Underrated computing threats you need to know about
Your PC may be protected from all the well-known dangers, but there are some you may not have thought of.
Computerworld - There's the danger you know, and then there's the danger you don't know.
Most of us are rightfully wary of downloading and running programs that have no pedigree, or of performing day-to-day operations as an administrative user. But with each passing year, new security threats march in to eclipse the old — many of them not getting their share of attention until it's too late.
Threats go unappreciated for various reasons. Some seem too obscure or unlikely to be valid until they actually materialize in the wild (such as the .PDF exploits I document later on). Others are overshadowed by more widely publicized problems (e.g., the way Firefox's issues take a backseat to Internet Explorer's).
Here I'll be giving a tour of a number of lesser-advertised security issues that can bite you when you least expect it, and offering some advice on how to defend yourself.
Adobe's vulnerabilities
The threat
Apart from Microsoft, Adobe may well be the one software maker whose programs run on every Windows-based PC out there. Nearly everyone has Flash, Acrobat Reader and/or Shockwave — and they are used by malware as delivery mechanisms. (Of course, Adobe's applications run on other operating systems as well, but it's the Windows PCs that are being targeted.) The danger comes when you use outdated versions of those programs, or current versions with unpatched bugs that are exploited as security holes.
The mechanism
One common manifestation — one I've been hit with personally a few times now — comes when the user visits a Web site with a Flash-powered banner ad. No clicking required: as soon as the ad comes up, it delivers its payload. Sometimes it also comes in the form of one of Adobe's other products — for example, an infected .PDF document, which opens spontaneously upon visiting an ad. (I've been hit with this one many times, too.)
The prevention
Keep Adobe products updated and don't run your system as Administrator or root if you can possibly help it — that gives malware possible access to your system settings. (Not running as an admin for day-to-day work in Windows is good advice anyway, and could easily be appended to any of the other threats listed in this article.)
Adobe does have an auto-updater for its products, but its behavior is weirdly spotty; it tends to report updates only for whatever product is currently active. If you run the updater within Acrobat, for instance, you aren't informed about updates to other Adobe products, so a certain amount of manual research is needed to make sure that Flash, say, is current.
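One way to do that manual research on Windows, as an added example that is not part of the original article or any Adobe tool: the PowerShell below reads the standard Uninstall registry keys to list every installed Adobe product with its version, and reports whether the current session holds administrator rights. The name-matching patterns are assumptions chosen for illustration.

```powershell
# Added example: inventory installed Adobe software and check for elevation.
# Reads only the standard Windows "Uninstall" registry locations.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',              # native view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
)

$adobe = foreach ($key in $uninstallKeys) {
    # Keys that do not exist (e.g. WOW6432Node on 32-bit Windows) are skipped.
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object {
            # Assumed patterns: match on publisher first, then on product name.
            $_.DisplayName -and
            ($_.Publisher -match 'Adobe' -or $_.DisplayName -match 'Adobe|Shockwave')
        } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

# The same product can appear in more than one hive; collapse duplicates.
$adobe = @($adobe | Sort-Object DisplayName, DisplayVersion -Unique)

if ($adobe.Count -eq 0) {
    Write-Output 'No Adobe products found in the Uninstall registry keys.'
} else {
    # Compare each DisplayVersion by hand against the vendor's current release.
    $adobe | Format-Table -AutoSize
}

# True only when this process holds an elevated administrator token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isAdmin) {
    Write-Warning 'This session is running with administrator rights.'
} else {
    Write-Output 'This session is running as a standard user.'
}
```

The script lists every Adobe product in one pass, regardless of which one is currently active, so nothing depends on the per-product updater.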
Another possible safety measure: Disable thumbnail previews for Acrobat documents. The thumbnail previews in Explorer generated by Acrobat were part of how one proof-of-concept exploit worked, so turning off that functionality or upgrading to a version known to be safe removes another potential source of attacks.
I would like to say that moderating one's browsing habits or visiting only "known good" sites (via mechanisms like Web of Trust) is a good idea, but I'm not sure anymore. The syndication systems that serve up these types of infected ads now run on all sorts of sites. I've been hit with drive-by malware from sites that I visit regularly and which have good ratings from site-review services, so it's no longer a question of simply keeping away from the Web's poorly-lit side streets.
Some people take additional steps, such as blocking ads entirely by running a plugin like Adblock Plus, or selectively disabling scripting for sites they're dubious about by using the NoScript plugin.