Jump to content.

IFX Group


Security and Virus Infections

Are virus infections related to virus scanning?

It is very interesting that some of the virus scanning options for Microsoft Windows™ use Internet Explorer and a web page that remotely scans (reads all of the files on) your computer including the Windows registry and can even clean (erase or change) the infected files it finds all without installing software. Think about it. Does this bother you at all?

Consider what is involved in making a web script (ActiveX, Javascript, Flash, Java, etc.) able to locate, read and erase infected files on your computer. This involves a lot of access and all you needed to do was visit a web page and maybe click a button. What stops a virus from getting the same access to your computer just because you clicked something on a web page? How does your computer tell the difference between a virus scan and a virus infection? And while you are thinking about this, how do you think all those virus infections get into your computer in the first place?

The ActiveX scripting language was designed to give a web page full control over your computer. This allows some very neat things like the Microsoft Windows Update site that looks at your computer, takes an inventory of your program files then downloads and installs only the updates you need. There was absolutely no concept of limited permission in this design which is why ActiveX became such a popular method for infecting a Windows computer just by visiting a web page.

Fortunately only older versions of Microsoft Internet Explorer support ActiveX scripting. So is avoiding Internet Explorer the solution to this infection problem? Millions of web users have moved to alternative web browsers, like Firefox and Chrome, to avoid well known security issues like ActiveX but this does not address the real problem. The scripting problem is much more pervasive reaching into things like Microsoft® Office documents which really have no need to have dangerous scripting enabled by default. This is just another example of the same core problem.

Don't think that just because you are no longer using Internet Explorer that you are totally immune to scripting attacks on your Windows computer. All web browsers have things like Javascript and sometimes even Java and Flash enabled in the default install. This means anyone that wants to use these scripting languages to attack your computer gets a chance to find a security hole just by your visiting a web page. Keep in mind that according to Google a sizable percentage of public web sites are infected with malicious scripts of some kind, even popular web sites you may trust.

Any web site that allows user generated content, like a blog or user comments on a social or news site can potentially get infected. If that web site also allows active (Javascript, Flash, Java, etc.) advertising, that can be used to infect your computer too. Going one step more, any web site running on a vulnerable server or one that has not installed all of the latest security patches is at risk for infection. These web sites look fine on the screen because the infection only adds scripting to attack your web browser while you are reading the text, looking at the pictures or playing the games. If your web browser runs those scripts, you already gave permission for the attack.

The High Cost of Protection

Two changes are needed to solve this problem in a meaningful way.

  1. Prevent all active content like scripts from running by default.
  2. Limit access locally to prevent infection if an attack succeeds.

The good news is that Firefox users have access to the very advanced NoScript add-on which gives you full whitelist + blacklist control over every web script source you encounter. With this add-on you choose exactly which web site you trust to run scripts or any active content on your computer. Everyone else is blocked by default. In practice, this makes Firefox virtually immune to all known forms of web attacks including a large number of those directed specifically against Firefox.

But what happens if you unknowingly permit scripting on an infected web site you frequent and it gets through to your computer? This is a place where the security model in your core operating system is required to protect you. Microsoft has made some very big strides since the early Windows 95/98 days attempting to tighten up the core security and prevent global access to the computer from a user perspective. Unfortunately most long time Windows users feel this protection is taking away their ability to use their own computer and they end up effectively disabling some or all of these security features. Understandably this is partly due to the excessively annoying method some versions of Microsoft Windows employ to notify the user about the protection coupled with the lack of useful information about the notification.

One possible solution to the core security problem touches on a topic that tends to be quite personal for some people. Hear me out before you pass judgement.

First a little bit of history.

The UNIX™ operating system was introduced in the early 1970s with a totally open, trusting and accessible design where simple security like a password on the user account was not even considered. As more computers were installed around the country and more people began using those computers, it became apparent that segmenting and controlling access was needed.

When the first password login prompt was introduced the computing world changed forever. Since those early days UNIX made significant advancements in segmenting access inside the core operating system itself such that a security breach in any user-level program is nicely contained in a small well defined box where important operating system stuff is comfortably out of reach. This is why user-level infections on UNIX operating systems are so rare and often less effective than similar infections on Windows.

Microsoft made their first public attempt at core operating system security almost 30 years after UNIX started refining their security model. The very sad part for Microsoft customers is that hard earned UNIX wisdom was almost entirely ignored.

On the other hand, Linux™, created in the early 1990's by Linus Torvalds combined with GNU as an alternative to UNIX, learned from the mistakes UNIX made over the years and this gave the Linux operating system a big head start in the protection game. The UNIX security model was well proven, refined, well established and only needed to be implemented. This means the Linux you see today has a security legacy going back decades more than the Microsoft security model which is still fighting the user it is supposed to protect. Maybe this partly explains why even long time Microsoft enthusiasts are actively turning away from the newest Microsoft Windows operating system versions.

So is Linux the answer to all your desktop security problems?

To understand the answer to this question requires a fundamental shift in thinking. This is easier if you have something big, like changing your whole operating system, to get you to notice some of the more important things about how you use your computer.

For typical Windows users, installing Linux is like stepping into a foreign culture. It's pretty, but everything feels slightly different - and not just the placement of menus and icons on the screen. The security part of this picture starts by requiring a password any time you want to install globally accessible software or do anything with privilege enough to affect other users and the core operating system.

Why do you need to type your password every time? Your explicit permission (through the password) is used every time something needs access beyond your normal account permissions. This permission is designed to be temporary, so you can be sure nothing happens without your knowledge. As a side note, the built in Linux software update program works to keep nearly all software installed on your computer current and bug-free, not just the core operating system.

On the other side of this shift is a near total lack of balloon pop-up notifications constantly asking if something is allowed. By default you do not need permission to install software that only you have access to use. You do not need permission to do just about anything you want to do in a typical computing environment like email, web browsing, word processing and other personal tasks. All this permission is given to your account when it is created and can be fine tuned as needed.

This kind of thinking gives you a personal space inside your computer where you have complete control to do what you want when you want without risk to the rest of the system. A direct result of this is that precious feeling of freedom (lack of restriction) that users seek when they bypass or disable the security features in Windows, while at the same time fully protecting other users and even the core operating system from infection. This is freedom and security that work well together. This is the result of many years of real world refinement and it shows.

While some parts of this security design can be implemented on a Microsoft Windows platform, it is not trivial and definitely not the default. This security model can only be approximated on Windows through the use of complicated and often expensive third party software.

The real solution.

So to answer the question about security, the real solution starts in your own chair. It starts by your choice to avoid software with well known security problems including everything with scripting ability - even if it is not directly connected to the Internet. It continues with turning off scripting by default in all of the software you use and only enabling scripting when you know and trust the source. And it culminates in your choice to correctly use an operating system platform with strong segmentation between itself and users without that segmentation becoming annoying or getting in your way.

For me this means using Firefox with the NoScript add-on and LibreOffice running on top of the Linux Mint operating system. Fortunately for my budget, all of this software is available for free (no cost) download or on CD through the mail for a minimal fee. I figure I have personally saved many thousands of dollars just in Microsoft Windows and Microsoft Office licensing and untold hours of improved productivity because I'm now able to focus on my tasks instead of the operating system. This is time and money I consider to be very well invested in my own groceries.

First published 2007-10-24. The last major review or update of this information was on 2014-03-28. Your feedback using the form below helps us correct errors and omissions on this page.