security - Is the guideline: don't open email attachments or execute downloads or run plug-ins (Flash, Java) from untrusted sites enough to avert infection?

2014-07
  • therobyouknow

    I'd like to know if the following is enough to avert malware as I feel that the press and other advisory resources aren't always precisely clear on all the methods as to how PCs get infected.

    To my mind, the key step to getting infected is a conscious choice by the user to run an executable attachment from an email or download, but also viewing content that requires a plug-in (Flash, Java or something else). This conscious step breaks down into the following possibilities:

    • don't open email attachments: certainly agree with this. But let's try to be clear: email comes in 2 parts - the text and the attachment. Just reading the email should not be risky, right? But opening (i.e. running) email attachments IS risky (malware can be present in the attachment).

    • don't execute downloads (e.g. from sites linked from in suspect emails or otherwise): again certainly agree with this (malware can be present in the executable). Usually the user has to voluntarily click to download, or at least click to run the executable. Question: has there ever been a case where a user has visited a site and a download has completed on its own and run on its own?

    • don't run content requiring plug-ins: certainly agree: malware can be present in the executable. I vaguely recall cases with Flash but know of the Java-based vulnerabilities much better.

    Now, is the above enough? Note that I'm much more cautious than this. What I'm concerned about is that the media is not always very clear about how the malware infection occurs. They talk of "booby-trapped sites", "browser attacks" - HOW exactly?

    I'd presume the other threat would be malevolent use of JavaScript to make an executable run on the user's machine. Would I be right, and are there details I can read up on about this? Generally I like JavaScript as a developer, please note.

    An accepted answer would fill in any holes I've missed here so we have a complete general view of what the threats are (even though the actual specific details of new threats vary, but the general vectors are known).

  • Answers
  • Dave Rook

    Yes, Flash and Java (via the browser) have been and continue to be exploited for malicious scripts. However, this can happen without the user's consent. See drive-by (download/cache) (although I think download cache is what you're going to be more interested in).

    I guess someone can manually install the program, but don't forget other things such as plugging in USB sticks/CDs etc. (some OSes don't allow autorun, some do).

    In regards to emails, clients have different levels of security... you can run JavaScript in some email clients but not in the latest 2 or 3 releases of MS Office, for example... So, it may not just be the attachment you need to worry about (however, I'm not saying this will execute a virus, just that it may run a malicious script. Maybe it reports back information that makes your PC identifiable, and as you visit a certain site the information can be used).

    You also need to be cautious of attacks over a network. Even if you are very cautious, someone else on the network may not be, and may execute a virus on their machine which spreads over the LAN. Your 3 points will not save you in this case.

    Since you mention JavaScript as a single language, I'll point out that attacks can often occur with multiple technologies. Again, using the drive-by cache example, the malicious attack could be a combination of JavaScript and SWF to execute some VB: the JavaScript to reference an evil place or thing, the SWF file to execute the evil!

    In regards to the advice by the media, typically, I ignore it. If you need to know, ask questions on sites like SU, or http://security.stackexchange.com/ . The problem is, media scares people etc. because IMO they often (not always) are just reporting on something they're told... And the detail requires it to be general. How can they give advice on this... Think about it, there used to be just viruses... Then trojans... Then worms. Now malware. Now scareware. Now ransomware. Now more 'ware.
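The question draws the line between reading an email and running its attachment, and the answer above adds that an HTML body can itself carry script. This added example (written for this page, not code from either poster) shows how a defender can triage a raw message along exactly those lines: it separates body parts from attachments, flags script in the HTML body, and flags attachments whose extension or leading bytes mark them as executable. The extension and magic-byte lists are short, assumed illustrations, not an exhaustive reference, and the sample message is constructed inline.

```python
import email
import os
import re
from email import policy
from email.message import EmailMessage

# Assumed, illustrative short lists; a real triage tool would use a fuller set.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".ps1", ".swf"}
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP/JAR archive",
         b"FWS": "Flash (SWF)", b"CWS": "Flash (SWF)"}

def triage_email(raw: bytes) -> dict:
    """Split a raw RFC 822 message into body vs. attachments and report risk signals."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"active_html": False, "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        filename = part.get_filename()
        if filename is None:
            # Body part. Plain text is just read; HTML is flagged only if it carries
            # script, which some mail clients will run when the message is viewed.
            if ctype == "text/html" and re.search(rb"<script\b|javascript:", payload, re.I):
                findings["active_html"] = True
            continue
        ext = os.path.splitext(filename.lower())[1]  # "invoice.pdf.exe" -> ".exe"
        kind = next((k for m, k in MAGIC.items() if payload.startswith(m)), None)
        findings["attachments"].append({
            "name": filename, "declared_type": ctype,
            "risky_extension": ext in RISKY_EXT, "content_kind": kind,
            # Name says document, bytes say executable: the classic disguise.
            "type_mismatch": kind == "PE executable" and ext not in {".exe", ".scr", ".dll"},
        })
    return findings

def build_sample() -> bytes:
    """Constructed sample: text body, HTML body with a script tag, a PE file named
    as a PDF, and a harmless text attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "friend@example.com", "me@example.com", "check this out"
    msg.set_content("Have a look at the attached report.")
    msg.add_alternative("<html><body><script>location='http://example.invalid'</script>hi</body></html>",
                        subtype="html")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"just notes\n", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```

Run `triage_email(build_sample())` to see the HTML body flagged and `report.pdf` reported as a PE executable under a document name while `notes.txt` passes clean.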


  • Related Question

    security - How can visiting a webpage infect your computer?
  • Questioner

    My mother's computer recently became infected with some sort of rootkit. It began when she received an email from a close friend asking her to check out some sort of webpage. I never saw it, but my mother said it was just a blog of some sort, nothing interesting.

    A few days later, my mother signed in on the PayPal homepage. PayPal gave some sort of security notice which stated that to prevent fraud, they needed some additional personal information. Among some of the more normal information (name, address, etc.), they asked for her SSN and bank PIN! She refused to submit that information and complained to PayPal that they shouldn't ask for it.

    PayPal said they would never ask for such information and that it wasn't their webpage. There was no such "security notice" when she logged in from a different computer, only from hers. It wasn't a phishing attempt or redirection of some sort; IE clearly showed an SSL connection to https://www.paypal.com/

    She remembered that strange email and asked her friend about it - the friend never sent it!

    Obviously, something on her computer was intercepting the PayPal homepage and that email was the only other strange thing to happen recently. She entrusted me to fix everything. I nuked the computer from orbit since it was the only way to be sure (i.e., reformatted her hard drive and did a clean install). That seemed to work fine.

    But that got me wondering... my mother didn't download and run anything. There were no weird ActiveX controls running (she's not computer illiterate and knows not to install them), and she only uses webmail (i.e., no Outlook vulnerability). When I think webpages, I think content presentation - JavaScript, HTML, and maybe some Flash.

    How could that possibly install and execute arbitrary software on your computer? It seems kinda weird/stupid that such vulnerabilities exist.


  • Related Answers
  • Seasoned Advice (cooking)

    If she's using an outdated version of IE (or Firefox) then there are well-known vulnerabilities in the browser itself. Yes, it's kinda weird/stupid, but writing perfect software is very very very very hard.

    There are probably unknown/undisclosed vulnerabilities in the current versions of web browsers (as well as every other piece of software).