Windows 7 and Internet Explorer 8 – Still Quite Vulnerable
Researchers (OK, ethical hackers…) in a hacking contest sponsored by a reputable security research firm yesterday broke through — in under two minutes — a fully patched Windows 7 system running the latest version of Internet Explorer 8. Later in the day, Firefox fared no better.
The article is a bit technical, but if you skip over the techno-blah-blah-blah, you’ll see that these two researchers essentially circumvented what Microsoft is touting as the two primary lines of defense in protecting Windows systems from becoming compromised. Here’s a link to the ComputerWorld article: http://bit.ly/cs8jP9
Reps from Microsoft and Firefox were in attendance at the contest, and it was arranged in advance that the exploits would not be made public; indeed, the security firm that sponsored the contest bought the exploits from the contestants and gave them to Microsoft and Firefox.
But that doesn’t help any of us at this moment, when we still have work to do on the public Internet. So, what can you do to protect yourself when the software that’s supposed to protect you doesn’t?
The short answer is: “Take your time and be careful.”
Take your time to be sure that your systems are fully patched, that you are running modern intrusion-prevention (expanded anti-virus) software with updated virus definitions, and that you don’t click immediately on any new popups, warnings, alerts etc. (often used by malware to get you to bypass your computer’s protective systems). Although the exploits these researchers used were very cutting edge, there are still a lot of older, equally dangerous exploits out there that patches and security software can defend against successfully.
Be careful about where you browse and the links on which you are tempted to click. Your best friend may have sent you an email with a spicy link you are drooling to click, but you got that email because your friend’s machine has been infected with malware which is trying to spread itself by sending emails to everyone in your friend’s address book! Click that link and you’ll infect your own machine… Be careful clicking on ads, even on reputable web sites. The ads are served up by third party servers, and malware-infested ads are all the rage right now as a favored attack vector. You would think you could trust an ad on, say, cnn.com, but you can’t always.
A terrific Firefox extension that helps with ads is Adblock Plus, which has been downloaded more than 75 million times and which has a five-star rating. You can learn more at https://addons.mozilla.org/en-US/firefox/addon/1865?src=api
Lastly, recognize that Microsoft and all the anti-virus software vendors are in a perpetual game of catch-up against the bad guys. If your job requires you to be a heavy Internet user, the chances are that your machine will at some point become compromised.
And when that does happen, we are here to help. Call us at (207) 772-5678 when you are ready.
All the best,
Mark Stone, CIO


