http://voices.washingtonpost.

com/securityfix/Microsoft_Security_Intelligence_Report_v7_K
ey_Finings_FI!"#.pf
Top 10 Windows Vulnerabilities-
http://www.altiusit.com/files/blog/Top10WindowsVulnerabilities.htm
By understanding Windows based vulnerabilities, organizations can stay a step ahead and ensure information
availability, integrity, and confidentiality. Listed below are the Top 10 Windows ulnerabilities!
1. Web Servers " misconfigurations, product bugs, default installations, and third"party products such as
php can introduce vulnerabilities.
2. Microsoft SQL Server " vulnerabilities allow remote attac#ers to obtain sensitive information, alter
database content, and compromise $%L servers and server hosts.
3. Passwords " user accounts may have wea#, none&istent, or unprotected passwords. The operating
system or third"party applications may create accounts with wea# or none&istent passwords.
4. Workstations " re'uests to access resources such as files and printers without any bounds chec#ing can
lead to vulnerabilities. (verflows can be e&ploited by an unauthenticated remote attac#er e&ecuting
code on the vulnerable device.
5. Remote Access " users can un#nowingly open their systems to hac#ers when they allow remote access
to their systems.
6. Browsers ) accessing cloud computing services puts an organization at ris# when users have
unpatched browsers. Browser features such as *ctive + and *ctive $cripting can bypass security
controls.
7. File Sharing " peer to peer vulnerabilities include technical vulnerabilities, social media, and altering or
mas'uerading content.
8. Email ) by opening a message a recipient can activate security threats such as viruses, spyware,
Tro,an horse programs, and worms.
9. !nstant Messaging " vulnerabilities typically arise from outdated *ctive+ controls in -$. -essenger,
/ahoo0 oice 1hat, buffer overflows, and others.
10."SB #evices " plug and play devices can create ris#s when they are automatically recognized and
immediately accessible by Windows operating systems.
fle:///C:/Documents%20and%20Settings/!ne"/#$
%20Documents/Do!nloads/0046352a895d9970ad000000.%d&
'tt%://!!!.i(cc".com/)o*em+e"2011/13.%d&
'tt%://!!!."uss'a"*e$.+c.ca/"esou"ces/!indo!ssecu"it$.'tml
Home

Self-Help Resources

Windows Security
Windows Security
Vulnerabilities in Windows
Update Windows | Windows Alternatives | ActiveX
All Windows Versions are Vulnerable
Ignore Windows security at your own peril.
Beware of the Human Factor
People are too trusting of any warning that appears on their computer, particularly
when visiting websites with their browser.
James Gleick illustrated this human factor in an article discussing some of the
Windows vulnerabilities exploited by the I Love You virus. We are more likely to open
an email (or click on a advertising link) that appeals to our need for approval or
caters to our fears.
Virtually all scanners that suddenly appear on your screen warning about dozens or
hundreds of vulnerabilities on your computer are scams.
The exception would be when you visit legitimate sites and run their software (after
asking you frst). Of course, it is difcult for many to determine what a legitimate site
looks like.
No, It's Not Microsoft Phoning You
If you receive a phone call telling you that your computer is at risk, hang up.
They are NOT Microsoft (or anyone legitimate) NOR are they trying to help you. Their
goal? To get you to:
divulge information about your computer;
open an exploitive website using your browser; or
provide your credit card information for the "help" you're given.
Your best solution is to simply hang up.
Educate Yourself About the Riss
My Recommended Windows Software lists software I recommend for my clients.
Peruse the Computer & Internet Security pages to learn how to protect yourself and
your family while online.
!uard Physical Access to Your "o#$uter
Anyone with physical access to your computer can make changes to Windows or
visit areas on the Web that pose a risk to your computer. That physical access can
be through malicious software on a removable storage device.
Computer systems have been exploited by mailing CDs or leaving USB thumb drives
in a company parking lot. Someone is going to plug them into their computer and
release whatever troublesome gremlins are installed!
Windows %Ease&of&'se% is a (rade&o)
Windows was built to be easy to use, with security apparently a casual afterthought
at least in versions earlier than Vista. The trade-of is between security and ease
of use.
(wo Analogies* A$art#ents and +ehicles
Consider the following analogies when deciding that "easier is better" in your
computing experience:
Using Internet Explorer in Windows is like leaving your car parked
downtown overnight with the doors unlocked, the windows rolled down
and the keys in the ignition, then wondering why your car is gone in the
morning.
Installing updates and alternatives to programs built into Windows is inconvenient,
but consider why your car has those inconvenient locks and seat belts. Cars once
had neither, yet they are now installed for a very good reason.
The front door key to an apartment building is the same for everyone.
What if the building supervisor provided the same key for
everyapartment and allowed you to think that your apartment key was
unique? Access for maintenance would be easier, but your unit's
physical security would be severely compromised.
Microsoft Intero$erability
Similarly, various Windows components and Microsoft Ofce products are highly
integrated, making everything function smoothly. Because of that interoperability,
weaknesses in one program (or component) can quickly spread to others.
For example, vulnerabilities in Internet Explorer spread to Outlook because
components of IE were used to display the HTML (or enhanced) email content.
Microsoft fxed this by making MS Word responsible for the HTML content.
I've recommended email programs and web browsers that don't integrate with
Windows to prevent that sort of weakness.
(he ,angers of Ad#inistrator Pri-ileges
Most Windows computers only have one account that runs with full administrator
privileges.
However, most Linux users are much more aware of these dangers and tend to
create a separate user account from the administrator account. Changes to the
system require the administrator's password, even in the basic Linux install.
+ista's 'ser Account "ontrol
Windows Vista users are very familiar with the User Account Control (UAC) which
became known for its intrusive nature. Windows 7 is somewhat less intrusive and
allowed the user to choose a lesser level of security, leaving you more vulnerable.
Degrading the security level is riskier, like deciding to buckle up your seat
belt afteryou are in a serious car collision.
While Windows is less secure than Linux this allows for easier installs, upgrades and
exchange of information although recent versions of Linux provide a much easier
interface even for beginners.
+ulnerabilities Are Relati-e
In addition to Windows, Linux and Mac also have vulnerabilities, as
do browsers,email and other programs.
Beware of comparisons of how many vulnerabilities rather than the severity of the
security breach. One serious system-wide vulnerability can be much more
dangerous than dozens of small potential weaknesses.
Always Install Windows "ritical '$dates
This section discusses some of the areas that you can address to improve the
security of your Windows system.
To protect yourself from many of these vulnerabilities make sure you have the latest
security patches for Windows and Ofce products you have installed:
Windows 7 and Vista users will fnd Windows Update in the Control Panel (open the
Control Panel then select Windows Update).
* Internet Explore is required for Windows Update. Windows 7 users will see a note about using the built-in support for
Windows Update if they visit Microsoft's update sites.
Is Your Syste# Mission "ritical.
Microsoft tends to run all their updates once a month on patch Tuesday. The
downside to this is that some updates in large batches can create problems
(thankfully, relatively rare).
For this reason, some administrators of mission critical systems wait to fnd out if
there are problems with patches before updating. This is not recommended for home
users because downtime due to such problems are an inconvenience, not something
that will put lives or critical systems in jeopardy.
Weely Maintenance Routine
Updates should be part of your weekly maintenance routine. You should maintain the
updates to Internet Explorer (IE) even if you use another browser since IE is so
tightly integrated into the Windows operating system.
As well as updates to Windows, you should be checking your other security software
(frewalls, antivirus and anti-spyware software) as well as updates for all the
programs on your computer.
,aily Security '$dates a /are Mini#u#
You should be updating your security software at least daily I recommend that
you update several times a day. In the case of a serious attack, hourly updates may
save your programs and data from ruin.
A 2004 study conducted by Symantec, best know for Norton Antivirus, determined
that the time from release of a patch and the release of malicious code to exploit it is
was only 5.8 days. At that time, weekly updates were a bare minimum. I assure you
that the Internet has only become less friendly since then.
Windows "ritical '$dates
Windows has a Windows Critical Updates notifcation/installation utility. Most users
should use Automatic Windows Updates.
I'd suggest at least being notifed if you are on a low-speed connection of any type
and install them as soon as you are able. Delays can be costly.
Windows '$dates 0$tions
Windows Updates are classifed as Important updates and Recommended updates.
Always install the Critical Updates and Service Packs when available. These are
considered vital to the safety of your Windows system.
Recommended Windows Updates may deal with specifc issues some users are
having. If you have no need for the particular updates, don't install them.
Windows Update can also check for updates to Microsoft Ofce (more current
versions only). Windows 7 and later automatically downloads updates and doesn't
use Internet Explorer directly to provide these.
,ri-er '$dates Alternati-es
Driver Updates may fx a problem with hardware, but I have experienced some
Microsoft driver updates corrupting my Windows installations. You might wish to go
to the component manufacturer's site to check for an update, particularly for video
driver updates. System Restore provides a recovery solution if such a problem
arises.
Return to top
There are Windows Alternatives
Other operating systems such as Linux and Apple's Macintosh ofer fewer problems
when it comes to virus propagation and other security issues.
This is partly due to their relative smaller footprint in the computer world and partly
due to better design. There has been more vulnerabilities in Apple computers since
they've gained in popularity, so you should check for security solutions specifc to
your operating system to be safe.
There are also lesser-known operating systems that may prove suitable to your
needs.
+ulnerabilities Still E1ist
All software (including operating systems) have vulnerabilities. Even if you move to
an alternate to Windows you'll have to update and monitor vulnerabilities.
Moving from Windows also means you'll experience a learning curve, but perhaps
that is an acceptable cost.
Return to top
ActiveX: A Potential Security is!
There's nothing wrong with ActiveX as long as you trust completely the
guy who wrote it, says research scientist Gary McGraw of Reliable
Software Technologies.
But it's like leaving your ofce to go to lunch and running into some guy
who says he'd really like to use your computer for the next hour, and
letting him sit and do whatever he likes while you're away. But as far as
running trusted code, it's a very powerful and useful technology.
quoted on CNET News
Should I Install Acti-e2 "ontrols.
Maybe. You should be cautious about installing ActiveX controls,
sometimes called addons, on your computer, even if they have a valid
digital signature. While ActiveX controls can enhance web browsing,
they might also pose a security risk, and it's best to avoid using them if
the webpage will work without them. However, some websites or tasks
might require them, and if the content or task is important to you, you
will have to decide whether to install the ActiveX control.
Microsoft
Microsoft suggests that before installing an ActiveX control, you should consider the
following:
Were you expecting to receive this control?
Do you trust the website providing the control?
Do you know what the control is for and what it will do to your computer?
See the following Microsoft resources for more about ActiveX:
Should I install ActiveX controls?
What is an ActiveX control?.
Protect yourself when you use ActiveX controls.
3a-a is Safer
Underlying the Java SE Platform is a dynamic, extensible security
architecture, standards-based and interoperable. Security features
cryptography, authentication and authorization, public key
infrastructure, and more are built in. The Java security model is
based on a customizable 'sandbox' in which Java software programs
can run safely, without potential risk to systems or users.
Java SE Security
That is not to say that Java has no vulnerabilities. Java is one of the three most
common vulnerabilities (the other two being Adobe Flash and Adobe Reader) which
is why Firefox disables Java by default (recommended).
Always remove older versions of Java so that you're not exposing your computer to
vulnerabilities that have been patched with more recent updates.
Restrict the 'se of Internet E1$lorer
I strongly recommend that you DON'T use Internet Explorer to surf the Web. It is
rarely required elsewhere (a couple of exceptions are Microsoft FixIt solutions and
some Symantec utilities).
4irefo1 Reco##ended
Instead, I recommend Firefox as your primary browser.
The Firefox add-on IE View allows you to launch the current Firefox page in Internet
Explorer (Windows only), allowing you to use Firefox without worrying that you'll
come onto a page that requires Internet Explorer.
http://www.sciencedaily.com/releases/2007/11/071112091850.htm l
http://www.cs.kau.se/~stefan/publications/Lic00/full_text.pdf
http://www.ptsecurity.com/download/Vulnerability-Statistics-for-2011.pdf
http://www.darkreading.com/vulnerabilities---threats/microsoft-software-overall-operating-system-vulnerability-
disclosures-rise/d/d-id/1140771?
'tt%://!!!.com%ute"!o"ld.com/a"ticle/2563639/mo+ile,!i"eless/!i"eless,
'ac-ing,tec'ni.ues.'tml
'tt%s://cont"olcase.com/managed/com%liance/f"e!all/"e*ie!s.'tml
'tt%://!!!.gf.com/+log/"e%o"t,most,*ulne"a+le,o%e"ating,s$stems,and,
a%%lications,in,2013/
'tt%://!!!.s%amla!s.com/!indo!s7,*ulne"a+ilities.'tml
'tt%://!!!.%c!o"ld.com/a"ticle/2102680/!indo!s,7,0%,*ulne"a+ilites,"ose,in,
2013,secu"it$,f"m,fnds.'tml