’s support, as it signals the end of security patches for the retired OS. Without security patches, anyone still running XP will become more and more at risk as time goes by. Flaws in XP are likely to be discovered for years to come, and fixes will never come. So, this bug quickly came to be seen as the first unpatched flaw in XP, immediately turning XP into a high-risk OS.
Bug = Fixed
Microsoft was quick to jump on finding a fix for the flaw in Internet Explorer. They had no choice, really, as they were under tremendous media pressure to get the bug fixed. It had to be pretty painful to watch all of their users run to other web browsers. Typically, Microsoft releases security patches on the second Tuesday of every month. In this case, they pushed out an “out-of-band” patch. Meaning, they quickly got a fix ready, then pushed it out as soon as possible, instead of waiting until the next second Tuesday. Details regarding the fix can be found here.
In a move that surprised many, Microsoft released a fix for Windows XP, as well. XP support ended just a few weeks before this new bug, and the press was already jumping on that fact. So, it only made sense for MS to push out at least one more XP patch. Do not expect this to continue, though. If you’re still running Windows XP, you really need to upgrade to Windows 7 or 8.
8 Ways to Protect Yourself in the Future
This bug is now behind us, but the story doesn’t end there. There are a few simple things you can do to minimize your risk of falling prey to a security flaw. By following these 8 “best practices”, you can remove some of the worry typically associated with the malware floating around the Internet (though you should always be wary). Many of these suggestions gained increased importance when this bug hit, but they aren’t new; they’ve always been good ideas.
1. Get Off Windows XP
Seriously. If you’re running Windows XP, you need to upgrade. You may be able to upgrade your existing computer to Windows 7 or 8. The upgrade won’t be simple, though, as you will have to do a fresh install of Windows. You won’t be able to do an in-place upgrade from Windows XP to 7+. An in-place upgrade leaves your files and software mostly intact, while upgrading the OS. So, make sure to back up all of your files and software before upgrading. Many users will find it easier to buy a whole new system. New systems are cheaper than ever, especially for those who only use their computer for web browsing and e-mail. In fact, such users may be better off with a tablet.
Microsoft has a few tools available to help XP users check if their computer is compatible with Windows 7 and 8. These tools will analyze your system and report back a list of hardware and software that will (or won’t) work on the newer OSes.
2. Get Off Internet Explorer
Lack of central management for alternative browsers makes it difficult to deploy anything other than Internet Explorer in the Enterprise environment, but at home (or even in small businesses), making the switch is simple and essential.
At this point, IE is a pretty solid and secure web browser. The technology driving IE has improved greatly over the years, and in many ways, it’s just as secure as the other browsers out there. What makes IE a greater risk than the others is the simple fact that hackers focus most of their energy on finding ways to break it. Why? Two reasons: 1) Though its numbers are dwindling, IE continues to be the browser of choice for the majority of Internet users. 2) Those still using IE are less likely to be tech savvy; they’re more likely to fall for hacks, scams, etc. Other browsers (Firefox, Chrome, Safari, etc.) have proven to be just as hackable as IE; they’re just not targeted as often.
When a vulnerability crops up in a browser, the time it takes to fix the flaw makes all the difference. Although Microsoft has come a long way over the years (this latest flaw only took two weeks to fix, for example), they remain a bit slow in fixing bugs. Firefox and Chrome, with their automatic updates and quick response times, excel in this area. Safari, Apple’s browser, is painfully slow to fix pretty much anything. Apple just doesn’t seem to have the proper systems in place to respond to bugs in a quick and efficient manner. Their software has rarely been targeted, so they haven’t had much need to improve their processes.
So, what does this all boil down to? Switch to Firefox or Chrome! They’re targeted less often, quicker to respond when they are targeted, and more proactive in making sure their software is secure to begin with. If you’re looking for a browser that just works, with little to no maintenance needed on your part, go with Chrome. If you’re interested in supporting a company that is dedicated to the future of the Internet and its users, instead of the future of their shareholders, go with Mozilla Firefox. Regardless of your choice, the switch should be simple. Download and install your new browser and it will walk you through the process of transferring over your settings from Internet Explorer. Done deal.
3. Secure Your System
I know, I know, you’ve heard it all before. Run anti-virus, regularly scan for malware, etc. Well, you’re hearing it again. In lieu of making software recommendations, I’ll simply refer you to one of my past articles:
If you can afford to pay for security software, then by all means, do so. While the free alternatives will often do the job, let’s face it, you get what you pay for.
4. Keep Your Operating System Up-To-Date
The most important step a Windows user can take in keeping their system secure is to regularly install Windows Updates. This is the primary mechanism used by Microsoft to distribute security updates to the masses. New updates are usually released on the second Tuesday of every month, but when necessary, Microsoft will release updates outside of this schedule. That is what was done when they released the fix for the latest IE bug.
The best choice for the average Windows user is to simply enable automatic updates. When enabled, Windows will automatically download and install updates, as they become available. To enable automatic updates, follow Microsoft’s directions. If your version of Windows is not automatically selected, then manually choose your OS via the drop-down to the right of the article’s title.
Remember what I said about getting off of Windows XP, what with it no longer being supported by Microsoft? Microsoft fixed one nasty bug on IE, but they probably won’t do that again, in the future. Well, for those who need to stay on XP, a workaround does exist. I’m hesitant to share this information, as I really don’t want to encourage the continued use of XP, but in the interest of keeping XP users safe…
Ars Technica has a good article on the hack, and ZDNet has directions. The gist of it is that, while Microsoft has officially ended support of XP, they actually continue to create security updates for the outdated OS. A number of larger entities have invested a lot of money in XP, and as long as they continue to pay for XP support, Microsoft will keep creating patches for them. Microsoft also continues to create patches for special embedded versions of XP. This is the version of the OS that you’ll find on cash registers, ATMs, etc. This special version of the OS is slated to receive support until 2019.
By tweaking your registry, you can trick Windows Update into thinking you’re running the special, embedded version of Windows XP. This hack should allow you to continue to receive security updates; at least for the time being. Be warned: no one knows for sure how long the workaround will work, or whether the updates will cause problems on normal copies of Windows XP. This trick should really be used as a stopgap measure, only.
5. Keep Your Software Up-To-Date
Windows users are lucky to have Windows Update at their disposal. Microsoft releases security updates every month, and those updates are then automatically downloaded and installed on millions of computers around the world. Updates to the operating system are just one part of the update puzzle, though. One must also make sure to keep the rest of the software on their computer current and up-to-date.
For Windows users, there are three primary pieces of software to keep an eye on. Adobe Flash, Adobe Reader, and Java. These software packages are nearly ubiquitous; most users have them installed on their computers. Since most Windows users have these programs installed, malware writers frequently target them in their attacks. In fact, many of the worst, most damaging attacks rely on the presence of Adobe Flash, specifically. The virus this article started with is one such attack.
So, how do you keep your software up-to-date? Enable automatic updates whenever possible. Some software will install updates as they become available, while other software will prompt you when an update is ready. If you get an update prompt from a piece of software, then read the message and install the update. Do not simply ignore the message, or treat it as an annoyance.
Not all programs will have automatic update mechanisms. Some will require that you manually run an update check. Update tools are usually found under the Help menu. If you don’t see any such tool, check the program’s website to determine the best method for updating.
Here are some details, straight from the software creators, regarding the update mechanisms in the big 3 software packages:
In addition to using the update mechanisms built in to your various programs, I recommend the use of Secunia PSI. This software constantly monitors the software on your computer, and alerts you when an update is available. For more information and download links, see my previous article:
6. Be Skeptical
Over the years, there have been very few viruses that are able to just randomly find and infect computers. For the most part, you have to do something to get infected. It could be as simple as visiting a bad website, but you still had to find your way there. So, the number one protection against infection? Be skeptical.
Emails are particularly risky. If you receive an email from a sender you’re not familiar with, do not click any links. 9/10 times, the link will lead to a virus. If you receive an email from someone you are familiar with, but the email seems out of the ordinary (random gibberish, nothing but a link, etc.), then again, don’t click any links.
See a really interesting article floating around Facebook? Maybe something about the president running for a 3rd term? The cancellation of your favorite TV show, perhaps? Do you know why that article headline is so enticing? Because they want to entice you into clicking. This is their business. The more computers they infect, the more money they make.
7. Be a Detective
I recently came across a great example of a scam email. Take a look:
From: fax [mailto:firstname.lastname@example.org]
Subject: You’ve received a new fax
New fax at SCAN0426818 from EPSON by https://domainname.com
Scan date: Thu, 5 Jun 2014 10:53:14 -0500
Number of pages: 2
Resolution: 400×400 DPI
You can download your fax message at:
(Dropbox is a file hosting service operated by Dropbox, Inc.)
While convincing, there are a number of ways to deduce that this email isn’t legit. Unfortunately, some of my users fell for this message. Luckily, the link was already dead by the time it hit our systems.
- The email says it was sent by an EPSON machine. Many businesses have copiers that are able to send scans and faxes via email, so many will find emails like this to be familiar. Does your company have an EPSON printer? If your files typically come from a RICOH or a CANON, then EPSON should throw up an alarm.
- The email includes a link to a file on Dropbox. Do you use Dropbox? More importantly, does your company use Dropbox? Have you ever received an email with a scan or fax that required you download your file from any external file service, let alone Dropbox? Seems like a red flag, to me.
- Was your email address on the TO line, or were you BCCd? Does it make sense for any service like this to BCC you? Probably not.
- Have you ever received legit faxes via email? This email expects you to be familiar with some sort of fax retrieval system. If your company had such a system, then you would probably be aware of it. At the very least, there would have been some sort of announcement email about any new systems.
- If you have received faxes via email before, then does this email look like others you’ve received? Probably not.
These examples of deduction, though specific to this email, could apply to any email or website. Question what you see, and look for red flags. That is the absolute best method of protecting yourself.
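Three of the checks from the list above (unfamiliar device brand, external file-hosting link, BCC'd recipient) can be written as a small mail-triage script. This is an added example, not part of the original article; the brand lists, the file-sharing host list, the addresses and the Dropbox URL in the sample are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Assumptions: the scanner brands this company owns, brands a lure might
# name, and file-sharing hosts the company does not use to deliver scans.
KNOWN_SCANNER_BRANDS = {"RICOH", "CANON"}
ALL_BRANDS = {"EPSON", "RICOH", "CANON", "XEROX", "HP", "BROTHER"}
FILE_SHARE_HOSTS = {"dropbox.com", "drive.google.com", "onedrive.live.com"}

# Constructed sample modelled on the message quoted above; the addresses
# and the download link are placeholders, not values from the real email.
SAMPLE = """\
From: fax <fax@sender.example>
To: fax@sender.example
Subject: You've received a new fax

New fax at SCAN0426818 from EPSON by https://domainname.com
Number of pages: 2
You can download your fax message at:
https://www.dropbox.com/s/EXAMPLE/fax.zip
"""

def red_flags(raw, my_address):
    """Return the list of red flags found in a plain-text email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    # Flag 1: the message names a device brand the company does not own.
    mentioned = {b for b in ALL_BRANDS if re.search(rf"\b{b}\b", body, re.I)}
    if mentioned - KNOWN_SCANNER_BRANDS:
        flags.append("unfamiliar-device")
    # Flag 2: the "document" is delivered through an external file host.
    for url in re.findall(r"https?://[^\s>\"]+", body):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in FILE_SHARE_HOSTS):
            flags.append("external-file-host")
            break
    # Flag 3: our address is on neither To nor Cc, so we were BCC'd.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if my_address.lower() not in {addr.lower() for _, addr in visible}:
        flags.append("bcc-recipient")
    return flags

if __name__ == "__main__":
    print(red_flags(SAMPLE, "me@company.example"))
```

A message that trips none of these checks is not proven safe; the flags only automate the questions a reader should already be asking.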
8. Avoid Dark Alleys
One can compare the risk of malware infection to the risk of being mugged. Where are you more likely to be mugged? Walking down main street during the middle of the day on a bright and sunny Saturday, or heading down that dark alley at a little past midnight?
Stick to big, familiar websites, and you’ll rarely run into a problem. That massive corporate entity doesn’t gain much from infecting your computer. The risk to their reputation if you do get infected by them gives them a lot of incentive to keep their systems secure. Decide to try and make your way through the more nefarious portions of the Internet? You’re just asking for trouble. I’m sure you’re tempted by what’s down that alley, but is it worth it? That’s for you to decide, I guess.
In the End…
…the Internet is a wild and untamed place. The latest security risk is just around the corner. All you can do is try your best to stay safe and secure. Unfortunately, almost everyone will get hit by a virus at some point in their life. Some viruses are relatively benign, while others will completely wipe out your system. Keep backups! If you do lose everything, at least you’ll have a backup to restore from.