Is the guideline: don't open email attachments or execute downloads or run plug-ins (Flash, Java) from untrusted sites enough to avert infection?


I'd like to know if the following is enough to avert malware as I feel that the press and other advisory resources aren't always precisely clear on all the methods as to how PCs get infected.

To my mind, the key step to getting infected is a conscious choice by the user to run an executable attachment from an email or download, but also viewing content that requires a plug-in (Flash, Java or something else). This conscious step breaks down into the following possibilities:

  • don't open email attachments: certainly agree with this. But let's try to be clear: email comes in two parts: the text and the attachment. Just reading the email should not be risky, right? But opening (i.e. running) email attachments IS risky (malware can be present in the attachment)

  • don't execute downloads (e.g. from sites linked in suspect emails or otherwise): again certainly agree with this (malware can be present in the executable). Usually the user has to voluntarily click to download, or at least click to run the executable. Question: has there ever been a case where a user has visited a site and a download has completed on its own and run on its own?

  • don't run content requiring plug-ins: certainly agree: malware can be present in the executable. I vaguely recall cases with Flash but know of the Java-based vulnerabilities much better.

Now, is the above enough? Note that I'm much more cautious than this. What I'm concerned about is that the media is not always very clear about how the malware infection occurs. They talk of "booby-trapped sites", "browser attacks" - HOW exactly?

I'd presume the other threat would be malevolent use of Javascript to make an executable run on the user's machine. Would I be right, and are there details I can read up on about this? Generally I like Javascript as a developer, please note.

An accepted answer would fill in any holes I've missed here so we have a complete general view of what the threats are (even though the actual specific details of new threats vary, but the general vectors are known).

therobyouknow

Posted 2014-06-04T08:03:47.540

Reputation: 3 596

Question was closed 2014-06-06T16:17:37.720

Dave thanks very much for your comments. Note, I said "is the above enough", didn't use the word big though, but I know what you meant, I think. – therobyouknow – 2014-06-04T08:22:30.050

Answers


Yes, Flash and Java (via the browser) have been and continue to be exploited for malicious scripts. However, this can happen without the user's consent. See Drive by (download/cache) (although I think download cache is what you're going to be more interested in).

I guess someone can manually install the program, but don't forget other things such as plugging in USB sticks/CDs etc. (some OSes don't allow autorun, some do).

In regards to emails, clients have different levels of security... you can run javascript in some email clients but not in the latest 2 or 3 releases of MS Office, for example... So, it may not just be the attachment you need to worry about (however, I'm not saying this will execute a virus, just that it may run a malicious script. Maybe it reports back information that makes your PC identifiable and as you visit a certain site the information can be used).

You also need to be cautious of attacks over a network. Even if you are very cautious, someone else on the network may not be, execute a virus from their machine which spreads over the LAN. Your 3 points will not save you in this case.

Since you mention javascript as a single language, I'll point out that attacks can often occur with multiple technologies. Again, using the Drive by cache example, where the malicious attack could be a combination of javascript and swf to execute some VB. The javascript to reference an evil place or thing, the swf file to execute the evil!

In regards to the advice by the media, typically, I ignore it. If you need to know, ask questions on sites like SU, or https://security.stackexchange.com/ . The problem is, media scares people etc. because IMO they often (not always) are just reporting on something they're told... And the detail requires it to be general. How can they give advice on this... Think about it, there used to be just viruses... Then trojans... Then worms. Now malware. Now scareware. Now ransomware. Now more 'ware.

Dave

Posted 2014-06-04T08:03:47.540

Reputation: 24 199

+1 thanks Dave Rook. I really think that some of the media's advice on untrusted sites is inadequate - they don't always specifically describe what the threats are there. – therobyouknow – 2014-06-04T08:22:12.500

Thanks for reminding me of the "Drive by download" - it's this that I'm particularly interested in: I'd like to know of concrete cases where a download has happened on its own without the user clicking to agree to a download and then agreeing to run it. – therobyouknow – 2014-06-04T08:32:22.987

The wikipedia entry for Drive by download has sparse details of cases at the moment. – therobyouknow – 2014-06-04T08:38:46.747

@therobyouknow, that is what Google is for :) However, I updated the link in my post, click on it, you'll see a real life example and more detail – Dave – 2014-06-04T09:22:27.707

Accepted. Thanks for the link update - that's a good link, had a read. And there are some related answers on the right as well. – therobyouknow – 2014-06-04T09:47:21.953
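The answer above describes the pieces a drive-by page or an HTML-bodied email typically combines: a script that points at "an evil place", a Flash (swf) or Java object that carries the exploit, and (commonly) a hidden iframe that pulls the landing page in without anything for the user to click. The scanner below is an added example, not code from the question or from Dave's answer; it is a heuristic check a practitioner can run over saved HTML (a mail body, a fetched page) to see which of those active-content vectors are present before any rendering happens. The regular expressions are deliberately simple and are assumptions about what such markup usually looks like, not a complete parser; the two sample documents and the `.invalid` hostnames in them are constructed for illustration only. It runs under Node without dependencies.

```javascript
// Added example (not from the original question or answer): flag the active-content
// vectors discussed in the thread inside an HTML document, without rendering it.
// Heuristic regexes; a real mail gateway or proxy would use a proper HTML parser.

const PATTERNS = [
  // Inline or remote script: the "javascript to reference an evil place" piece.
  { name: 'script', re: /<script\b[^>]*>/gi },
  // javascript: URLs in links/forms, which run code when followed.
  { name: 'javascript-url', re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/gi },
  // Inline event handlers (onload=, onerror=, ...), another way to run script.
  { name: 'event-handler', re: /\son(?:load|error|click|mouseover|focus|submit)\s*=/gi },
  // Flash content: object/embed with the Flash MIME type or an .swf resource.
  { name: 'flash-object', re: /<(?:object|embed)\b[^>]*(?:application\/x-shockwave-flash|\.swf\b)/gi },
  // Java applets: <applet> or object/embed with the applet MIME type.
  { name: 'java-applet', re: /<applet\b[^>]*>|<(?:object|embed)\b[^>]*application\/x-java-applet/gi },
  // Zero-size or hidden iframes: how a compromised site silently loads a landing page.
  { name: 'hidden-iframe', re: /<iframe\b[^>]*(?:width\s*=\s*["']?0|height\s*=\s*["']?0|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>/gi },
];

// Returns one finding per match: { vector, snippet }.
function scanActiveContent(html) {
  const findings = [];
  for (const { name, re } of PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(html)) !== null) {
      findings.push({ vector: name, snippet: m[0].slice(0, 80) });
    }
  }
  return findings;
}

// Returns a count per vector, e.g. { script: 1, 'hidden-iframe': 1 }.
function summarize(html) {
  const counts = {};
  for (const f of scanActiveContent(html)) {
    counts[f.vector] = (counts[f.vector] || 0) + 1;
  }
  return counts;
}

// Constructed sample: a plain newsletter with a normal link; nothing should be flagged.
const SAMPLE_NEWSLETTER = `<html><body><p>Hello, here is this week's update.</p>
<a href="https://example.invalid/news">Read more</a>
<iframe src="https://example.invalid/video" width="640" height="360"></iframe>
</body></html>`;

// Constructed sample: the combination described in the answer (hidden iframe,
// remote script, Flash object, Java applet). Hostnames are made up (.invalid).
const SAMPLE_DRIVEBY = `<html><body><p>Loading...</p>
<iframe src="https://evil.invalid/landing" width="0" height="0" style="display:none"></iframe>
<script src="https://evil.invalid/loader.js"></script>
<object type="application/x-shockwave-flash" data="https://evil.invalid/x.swf"></object>
<applet code="Exploit.class" archive="https://evil.invalid/x.jar"></applet>
</body></html>`;

console.log('newsletter:', summarize(SAMPLE_NEWSLETTER));
console.log('drive-by  :', summarize(SAMPLE_DRIVEBY));
```

Nothing in the drive-by sample requires a click: the iframe, script and plug-in objects all load as part of rendering the page, which is the "download completes on its own" case asked about above. Whether the loaded content then runs code on the machine depends on an exploitable browser or plug-in, so the scan tells you a page is trying, not that it succeeded; treat a hit on `flash-object` or `java-applet` in mail as a reason not to render the message at all.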