[an error occurred while processing this directive]

Internet Security Vulnerabilities

Windows Weaknesses - Web Browsers Weaknesses
E-mail Weaknesses - More About Security Issues

Web Security Affects You

Web security is not a new issue, but increasing e-commerce and the fact that more folks are using broadband (always-connected) Internet services are creating the necessity of improving security. There are serious flaws in some browsers, which is further aggravated by security holes in the Windows operating system itself.

While the information on this page may not be light reading I recommend that you peruse it. To ignore it is to do so at your own peril.

Windows Security Weaknesses

While this page discusses issues with Windows 95, 98/SE and ME operating systems, all fall short of what is desirable.

Upgrade to Windows XP SP2 Immediately

I recommended that you move immediately to Windows XP with Service Pack 2 or to an alternative operating system. While Windows XP is far from perfect, it offers greater protection than older versions of Windows afford.

Microsoft doesn't offer updates to XP systems not running Service Pack 2 or later (Service Pack 3 is now available).

Support Discontinued for Older Windows

Microsoft discontinued support for Windows 98/98SE/Me on July 11, 2006 and Windows XP with SP1 or earlier on October 10, 2006.

Personal Choices are Important

There are a multitude of choices that you make (or can make) that will affect how secure your computer is. These can affect your privacy and the safety of your children while on-line.

You will find Bruce Schneier's discussion about Safe Personal Computing informative.

There are Windows Alternatives

Other operating systems such as Linux and Apple Macintosh offer fewer problems when it comes to virus propagation and other security issues. This is partly due to their relative smaller footprint in the computer world and partly due to better design.

For instance, Linux offers a breakdown of what is permitted when the system is being run under the root (administrator) password and what is permitted for other users. Having to login as root (or superuser) to do installs and settings changes is one reason why Linux is perceived to be "harder to use" than Windows.

Be Aware of the Trade-offs

The trade-off is between security and ease of use. While some of this control of functionality is included in Windows XP (and Windows 2000) there are some decisions that have been made that increase overall risk. Also, many standard XP home computers have only one account, which includes all the administrator privileges. Typically Linux users are much more aware of these dangers and tend to create a separate user account from the administrator account.

While Windows is less secure than Linux this allows for easier installs, upgrades and exchange of information. Linux also has it's vulnerabilities, but these are fewer in number.

An Analogy

Windows was built to be easy to use, with security apparently a casual afterthought. Consider the following analogy when deciding that "easier is better" in your computing experience:

Using Internet Explorer in Windows is like leaving your car parked downtown overnight with the doors unlocked, the windows rolled down and the keys in the ignition, then wondering why your car is gone in the morning.

While it may be inconvenient to install updates and use alternatives to the tightly intertwined (and therefore mutually vulnerable) Microsoft programs, you might consider why your car has those inconvenient locks and seatbelts. Cars once had neither, yet they were installed for a very good reason.

Always Install Windows Critical Updates

This section discusses some of the areas that you can address to improve the security of your Windows system.

To protect yourself from many of these vulnerabilities make sure you have the latest security patches for Windows and Office products you have installed:

Weekly Maintenance Routine

This should be part of your weekly maintenance routine. You should maintain the updates to Internet Explorer even if you use another browser since IE is so tightly integrated into the Windows operating system.

Weekly a Bare Minimum

A study conducted by Symantec, best know for Norton Antivirus, determined that the time from release of a patch and the release of malicious code to exploit it is was only 5.8 days in the first half of 2004. This makes a weekly update a bare minimum.

Windows Critical Updates

Windows XP with Service Pack 2 has a Windows Critical Updates notification/installation utility. I'd suggest at least being notified (the downloads can consume a great deal of your bandwidth if you are on dialup or on a low-speed connection of any type) and install them as soon as you are able. Delays can be costly.

Windows Updates Options

There are three sections that show up in Windows Update:

Always install the Critical Updates and Service Packs when available. These are considered vital to the safety of your Windows system.

The Windows Updates can be chosen to deal with particular issues you may be having. If you have no need for the particular updates, don't install them.

Driver Updates may fix a problem with hardware, but I have had some Microsoft driver updates corrupt Windows installations so you might wish to go to the component manufacturer's site for an update. This has been particularly true for some video driver updates but can be fixed in Windows XP (and ME) with the System Restore feature.

Disable ActiveX

ActiveX is a proprietary alternative to Java designed to enhance the performance of programs and to allow for easier upgrades to the Windows operating system. However, the lack of security allows destructive programs to use this feature to access areas of your computer that they wouldn't otherwise be able to attack.

The main difference between ActiveX and Java are the permissions available to the script. ActiveX can essentially access any area of your computer. Java is more restricted in its ability to access critical areas of your system so a rogue Java script can do less potential damage than a rogue ActiveX control.

A June 28, 2000 CNET News article recommended that people disable active scripting or ActiveX functionality. All versions of Internet Explorer and Outlook Express are vulnerable.

Read more about ActiveX and the dangers it can present:

To disable ActiveX follow this procedure:

Windows 95 users

Windows 98/Me/2000/XP users

Note: If you completely disable ActiveX you will need to re-enable ActiveX if you want to obtain technical support or upgrades and fixes on Microsoft's site (including Windows Update).

The Prompt option will give you the option to run or not run the controls for any Web site you enter. This will be less of a bother if you are using another browser (recommended) as your primary Web surfing tool than if Internet Explorer is your primary browser.

Just remember that ActiveX should only be trusted to the extent that you would trust the owner of the site you are visiting. I'd suggest disabling unsigned ActiveX controls and those not marked as safe and be prompted for the rest.

Don't Use NetBUI

NetBUI is a significant weakness in Windows which was removed in Windows Me. If you are using networking only for a dial-up connection, close some security holes:

Windows 95/98 users

Windows Me users

Easier is Not Necessarily Better

Microsoft Office applications (including Outlook Express) use a programming language that allows for tight integration of the Office components and easier data linking than OLE provides. However this code provides a weakness that the Melissa class of viruses and many worm viruses have employed to spread their destruction.

Windows is so "dumbed down" in order not to upset the entry-level user that Microsoft has no right to then expect the level of competence to be higher when a user needs to make a choice of whether to click on an e-mail or not. James Gleick illustrates the power of scripts in an article discussing some of the Windows vulnerabilities exploited by the I Love You virus. Social engineering is such that we are more likely to open an e-mail (or click on a advertising link) that either appeals to our need for approval or to our fears.

One of the methods used by Windows operating systems to achieve this communication between programs is Visual Basic Script (VBS). Not everyone needs to have VBS enabled. You can disable it following the procedures offered on the F-Secure site. There are instructions for removing Windows Scripting Host on Windows 95, 98, 2000 and NT systems.

Return to top

Security Weaknesses in Web Browsers

Web browsers have their own shortcomings. Each browser has different challenges which are often addressed as new versions are released.

Use the Most Recent Browser

Get Firefox 3 - The best yet

Whether you use Internet Explorer or Mozilla/Netscape or another browser, you should always upgrade to the most recent version and install any patches that are available. Newer versions of the same browser offer several advantages:

Use Browsers with Better Encryption

If you can meet the license requirements for the 128-bit RSA encryption for Mozilla or Internet Explorer Web browsers, this will provide better security than the 56-bit international versions. Most financial institutions will insist on this level of encryption before you can use their on-line services.

Browser-Security Risks

Browser Security Updates

Information is provided on known weaknesses of various Web browsers in use. Sometimes you need to dig to find this information, but the competition may point out the flaws for you.

Other Security Information

You may also wish to correct known potential security risks associated with various browsers found by other parties.

Older Browser Issues

While many of the issues with older browsers are intricate enough to only interest Website designers and browser technicians, older browsers will often incorrectly display newer Websites, if they can display them at all.

Even if you are willing to put up with increasing difficulties with display issues, you cannot walk away from the security dangers of using older, unpatched browsers.

Assessing Your Risk

The following sites can help you to assess the security risks posed by your current browser, and suggest fixes that are necessary. Be sure to follow the instructions closely, which includes not opening files if prompted to do so.

Return to top

Security Weaknesses in E-mail Programs

There are security issues with all e-mail programs but this is most pronounced in Outlook and Outlook Express. Because they are pre-installed in Windows most users continue to use them without checking for any other options.

Purchase PocoMail!

Outlook and Outlook Express suffer from the same weaknesses as the Internet Explorer family. I'd recommend not using these products but to download and use one of the alternative e-mail programs that meet your needs. I strongly recommend PocoMail/Barca for the ease of use, especially considering that it was built from the ground up with security in mind.

If you continue to use Outlook (especially for the PIM features) or Outlook Express you should reduce your risk with the following changes to settings.

Windows Scripting Host enables Outlook Express to open attachments and run programs without asking first. Since most users don't use Basic scripting this should not compromise functionality for the majority. You can disable Windows Scripting Host by following the procedures offered on the F-Secure site. There are instructions for removing Windows Scripting Host on Windows 95, 98, 2000 and NT systems.

To turn off ActiveX in Outlook Express:

To turn off ActiveX in Outlook:

Return to top

More About Security Issues

The following related pages offer more information about security:

Return to top

www.RussHarvey.bc.ca/resources/websecurity.html
Updated: October 2, 2009