Microsoft: One In 14 Downloads Is Malicious
alphadogg writes "About one out of every 14 programs downloaded by Windows users turns out to be malicious, Microsoft said Tuesday. And even though Microsoft has a feature in its Internet Explorer browser designed to steer users away from unknown and potentially untrustworthy software, about 5% of users ignore the warnings and download malicious Trojan horse programs anyway. IE also warns users when they're being tricked into visiting malicious websites, another way that social-engineering hackers can infect computer users. In the past two years, IE's SmartScreen has blocked more than 1.5 billion Web and download attacks, according to Jeb Haber, program manager lead for SmartScreen."
These are the same folks that only change the oil in their cars when the warning light comes on.
On the list of malicious files, as determined by the Microsoft Corporation:
- Google Chrome
- ubuntulinux.iso
- antivirusotherthansecurityessentials.exe
- iTunes
- *ipod*.exe
- gmail.com/index.html
1. Ubuntu
2. Firefox
3. Chrome
4. OpenOffice
5. VLC
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
"What we're doing here is VERY necessary, I mean just look at these numbers we've generated to justify our existence here at Microsoft" said Jeb Haber
I didn't realize IE was downloaded so frequently.
"Our goal each year should be to increase the number of goals we set for ourselves!"
That is a surprisingly high number, even after all these years of knowing about various rootkits, viruses, and other malware that have so persistently affected Windows. 1 in 14? That's... crazy.
And what is the economic cost of having to deal with this crap? It must be well into the billions of dollars by now.
It's also consistently depressing that inertia is such that Windows seems like it will maintain its desktop dominance for the foreseeable future. There are better OSes out there. USE ONE, PEOPLE. Please!
...if they counted in windows updates.
Why does MS even have these stats?
Are you guys even trying anymore?
"About one out of every 14 programs downloaded by Windows users turns out to be malicious, "
Windows or IE?
If windows, how are they collecting these stats?
I've been saying this for years. Hell, it's in my sig.
Eventually, software would get so security conscious that it would be easier to fool the user rather than hack the software.
In Soviet Russia, Trojan exploits YOU!
And this, children, is why the iPhone is a walled garden.
We need the stats for Apple in order to make a comparison. Does anyone even know?
He who knows best knows how little he knows. - Thomas Jefferson
Windows XP.
Yours In Miami,
K. Trout
Despite Microsoft's attempts to completely nanny people, they've almost taken it too far ... which means that people start ignoring/disabling the warnings.
The other week I launched IE on a new server install ... the very first warning message is "You are about to access the internet, and people can see what you do" -- which gets a "do not show me this again" before I dismiss.
As soon as you submit into a search engine, you get told "You are about to submit something on the internet, are you sure" -- which also gets a "do not show again".
By the time I tell it I don't want it to save passwords, autocomplete forms, and that, yes, I really do want Google as my default search ... well, I've stopped listening to anything "helpful" IE is telling me.
I rank the utility of the stuff that MS has "designed" to make IE safe right up there with the error messages that amount to "something bad has happened, contact your admin" --- oooh, that's informative. And, since I'm the admin ... give me some f'ing idea as to what went wrong so I can try to fix it.
Microsoft build in really pedantic and lame safeguards, which get turned off and/or ignored for the rest of time since they don't actually do anything useful.
Lost at C:>. Found at C.
Seriously only 5% of people ignore warnings? I would have to say about 75% of people I have seen download regardless of if you say "warning this will completely reduce your computer into a pile of steaming dung" in exchange for a screensaver with kittens, and then if you cut it down from that to IE users... well then I'd put that number closer to 95% would ignore the warnings.
Your joke has a point. Any Free application that isn't digitally signed with Authenticode will get flagged by IE's "SmartScreen application reputation" filter. And as I understand it, existing Authenticode CAs sell certificates only to businesses, not to individuals.
and yes that means I use IE. But, when it consistently tells me things like Downloader_Diablo2_enUS.exe can harm my computer after downloading it from battle.net I tend to not believe in its ability to really determine if something is malicious or not. As always, proper instruction on internet safety will go farther than a security feature that any idiot can bypass.
That's why I download 13 apps, and skip the malicious 14th app....
Perhaps this would be a good enough reason for Microsoft to spend some of their considerable wealth to implement something akin to a repository for trusted software. Apple is already going in this direction with the App Store, and Linux users have been enjoying command line installs of trusted software for years. I understand that it would be a bit harder for Microsoft because they have to support all sorts of legacy BS, but even a gradual transition (like what Apple seems to be doing) would be better than nothing. I guess that installers would have to add their own repos, and that people would try to make it a vector for malware, but it should be easier to police that as opposed to trying to figure out if whatever random crap you download off the internet is legit or not. Plus, then we wouldn't need to have a dozen different update mechanisms start on every reboot. I just got Win 7 recently, and I actually kind of like it, but I really miss being able to run 'sudo apt-get upgrade' to update everything.
So does this count include windows updates?
The actual number surprises me as I would have thought that it would be higher given how many people fall for social engineering, and want free screen savers and the like.
Time to offend someone
Certainly I don't understand a high Informative mod for something that is categorically false.
It's a joke. Slashdot awards karma for "In" moderations, does nothing for Funny, and takes karma away for Overrated. If moderators fight over whether a comment is Insightful or Overrated, no damage happens to the poster's karma. But if moderators fight over Funny vs. Overrated, the poster loses some karma every time it's moderated Overrated. This has caused some moderators to try using Insightful instead of Funny.
SmartScreen doesn't throw up a warning for #2, #3, and #4 on the list because they're digitally signed by Mozilla, Google, and Oracle respectively. But a lot of free programs aren't digitally signed because their authors can't afford to incorporate to get the Authenticode certificate to sign them.
And how did they determine this? Does this mean they are monitoring all usage of Windows continually?
I read your journal article. So with your four rules in mind, how is an operating system supposed to distinguish between A. an intentionally malicious computer program and B. a safe program that happens to have been developed by an individual as opposed to a business?
their own patches and sneak-updates and call-home code they shove to their users ?
Read radical news here
The safest way to cruise the net is to get off the Windows drug. I have been preaching that to a lot of my friends and customers but they have treated me like Ron Paul at a Democrat Dinner. I personally consider MS products to be the "Great Beast" of Computers. All the eye candy they push out to customers and agreements on new computers sold seem to mesmerise these "sheeple" and they continue to spend vast amounts of money to companies to fix their computers. Moving to Linux is the best way to get away from all this virus stuff. Every customer I have moved to Linux has ceased to have any problems with malicious software attacks. Sure, Linux has its problems but for the most part any problem you might have with Linux running on your PC is minor compared to the pain of MS products. I bet most infections come in as kids ignore warnings as they are too busy trying to load a new game or video from sites like Facebook. Never mind the warning - I just want to see this video or play this game!
"IE's SmartScreen has blocked more than 1.5 billion Web and download attacks" How many of these were actually factually malicious? Perhaps that is why people are ignoring the warnings? You can block (nearly?) 100% of malware by simply being Amish
I think they also hacked the statistics system!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
Any Free [gnu.org] application that isn't digitally signed with Authenticode will get flagged by IE's "SmartScreen application reputation" filter [msdn.com].
What is your source for this claim?
I already linked my source in my grandparent post. If you want title and author before you click through: "'Stranger Danger' - Introducing SmartScreen® Application Reputation" by Ryan Colvin, posted on 13 Oct 2010 3:03 PM. From this page:
Is to block every 14th download, thus making Windows malware free!
MS is right about one thing. The levels of malicious stuff around has never been higher. Looking at the comments above, I notice lots of mocking about windows, microsoft and their users.
One of the interesting things about the internet is noting how much malware comes from windows hosts and in the internet in a general sense - how much is shipped via compromised / rooted *nix boxes.
This garbage might be aimed at the Windows platform, but it's not the only one being circumvented. And that's a harsh truth if you happen to be sat there on a Linux box thinking the sun shines out of your own ass and making the grand assumption that your platform is superior to 'them'.
About one out of every 14 programs downloaded by Windows users turns out to be malicious
Although the team admitted that this is mostly due to all non-Microsoft software as being labeled as "Malicious". (to microsoft)
Their anti-malware program flagged some cheats I downloaded as trojans (no they were not) and heck, some program I made (yes, I do not program malware). I think it simply finds some hook code for a low-level memory hook and simply mistakes it for malware.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Please, either use the word or the number. 1 in 14, or one in fourteen.
I've not encountered a single "malicious download" for more than a decade using reputable sites and common sense (and I'm using the term malicious in a very broad sense, including many things more innocuous than actual malware), if people download random files such as "song.mp3.exe" or "FileRenamer Pro DX Gold 2011" this tells more about the user base than about the actual amount of malicious content out there, it looks fishy to me that they even *have* this data in the first place, if this comes only from IE users, well IE is renowned for garnering a less security-aware userbase than other browsers (if we overlook corporate use, where people shouldn't be downloading random files anyway), many people stopped using IE specifically due to security risks such as promptless unsigned ActiveX installation being enabled by default originally, even if the browser is far more secure nowadays, I haven't yet heard of a single person that went back to IE after dumping it.
There are SOO many warnings here and there that people don't even bother to read them anymore and click yes yes. I'm part of those people that get annoyed by "security messages" that bug me all the time.
If the site is confirmed for sending viruses, then a warning should be displayed, else it should not.
At least 1 in 14 programs is from A) a file sharing site, B) a porn site, and C) an email link. I have no data, but my experience on fixing computers is that this is the bulk of the problem. The rest are adware sites.
I don't get them myself mainly because, I use Gmail (no spam), Chrome w/ ad blocking extension (no ads), Pandora (no file sharing)... ... I just have to be really careful about using quality porn sites.
I8-D
Warning: 4 out of 5 statements of "fact" from Microsoft are completely made up.
.nosig
"Reputation" is based on more factors than "digitally signed."
But for a new application or a new version of an application, the only clear way that I can see to give it any reputation in the first place is to sign it. Otherwise, the first few dozen people who download it will be pressured to delete it immediately.
Big Bloody Surprise THAT is!! Freaking Windows warns you about EVERYTHING. "If you do XYZ, your machine may be at risk." You can hardly turn around without Windows warning that it'll put your computer at risk. Tell that four or five hundred times to the average user, and then profess surprise when they start to ignore the warning????
Your Servant, B. Baggins
...stupid people who download this malware.
Just last month I was warned putty.exe was found in my system. Later tinyproxy was discovered. And I went even as far as installing VNC Server!
It isn't very long since I disabled the antivirus to download an actual worm to the computer. Like, the guy got a webpage infected with some nasty stuff, and it embedded links to itself in headers of the PHP files. So, to remove it, I had to download the PHP, edit out the infected lines and upload it back. But no, downloading PHP scripts (to a computer without a webserver or PHP interpreter) triggered a virus alarm and I would not be allowed to save the infected files. So I disabled the antivirus and downloaded the infected files right to my desktop!
Microsoft security engineers must really tear hair off their heads because of reckless users who allow this kind of malware on their machines.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
The fact that it makes news when approval is rescinded means that it's exceedingly rare. I can only think of a few notable incidences - the "I'm Rich" icon/app, a publisher gaming the ratings system, and something more recent that escapes me at the moment.
It was a Commodore 64 game where the player could press some keys to reboot the emulated C64 computer into the REPL of ROM BASIC. Apple deemed the ability to enter and run BASIC programs a violation of section 3.3.2 of its iPhone Developer Program License Agreement.
I still get frequent messages on microsoft's pages saying "if you see the yellow bar with a warning at the top of the page, right-click and install the control". For years they had pages that said "you will get a certificate warning when you press submit. click ok to ignore it and continue."
And that is arguably a good thing. I'd say most users would want to be alerted if they were one of the first few people to download some particular executable.
But that's an aside. Your original claim was that *any* free software not digitally signed will be flagged. And that is a gross lie.
If you don't know where you are going, you will wind up somewhere else.
Or in more general words, install the application to the user's profile, home directory, or whatever your operating system calls it. But that would require each application to be designed for installation to the home directory or to removable media; some are, but others are not. In addition, packages for Debian and Ubuntu don't come with options to install the application into the user's home directory, and building all applications from source would require the administrator to sudo apt-get install build-essential just to get GNU Make and other build tools onto the system.
Nearly every PC game made doesn't really need admin privs at install
I thought PC games had to write to the %ProgramFiles% folder, which requires administrative privileges, in order to install. For example, the support page for World of Warcraft states that "We cannot support the game on a non-administrator account." Or should programs be installing themselves in %APPDATA% instead?
Interesting point and I'd like to read that professor's work, but I don't believe online services are flourishing for security reasons, but rather that it's coincidental from the average user's perspective. The whole point of this story is that people are not aware and knowledgeable enough about technology and security, so I doubt they factor it in highly enough to use it in their decision to choose an online service.
Security is rarely mentioned in the list of features of these services: nothing in Flickr, Picasa, or DropBox other than to discuss how files you upload can be shared selectively rather than be public. DropBox doesn't turn up anything when you query for "virus" in the help section (and even suggests disabling your anti-virus to solve a connectivity problem). Even Google Docs which has drawn much concern on data security neglects to reassure you that documents you upload are properly safeguarded, and doesn't guarantee that downloading an MS-Office version of a document is devoid of malicious code which may have been uploaded by whoever shared it with you. There's far more concern assuring you that they perform backups and that your data won't be lost. Twitter mentions security only in the context of safeguarding your account from hijacking. Facebook's "privacy" aspects are obviously not worth mentioning and where they mention it it's due to bad publicity, not a way of attracting users away from MySpace by being a safer platform. It has taken major Twitter/EC2/PSN outages for people to even realize there's a risk in relying on online services, which still isn't being discussed in these feature sets- public understanding of availability is as meager as security.
There's certainly a risk and possibly even this hidden cost you're suggesting in using proprietary online services, but I don't see that they are being used to avoid downloading an executable file, or otherwise provide any such protection against browser-based attacks. To the contrary- all of the above popular services except for Google Docs actually encourage or even require (DropBox) users to download binaries (in the case of Facebook/Twitter mobile apps), and Facebook users are clicking random links to the same kinds of nonsense they had been getting in their email.
The problem is that Windows (and MacOS and Linux) is a "Wild West" operating system where anyone with admin access (ie., most home users) can trash the whole operating system. We're going to have to move to a model where the OS provides each application a sandbox, and nothing can modify the operating system, and no application can directly modify any other application. The band-aid security that's out there will never be adequate.
I'd say most users would want to be alerted if they were one of the first few people to download some particular executable.
With the release early, release often mentality common to free software, each individual application version will have far less time to build reputation. And with the narrow user bases of some free applications, each user is more likely to be "one of the first few people to download" each version. These are the problems that certificates were supposed to address by allowing reputation to propagate from a developer's other applications and from older versions, but well-known Authenticode CAs have tended to be unfriendly to individual developers. So what best practices do you recommend for me, an individual developer, to earn reputation for the binary packages of my own free software? Or should I just include an excuse on the download page about why each version of the application has not yet had a chance to build a reputation?
Most programs should run in an environment that has far fewer privileges than the user running it. Especially games. All a game really needs to talk to are its own files, the screen, the input devices when it has focus, and its own Internet server. Those are essentially the restrictions under which a web page or Flash program runs.
Anything which needs more privileges than that should either have to be signed by somebody to indicate responsibility for the program, or the entire system has to be put in "developer mode", with additional debug facilities and logging enabled.
Microsoft has, at least, enforced that model for drivers. Doing it for applications is the next step.
I love that analogy because those of us who resist FaceBook and deal with the marauders are knights.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
For example, email. On a personal level many of my friends and family have stopped using it and require me to communicate via Facebook. The problem for me is that I don't have a Facebook account. The problem for them is that they don't want spam.
Huh? The vast majority of what shows up on Facebook is spam. OK, maybe not in the traditional sense given the spam is whatever inane thing someone decides to post rather than a Viagra ad. Oh, you mean the private message thing that no one seems to know how to use because they post conversations in their statuses?
This post comes with a double-your-money-back guarantee!
Any offense taken to this post is at your sole discretion.
[GNU/Linux distributors] do, however, have various practices in place to put up a barrier between the hostile network and the dumb user, and these things teach the user it's better to go to the trusted repo first
The historical problem here is that GNU/Linux distributors have historically been reluctant to allow non-free software into their repositories. Not all applications can be made free. It'll take a while to see whether Ubuntu can succeed in bucking this trend.
The majority of downloads on our Windows computers seem to be Microsoft patches, so 1 out of 14 being malicious sounds about right.
I don't do extremely much downloading on my Windows machine, but I guess every 14th download might be from Windows Security Center.
They will not be pressured to delete it, they will be strongly encouraged never to install it in the first place. After all, once it is installed (in Administrator rights mode) any damage has already been done. The horse has left the barn and the barn is likely on fire.
And this is a good thing. Unfortunately, most people don't pay any attention to this. If they did botnets would be smaller.
Win95
Win98
WinME
Win2000
WinXP
Vista
Win7
Every single one... allows someone else to take over your PC, do whatever they want with your hardware, hold your personal data hostage, and sabotage your credit, steal your money, delete your data, or ruin your life.
It's not the "downloads" that are to blame. It's the horrible product Microsoft has never fixed in over two decades of "software design."
E
How about if the individual signs the executable? With a traceable identity at stake people are less likely to do criminal things. OK, it isn't 100% foolproof because some malware (I think around 5%) is signed, but I'd be happy with 95% of it disappearing off the face of the Earth, wouldn't you?
eom
1 Linux Debian
2 Firefox
3 Libreoffice
4 Blender
5 mplayer
6 pan
7 kate
8 latex
9 xbmc
10 okular
11 kde
12 Thunderbird
13 gimp
14 Windows 7 --- gotcha!
They will not be pressured to delete it, they will be strongly encouraged never to install it in the first place.
I apologize for my previous ambiguous statement. By "delete" I meant "delete the package before installing it", not "uninstall it". So how should an individual developer acting in good faith amass reputation?
I don't know how my eyes saw the MA in malicious as DE, but I read the headline as "One in 14 downloads is delicious!" Dang. That sounded yummy.
We're going to have to move to a model where the OS provides each application a sandbox, and nothing can modify the operating system, and no application can directly modify any other application.
Like, say, Linux with SELinux or Apparmor?
The real problem is that sandboxing doesn't work in the general case. For example, if you want your web browser to be able to install plugins, then your sandboxing has to allow it to install plugins, which means that an exploit can install a logger to grab your login passwords and credit card numbers. To work around that you'd need to handle plugin installation in a separate executable which was allowed to install them but not to do much of anything else, which requires rewriting your browser and adding extra hassle to Joe User who just wants to watch that funny dancing cat video that requires the new Silverflashlight plugin.
Similarly, if you want your word processor to be able to edit arbitrary text files, then it has to be able to edit /etc/hosts and /etc/passwd. If you limit it to specific directories then users will whine when they can't edit a document they saved in some random location.
Just admit you're arguing the wrong point
I hereby apologize for having argued the wrong point. Please allow me to rephrase: Almost all existing packages are designed to be installed by root.
How about if the individual signs the executable?
Which would depend on finding a CA willing to issue such a certificate.
"How do you know the difference between a false positive and a real warning? You can't."
You pretty much can. There are many ways for this. Especially when the so-called scanner *names* you the Trojan you can look up for it, run into WM, decode what's in the exe, search what is the hash which is recognized, look for activity you cannot trace to process you have etc...
"You're infected son", no I am not. But nice playing.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
Heck, I blocked that many by myself a couple years ago. Switched to Linux on my home machine, Firefox with noscript ON, and Chrome on my work machines. No more MS updates or weird IE toolbar launches.
Oh wait. I forgot to put on my flameproof underwear before I posted that...
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
First, you can't trust the user to distinguish the malicious sample from the legit sample (unless he's in that 1%). They'll just run both of them. With that in mind, the OS itself needs to be able to distinguish the samples, and the only distinguishing factor an OS itself can have against a malicious program is a good malware scanner which can block known malicious samples before the user gets control. The problem is that this isn't the best solution since most malware today is virtually 0 minute and most AV defenses rely on defs that can't catch the new entries. I've seen some scanners that take heuristic, cloud, and behavioral approaches to malware, but they tend to false positive and get the user more involved than they should be in order to make a solid decision, which based on the four rules is a bad thing. In a perfect world case, A would get removed automatically while B would run. In our non-perfect world, both A and B may or may not run. A would run because the scanner doesn't know it's a virus (in which based on the 4 rules it runs) or B would not run because heuristics picked it up and the user clicked yes to quarantine.
Another approach I've seen is the walled garden approach most mobile phones are taking, where you can only download executables from an approved store. While this centralizes software downloading and eliminates unapproved downloads such as malware, it's also not foolproof since viruses can sneak in the app store such as what happened to Google a few months back as well as give you a real headache at home when it comes to running a self created internal program (which leads to "jailbreaking", then to a possible malware infection), but for a corporate situation, this might be the best choice since the IT dept probably has a 1%er somewhere in it calling the shots as to what gets executed or not, so they can allow Program B, while the policy blocks everything else not needed, which includes A.
Either way, the point to the rules is that there isn't really a good solution to them. All you can do is mitigate the problem to make it happen less through proactive approaches and security simplification to the point that it's either automated or practically automated. A great example of this are the three most popular browser plugins out there.
1) Java
2) Acrobat
3) Flash
Java does security updates all wrong. It expects the user to click on a taskbar icon to initiate the update with no auto update option available, but since it's not a button in front of them they never click on it, so it never gets updated, so Java becomes a big time infection vector for malware since chances are it's out of date. This phenomenon almost prompts me to want to make rule 3.1) When they need to click on it, they won't.
Acrobat has both a taskbar icon and an option to install without prompting. The best option is to set the updater to just install the update no questions asked but it defaults to the taskbar icon. See Java to see why that's bad.
Flash does it mostly right but is implemented kinda wrong. At startup a box pops up which asks you to update. While this isn't a fully automated solution, it at least has a button, which they will click on. The only problem is the startup portion. If they leave their computer on for weeks then they won't see the update for weeks.
In Soviet Russia, Trojan exploits YOU!
How does Microsoft know which site hosts malware? I think when you click on a link your browser. Your browser checks with the browser provider or AV software company (mozilla | microsoft | opera | symantec | mcafee) through a locally installed proxy to see if it is on a blacklist then it allows or warns you. (Microsoft | AV Companies) Know what other users have installed and had problems with.
Social engineering gets easier when users have no idea how their devices work and complexity has been piled on complexity over the years. My guess is that many (Apple | Microsoft | Nokia | Google) employees would be just as puzzled as you or I if asked what a bit of software does. Add millions of lines of code, encryption for DRM and only a handful can understand it.
Again security versus ease of use. Either learn to program and insist on only installing from source code over SSL w/signed compiler OR allow someone else to "mind the store" track where you go and what you download. .NET, C#, C, C++, Python, PERL, Java, Flex, CUDA, DirectX, Differential Calculus, Ciphers.
(Ever tried to build a compiler from source code without another compiler? Asked for an SSL Cert be sent to you via snail mail. Probed and vetted all the device firmware in your machine?) See: KLOC, DEP, Signed Binaries, TCP, UDP, DNS, TLS, HASH, MD5, SHA, ASM,
I have heard there will be a pop quiz in "401:Building your own Data Infrastructure Network " Allow or Deny?
15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
Yes, that's the whole point. There needs to be a complete and total paradigm shift in the way software runs. And plug-ins are one of the biggest problems. So you have to restructure things. The plug-in becomes a child process that can only write to its designated child window, and can only access data that is specifically passed to it. But running a plug-in in the same program space as the parent program must be strictly forbidden. It's going to be inconvenient at first, but it needs to be done.
As for the word processor example, if /etc/hosts and /etc/passwd are OS files, then the OS must provide a specific mechanism for modifying them. Or maybe there shouldn't be a mechanism for modifying them. The word processor only gets to edit files that exist in user storage space. So if a rogue program does get installed it can trash your data and run wild for a while, but it will still be a trivial matter to remove it from your system.
As it is, tonight I'm going to be fixing computers for two family members who trashed their systems this past week just from visiting websites that served them malicious flash based ads (at least, that's what we suspect the infection vector was).
See my comment above, it's called a WSUS server and accompanying Group Policies.
And the answer to all of the pop quiz questions is: Deny.
Theodore, (too lazy to log in because I'd have to first log into a password vault to get my password for my 2nd password vault.)
Perhaps this 5% of users continuing with the download are people downloading cracks/keygens that are too often flagged as threats.
I know it happens to m.. my cousin Vinny..
re: "he new Silverflashlight plugin"
Nice, very nice. But why did you leave off the ".js"?
There's an economics professor who wrote some books, name I forget as I type (please reply if you know?), his last was about the idea that peasants would live behind a king's walls in exchange for protection against marauders. The price was taxes and serfdom.
Welcome to the age of digital serfdom?
Actually, put that way, a walled garden doesn't sound so bad.
It is dangerous to be right when the government is wrong.
So a company that sells 'digital condoms' claims everything on the web is out to get us and is bad, and we must be protected from said 'badness' or we will all go to digital hell.. I should believe them, why?
---- Booth was a patriot ----
11/14 downloads are porn.
Windows users have been conditioned to go to $RANDOMWEBPAGE to download "free" software
And Linux users can be conditioned to go to $RANDOMREPO to download "free" software.
There is nothing stopping you from adding third party repos.
And therefore nothing stopping a Linux user in the sudoers group from adding a PPA full of malware. And we're back to square one: social engineering.
erdraug: One in 14 computer users is computer illiterate.
Um.. It's not Microsoft's job to make it easy for some random loser to sell or distribute his/her software.
Then can you recommend a set of steps for a loser to become no longer a loser?
Here is a test for you if you have bandwidth and can stop laughing after a logical period. Obviously it is a FIRMWARE UPDATER, don't actually run it!
Help doc (from a company who is very close to MS and others)
http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=215451
Exe file (as I said, just don't run it!)
http://www.seagate.com/staticfiles/support/downloads/firmware/MomentusXT-ALL-SD25.exe
Idiots didn't even create a mechanism to alert false positive so we, "dumb users!" ignored the warning after doing a Kaspersky and Virustotal scan and ran it.
See subject-line 1st, & then this data from a respected source for known security vulnerabilities unpatched (and, specifically to you, "funny boy"? Pay attention to IE9 below!):
---
Vulnerability Report: Microsoft SQL Server 2008: (04/29/2011)
http://secunia.com/advisories/product/21744/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (04/29/2011)
http://secunia.com/advisories/product/17543/
Unpatched 0% (0 of 6 Secunia advisories)
Vulnerability Report: Microsoft Exchange Server 2010: (04/29/2011)
http://secunia.com/advisories/product/28234/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft SharePoint Server 2010: (04/29/2011)
http://secunia.com/advisories/product/29809/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (05/01/2011)
http://secunia.com/advisories/product/34343/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Office 2010: (04/29/2011)
http://secunia.com/advisories/product/30529/?task=advisories
Unpatched 0% (0 of 6 Secunia advisories)
Vulnerability Report: Microsoft Virtual PC 2007:
http://secunia.com/advisories/product/14315/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Internet Explorer 9.x: (04/29/2011)
http://secunia.com/advisories/product/34591/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft Visual Studio 2010: (04/29/2011)
http://secunia.com/advisories/product/30853/?task=advisories
Unpatched 17% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft DirectX 10.x: (04/29/2011)
http://secunia.com/advisories/product/16896/
Unpatched 0% (0 of 3 Secunia advisories)
Vulnerability Report: Microsoft .NET Framework 4.x: (04/29/2011)
http://secunia.com/advisories/product/29592/
Unpatched 0% (0 of 3 Secunia advisories)
Vulnerability Report: Microsoft Silverlight 4.x: (04/29/2011)
http://secunia.com/advisories/product/28947/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x: (04/29/2011)
http://secunia.com/advisories/product/6473/
Unpatched 0% (0 of 4 Secunia advisories)
Vulnerability Report: Microsoft Windows 7: (04/29/2011)
http://secunia.com/advisories/product/27467/?task=advisories
Unpatched 8% (5 of 65 Secunia advisories)
---
AND, of those 5 vulnerabilities, yes... 2 are still "remote". HOWEVER, they have EASY work-arounds (basic "don't be stupid" stuff everyone OUGHT to practice & be aware of).
They can be avoided by not just downloading & running "anything" etc. (being utterly stupid in other words, or just ignorant (which in the case of a child, I could excuse (
1 in 2 downloads from Microsoft is maliciously collecting data on your download habits...