CSIS Security Group A/S released a report showing how Windows machines become infected with malware. It’s one of the questions we most frequently get asked when cleaning up a malware infection on a client machine. “How did this happen?” It’s a reasonable question. We make sure our clients have up to date anti-malware applications, inform them of safe computing habits, and yet they still sometimes end up with infections. The point of the CSIS research was to:
reveal precisely how Microsoft Windows machines are infected with the virus/malware and which browsers, versions of Windows and third party software that are at risk.
So the report details which browsers are infected and how often, which versions of Windows are infected and how often, as well as third party software (typically plugins but also some standalone applications) which are infected and how often. From a computer support perspective, this is invaluable because it allows those of us in IT to help clients make technology decisions in a more informed manner.
Chrome: Taking the Shine Off of Malware
The first graphic we run across shows the breakdown of browser infection rates. The immediate piece of information that grabs us is that Internet Explorer accounts for 66% of malware exploits on the tested systems in this report. That may seem alarming for IE users, but there is a very important point to consider here; Internet Explorer has several versions in use right now, most of them quite old and rife with exploitable security holes. IE6 is the worst offender here and likely the oldest version of IE you’re going to see, but it’s not as widespread as it used to be. IE7 is, sadly, still widely deployed mostly due to inertia from users who simply haven’t upgraded. IE8 marks a significant improvement in security and stability over its predecessors and represents the final version of IE that will be made available on Windows XP. IE9 is the most recent version of IE available and isn’t as widely deployed as its kin but is the most secure of the bunch. I wish the report had broken this out by version but given the improvements in IE9, I believe it can stand shoulder to shoulder with the other browsers that had fewer malware attacks in the report.
In any event, Firefox was the next most represented on the list at 21% followed by Chrome, Opera and Safari, each with less than 10%. Opera and Safari have far lower usage numbers than the other browsers and so can be expected to have fewer exploits directed at them. Chrome is approaching equivalent browser usage with Firefox but has a far lower number of exploits. And unlike the common refrain directed at Mac users, that their platform isn’t targeted because it’s not as popular, Chrome is cross platform and widely deployed. This puts a big feather in Chrome’s cap.
Windows 7: Wherefore Art Thou?
The next graphic shows the number of exploits by operating system. Since the whole report is focused on Windows exploits, we’re going to see things broken up exactly as we want, by version. The most noticeable thing we see is that Windows XP is at the heart of 41% of malware exploits. We’ve already discussed the fact that you really should not be running Windows XP. The fact that Windows XP is at the midst of the maelstrom of malware maleficence is not a surprise but is informative. The bigger surprise in my mind is the fact that Windows Vista accounted for 38% of malware vulnerabilities. Now bear in mind this is only indicative of the fact that this is the OS that was installed at the time of infection, not necessarily that the OS was the vulnerable point. Still, given Vista never had much of an uptake compared to XP, being panned as failure and quickly supplanted by Windows 7, to see Vista so high on the chart suggests it’s not a good alternative. We do find Windows 7 at 16% and given it’s finally overtaken Windows XP deployments, I think it’s fair to say Windows 7 represents a significant increase in security compared to its older siblings. The other operating systems listed (Windows 98, Windows 2000 and Windows 2003) aren’t worth mentioning because they are either very old and whatever was said about XP applies doubly or triply to them or they are a server OS (in the case of 2003) and have a different set of needs.
The takeaway here should be that if you are not on Windows 7 then… why not? It’s clearly the most secure desktop OS Microsoft has available right now and is going to be the best jumping off point for future support, updates and upgrades to Windows 8 when it becomes available. Do not walk, run. Go. It will be a big improvement and your IT support staff will thank you for it.
Did I Do That? Actual Malware Infection Points
In some respects the previous two sections represent incidental information. The infected machine happened to be using a certain browser or a certain OS. There are, of course, some things that those browsers and OS versions do to forestall malware attacks, but by and large the information above doesn’t necessarily correlate directly to actual vulnerabilities. For example, the sandboxing model used by current browsers means that many malware attack vectors simply won’t work, but if the user chooses to download malware through that browser and then run it, in spite of any warnings that might pop up, there’s nothing the browser can do to prevent that. So what’s actually going on?
To my own surprise, Java was the biggest reported application listed as offering a malware attack point. Why would you have it? Simple; many websites, including internal corporate apps, are written using Java applets, small applications that run inside the Java virtual machine in your browser. Because they are deployed through your browser, they can be installed centrally at a server and be updated in one location, allowing updates to flow automatically each time you run the applet. But they require the Java virtual machine software to be installed on any machine which will run the applet and that software can have vulnerabilities which need patching. You might have a small orange icon down in your system tray right now, waiting for you to click on it to apply Java updates. Have you been ignoring that? Remember, keeping your software updated is vitally important.
The next most common vulnerability was through Adobe’s Acrobat Reader and Acrobat software. This is the software that allows you to view (or in the case of the full version of Acrobat, create) PDF files. You know you can’t edit a PDF so how on earth can there possibly be a vulnerability there? It turns out a PDF file can contain scripts that, when you click on various portions of the PDF document, do different things. The scripting functionality in Adobe products is quite powerful and capable of manipulating your file system and interoperating with your OS and other applications. However, there are recent updates which have created a similar sandboxing model as I mentioned with the browsers above. This greatly limits how much interactivity such scripts can have with your machine, thus greatly reducing your exposure to security vulnerabilities through this software. Again, it becomes a matter of staying up to date with your software.
The third most common point of vulnerability was through Adobe’s Flash player. This is used to watch videos on sites such as Youtube, presentations by some artists, interactive content on websites and online games. It can provide a rich user experience but seems to be being phased out over time. Still it is widely deployed and while you can go without it, most users are likely to want it. The exploits in this case weren’t listed as being caused by known Flash vulnerabilities that have patches available, but Adobe does keep Flash regularly updated to patch up security holes as they are discovered and Flash runs in a sandbox as well as being sandboxed when run within modern browsers, so that should help limit vulnerabilities through this. But once again, it requires fully updated software to stay on top of this issue.
I was going to mention that the remaining vulnerabilities are individually less than 10% each of the exploits tracked, but I want to draw attention to one point. Internet Explorer happens to be the next vulnerable application listed at exactly 10%. Once again I wish the researchers had listed individual versions of IE, as I imagine that would show that IE9 and even IE8 have a better security record than this chart would imply. Still, the fact is that there are no other browsers which are listed as being the direct source of a vulnerability. Still, the specific IE related vulnerabilities listed in this section are as follows:
CVE-2006-0003 IE MDAC
CVE-2006-4704 Microsoft Visual Studio 2005 WMI Object Broker Remote Code Execution Vulnerability
CVE-2004-0549 ShowModalDialog method and modifying the location to execute code
Note that the IDs are in the format of CVE-YYYY-####, where YYYY is the year the exploit was discovered. Those dates are 2006 and 2004, rather old, suggesting older versions of the browser or subcomponents were at play. It’s not conclusive but seems indicative of problems with just older versions of IE, not with the newer versions.
In the end, what we see here is really a confirmation of what computer support professionals and IT staffers everywhere have been saying all along. Stay current on your software, keep up with updates, don’t let your computer become full of antiquated software riddled with vulnerabilities that have been fixed in more recent versions of the software. While it may seem to be the least expensive option to try to stick with older copies of software, in the end you are not only going to be forced to upgrade eventually as a matter of practicality, you’re going to be spending more in support costs than you saved by not upgrading in the first place as well as incurring additional downtime. Do yourself a favor and keep updated.