Russ Harvey Consulting - Computer and Internet Services

Vulnerabilities in Windows


All Windows Versions are Vulnerable

Like the obsolete skeleton key, the security in Windows appears to protect you, but it cannot deal with a determined attack without some external help.

Designed for ease-of-use rather than security, all versions of Microsoft Windows are vulnerable.

Legacy Windows MORE Vulnerable

Zero-day exploits that have already been patched in currently supported versions of Windows make legacy (unsupported) Windows versions even more vulnerable. When an exploit is patched in current versions, legacy versions with the same vulnerability remain exposed, with no update to patch the issue.

Beware of the Human Factor

People are too trusting of any warning that appears on their computer, particularly when visiting websites with their browser.

Example: “I Love You” Virus

James Gleick illustrated this human factor in an article discussing some of the Windows vulnerabilities exploited by the “I Love You” virus. We are more likely to open an email (or click on an advertising link) that appeals to our need for approval or caters to our fears.

Facebook has used this fear of missing something and innate human curiosity to exploit users with obfuscated links to ads that promote fake news while totally ignoring their own responsibility in the matter.

Fake Virus Warnings

Virtually all notices that suddenly appear on your screen warning about dozens or hundreds of infections on your computer are probably scamming you into downloading a genuine infection or selling you a bogus service. Never call any listed phone number.

Virtually all popup warnings that won't go away or warnings about dozens or hundreds of vulnerabilities on your computer are scams. It is difficult for many users to determine what a “legitimate” site looks like.

What folks need to do is to learn how their installed security software reacts to a genuine threat. Anything else is then a threat in itself rather than a warning about any real danger.

No, It's Not Microsoft Phoning You

If you receive a phone call telling you that your computer is at risk, hang up.

They are NOT Microsoft (or anyone legitimate) NOR are they trying to help you. Their goal is to scam you into:

  • divulging information about your computer;
  • providing malicious access to your computer;
  • opening an exploitive website using your browser; or
  • providing your credit card information for the "help" you're given.

Your best solution is to simply hang up.

Educate Yourself About the Risks

My Recommended Windows Software lists software I recommend for my clients. The Computer & Internet Security pages will teach you how to protect yourself and your family while online.

Guard Physical Access to Your Computer

Anyone with physical access to your computer can make changes to Windows or visit areas on the Web that pose a risk to your computer. That physical access can be through malicious software on a removable storage device or by giving a person access to your computer (including remote access).

Computer systems have been exploited by mailing CDs or leaving USB thumb drives in a company parking lot. Someone is going to plug them into their computer and release whatever troublesome gremlins they contain!

Be sure to take care when choosing someone to work on your computer and do not allow your children (or their friends) unsupervised access to your computer.

Windows "Ease-of-Use" is a Trade-off

Windows was built to be easy to use, with security apparently a casual afterthought — at least in versions earlier than Vista. The trade-off is between security and ease of use.

Consider the following analogies when deciding that "easier is better" in your computing experience:

Vehicle Analogy

Using Internet Explorer in Windows is like leaving your car parked downtown overnight with the doors unlocked, the windows rolled down and the keys in the ignition, then wondering why your car is gone in the morning.

Installing updates and alternatives to programs built into Windows is inconvenient, but consider why your car has those inconvenient locks and seat belts. Cars once had neither, yet they are now universally installed — for a very good reason.

Apartment Analogy

The front door key to an apartment building is the same for everyone. What if the building supervisor provided the same key for every apartment and allowed you to think that your apartment key was unique? Access for maintenance would be easier, but your unit's physical security would be severely compromised.

Microsoft Interoperability

Similarly, various Windows components and Microsoft Office products are highly integrated, making everything function smoothly. Because of that interoperability, weaknesses in one program (or component) can quickly spread to others.

For example, vulnerabilities in Internet Explorer spread to Outlook because components of IE were used to display the HTML (or “enhanced”) email content. Microsoft “fixed” this by making MS Word responsible for the HTML content.

I recommend using email programs and web browsers that don't integrate with Windows to prevent transferring that weakness.

The Dangers of Administrator Privileges

Most Windows computers only have one account that runs with full administrator privileges. Lesser accounts are available, but are difficult for most users to manage.

Most Linux users are much more aware of these dangers and tend to create a separate user account from the administrator account. Changes to the system require the administrator's password, even in the basic Linux install.

At the very least, you should provide only limited access accounts for your children and ensure that the Administrator accounts are protected by decent passwords.
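
To see how your own PC is set up, the PowerShell script below reports which enabled local accounts are administrators and whether any of them may have no password. It is an added example, not part of the original page; it assumes Windows 10 with Windows PowerShell 5.1 and only reads settings.

```powershell
# Added example: report each enabled local account, whether it belongs to the
# built-in Administrators group, and whether it is allowed a blank password.
# Needs the LocalAccounts cmdlets (Windows PowerShell 5.1 on Windows 10).

# Look the group up by its well-known SID so this works on non-English Windows.
$adminGroup = Get-LocalGroup -SID 'S-1-5-32-544'
$adminSids  = Get-LocalGroupMember -Group $adminGroup |
    ForEach-Object { $_.SID.Value }

$report = Get-LocalUser | Where-Object Enabled | ForEach-Object {
    $isAdmin = $adminSids -contains $_.SID.Value

    # Decide what, if anything, deserves attention for this account.
    $concern = ''
    if ($isAdmin -and -not $_.PasswordRequired) {
        $concern = 'administrator that may have no password'
    } elseif ($isAdmin) {
        $concern = 'full privileges: avoid for everyday use'
    } elseif (-not $_.PasswordRequired) {
        $concern = 'blank password allowed'
    }

    [pscustomobject]@{
        Account          = $_.Name
        Administrator    = $isAdmin
        PasswordRequired = $_.PasswordRequired
        PasswordLastSet  = $_.PasswordLastSet   # empty if never set
        Concern          = $concern
    }
}

$report | Sort-Object Administrator -Descending | Format-Table -AutoSize

# The situation the text describes: no limited account exists at all.
$admins = @($report | Where-Object Administrator)
if ($admins.Count -gt 0 -and $admins.Count -eq @($report).Count) {
    'Every enabled account is an administrator; create a limited account for daily use.'
}
```

Run it from an ordinary PowerShell window. Accounts for children should show `Administrator` as `False`.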

User Account Control

Windows Vista's User Account Control (UAC) became known for its intrusive nature. Windows 7 is somewhat less intrusive but allows the user to choose a lesser level of security. Reducing your security level leaves you more vulnerable because this is like deciding to buckle up your seat belt after you are in a serious car collision.

While Windows is less secure than Linux, this allows for easier installs, upgrades and exchange of information. Recent versions of Linux provide a much easier interface, even for beginners.

Vulnerabilities Are Relative

In addition to Windows, Linux and Mac also have vulnerabilities, as do browsers, email and other programs.

Be wary of comparisons that count how many vulnerabilities a system has rather than weighing the severity of the security breach. One serious system-wide vulnerability can be much more dangerous than dozens of small potential weaknesses.

Always Install Windows Critical Updates

Windows Update improves the security of your Windows system. To protect yourself from many of these vulnerabilities make sure you have the latest security patches for Windows and Office products you have installed.

  • Windows 7 and the now-unsupported Vista users will find Windows Update in the Control Panel (open the Control Panel then select Windows Update).
  • Windows 10 users should click on Settings then Update & Security. Click on Check for updates to see what updates are available.

Unfortunately, Microsoft used Windows Update as a means to move unsuspecting Windows 7 and 8 users into Windows 10. As a result, many turned off Windows Update completely, leaving themselves vulnerable to many zero-day vulnerabilities (known but unpublished vulnerabilities) that have been patched.

If you turned off Windows Update because of the underhanded way Microsoft went about tricking Windows 7 and 8 users into moving to Windows 10, that threat is no longer present and you should restore the default settings to update automatically.

Microsoft has no one but themselves to blame for folks that abandoned Windows and moved to either mobile devices or computers running Linux and macOS.

Uninstall Unused or Unsupported Software

Uninstall unused or obsolete (unsupported) software. This removes potential vulnerabilities (or actual vulnerabilities in the case of unsupported software).

One of the disturbing issues in Windows is that some of the embedded software, such as Internet Explorer, creates its own entry points for problems.

Is Your Computer Mission Critical?

Microsoft tends to run all their updates once a month on “patch Tuesday.” The downside to this is that some updates in large batches can create problems (thankfully, relatively rare).

For this reason, some administrators of “mission critical” systems wait to find out if there are problems with patches before updating. This is not recommended for home users because downtime due to such problems is an inconvenience, not something that will put lives or critical systems in jeopardy.

Weekly Maintenance Routine

Updates should be part of your weekly maintenance routine. You should maintain the updates to Internet Explorer (IE) even if you use another browser since IE is so tightly integrated into the Windows operating system.

As well as updates to Windows, you should be checking your other security software (firewalls, antivirus and anti-spyware software) as well as updates for all the programs on your computer.

Daily Security Software Updates a Bare Minimum

You should be updating your security software at least daily — I recommend that you update several times a day. In the case of a serious attack, hourly updates may save your programs and data from ruin.

A 2004 study conducted by Symantec, best known for Norton Antivirus, determined that the time between the release of a patch and the release of malicious code to exploit it was only 5.8 days. At that time, weekly updates were a bare minimum. I assure you that the Internet has only become less friendly since then.

Windows Critical Updates

Windows has a Windows Critical Updates notification/installation utility. Most users should use Automatic Windows Updates.

I'd suggest at least being notified and installing them as soon as you are able. Delays can be costly.

Windows Updates Options

Windows Updates are classified as Important updates and Recommended updates.

Always install the Critical Updates and Service Packs when available. These are considered vital to the safety of your Windows system.

Recommended Windows Updates may deal with specific issues some users are having. If you have no need for optional updates, don't install them.

Windows Update can also check for updates to Microsoft Office (more current versions only). Currently supported versions of Windows automatically download and install updates (Internet Explorer is not directly used any more).

Driver Updates Alternatives

Driver Updates may fix a problem with hardware, but I have experienced some Microsoft driver updates corrupting my Windows installations. System Restore provides a recovery solution if such a problem arises.

You might wish to go to the component manufacturer's site to check for an update, particularly for video driver updates.

There are Windows Alternatives

Other operating systems such as Linux and Apple's Macintosh offer fewer problems when it comes to virus propagation and other security issues.

This is partly due to their relatively smaller footprint in the computer world and partly due to better design. Apple computers have received more attention from hackers and malicious software since macOS and iOS have increased in popularity, so you should check for security solutions specific to your operating system to be safe.

There are also lesser-known operating systems that may prove suitable to your needs.

Vulnerabilities Still Exist

All software (including operating systems) has vulnerabilities. Even if you move to an alternative to Windows you'll have to update and monitor vulnerabilities.

Moving from Windows also means you'll experience a learning curve, but perhaps that is an acceptable cost. The main deterrent for most folks is either gaming software or expensive software licensed only for Windows.

ActiveX: A Potential Security Risk

There's nothing wrong with ActiveX as long as you trust completely the guy who wrote it, says research scientist Gary McGraw of Reliable Software Technologies.

But it's like leaving your office to go to lunch and running into some guy who says he'd really like to use your computer for the next hour, and letting him sit and do whatever he likes while you're away. But as far as running trusted code, it's a very powerful and useful technology. — quoted on CNET News

Fortunately, the future of ActiveX is relatively short as HTML-5 and Windows 10's Microsoft Edge don't support it. However, Internet Explorer is still available in Windows 10 and it does support ActiveX.

Should I Install ActiveX Controls?

Maybe. You should be cautious about installing ActiveX controls, sometimes called addons, on your computer, even if they have a valid digital signature. While ActiveX controls can enhance web browsing, they might also pose a security risk, and it's best to avoid using them if the webpage will work without them. However, some websites or tasks might require them, and if the content or task is important to you, you will have to decide whether to install the ActiveX control. — Microsoft

Microsoft suggests that before installing an ActiveX control, you should consider the following:

If you do not understand the dangers of installing Active X controls or files, they can cause the destruction of your data, and can unleash unimaginable and horrific viruses and malware, so please, please, please, be aware of the dangers of the installation of these files before proceeding any further. — Microsoft

It is very difficult to know what an ActiveX control from an unknown source will do. I strongly recommend that you do not install this dangerous and basically unsupported legacy of Internet Explorer.

Java is Safer

Java is a safer alternative to ActiveX but has its own security issues and is no longer supported by browsers except Internet Explorer.

Underlying the Java SE Platform is a dynamic, extensible security architecture, standards-based and interoperable. Security features — cryptography, authentication and authorization, public key infrastructure, and more — are built in. The Java security model is based on a customizable 'sandbox' in which Java software programs can run safely, without potential risk to systems or users. — Java SE Security

Java is one of the three most common vulnerabilities (the other two being Adobe Flash and Adobe Reader) which is why Firefox disables Java by default (recommended).

Browser Support for Java Ending

In fact, most browsers now disable Java and newer versions of Java no longer support browser integration (which is why we're running version 8 even though versions 9 and later have been released). 2019 is likely going to see the end of any support for Java within browsers.

Remove Older Java Versions

Always remove older versions of Java so that you're not exposing your computer to vulnerabilities that have been patched with more recent updates.
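
The following PowerShell script lists every Java entry recorded in the Windows uninstall registry keys and marks those that are older than the newest one installed. It is an added example, not part of the original page; the assumption that Java's display name begins with "Java" is mine, and the script only reports, it removes nothing.

```powershell
# Added example: find installed Java runtimes/JDKs and flag the older ones.
# Assumption: the installer's DisplayName starts with "Java"
# (for example "Java 8 Update ..."); adjust the filter if yours differs.

# Uninstall entries live in two places on 64-bit Windows.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Java*' -and $_.DisplayVersion } |
    ForEach-Object {
        $view = 'native'
        if ($_.PSPath -like '*WOW6432Node*') { $view = '32-bit on 64-bit' }
        [pscustomobject]@{
            Name         = $_.DisplayName
            Version      = $_.DisplayVersion -as [version]  # $null if unparsable
            RegistryView = $view
        }
    } |
    Where-Object Version

if (-not $installed) {
    'No Java installation found in the uninstall registry keys.'
    return
}

# A 32-bit and a 64-bit copy of the same release can legitimately coexist,
# so compare versions within each registry view separately.
$installed | Group-Object RegistryView | ForEach-Object {
    $newest = ($_.Group | Sort-Object Version -Descending |
               Select-Object -First 1).Version
    $_.Group | Sort-Object Version -Descending |
        Select-Object Name, Version, RegistryView, @{
            Name       = 'Status'
            Expression = {
                if ($_.Version -lt $newest) { 'OLDER: uninstall' }
                else { 'newest installed' }
            }
        }
} | Format-Table -AutoSize
```

Anything marked `OLDER: uninstall` can be removed through the Control Panel (Programs and Features) or Settings (Apps).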

Restrict the Use of Internet Explorer

I strongly recommend that you DON'T use Internet Explorer to surf the Web or to configure devices. It is rarely required elsewhere (a couple of exceptions are the now-retired Microsoft FixIt solutions and some Symantec utilities).

Firefox Recommended

Instead, I recommend Firefox as your primary browser.

Remember, if you employ addons in Firefox, they can add their own vulnerabilities. Firefox has changed the way extensions (addons) and plugins work, ending support for many of them. HTML 5 and built-in support for viewing PDFs and similar technologies have made them obsolete.

Update Windows

Updates & Service Packs

You should be running Windows Update automatically (unless your computer is mission critical) and have the most recent Service Pack (SP) installed for your version of Windows.

Discontinue Using Older Windows

When support is discontinued for a specific version of Windows, it means that Microsoft will no longer provide support or security updates, leaving your computer vulnerable.

Legacy (unsupported) Windows versions should no longer be run and you need to check out your alternatives.

If you need to run legacy (unsupported) versions of Windows, be sure to take them offline.

Learn more about the Windows support lifecycle on the Microsoft Windows page.

Windows Updates

While it is possible to continue to download updates or check for them manually, there is no reason to do so in these days of always-connected computers.

Automatic Windows Updates ensure that you get timely updates. Many vulnerabilities are used by unscrupulous folks even if the vulnerability is not announced when a patch (update) is released.

Personal Choices are Important

There are a multitude of choices that you make (or can make) that will affect how secure your computer is.

You should be concerned about your privacy as well as the safety of your children while on-line.

You will find Bruce Schneier's discussion about Safe Personal Computing informative.

Updated: October 31, 2019