Michael Horowitz

Five approaches for defending a Windows PC prove their worth

June 21, 2011 4:12 PM EDT

A couple of news stories here at Computerworld reminded me of some previously offered Defensive Computing suggestions.

According to a story yesterday by Gregg Keizer, bugs in Adobe's Flash player are being widely exploited by bad guys.

The last version of Flash was released on June 15th; the version before that was released on June 5th. On June 6th, I suggested a way to defend against bugs in the Flash player: basically, use only Google's Chrome browser on Flash-enabled sites.

One problem with updating Flash in other browsers is that it's a manual procedure. Then too, it may need to be done more than once, depending on the browsers you use. Finally, the way Adobe notifies end users about the need to update to a new version of Flash is seriously flawed. I list five problems with it on my flashtester.org site.

Chrome has none of these problems: it self-updates its embedded copy of the Flash player quietly and quickly. When the June 15th bug fixes were rolled out by Adobe, my Chrome browser had updated itself with the latest Flash player before I knew there was a new version. Thank you, Google.

This strategy means that Flash is not available in other browsers. I continue to use Firefox at times and haven't found life without Flash to be a big deal. After all, millions of iPad users somehow manage to survive without it.

Firefox without Flash produces messages on sites such as ft.com and YouTube.

On a few sites, however, Firefox pops up a yellow bar at the top of the web page warning that an additional plugin is needed to view the page. To me, this annoyance is a small price to pay for the added security.

Anyone using the Adobe Reader version 9 or 10 has another copy of the Flash player that also needs to be updated. Adobe has often updated this copy of Flash well after updating the web browser copies.

To deal with this, I suggested back in October to use another PDF viewer, advice that I stand by.

Anyone married to Adobe can avoid Flash issues by using version 8 of the Reader. The June 14th updates to the Adobe Reader included fixes to version 8, which shows Adobe is still maintaining it. Version 8 of the Reader is available from Adobe at get.adobe.com/reader/otherversions.

It was interesting to see that Adobe blamed hacker interest in exploiting Flash on its popularity. This is certainly true and applies to other popular software as well. Mac and Linux users benefit greatly by being lesser targets. One of the reasons I cited for avoiding the Adobe Reader is that, because of its popularity, bad guys will be sure to exploit known bugs.

The same is true of Internet Explorer, which is also having recent flaws exploited left and right.

But IE has another strike against it, one that I discussed back in December: Microsoft is slow to release patches. Whatever the pros/cons of Chrome and Firefox, I believe that known bugs in these browsers are patched faster than known bugs in IE. With these two strikes against it, Internet Explorer is the worst browser for Defensive Computing.

Update: The flaw being exploited in IE, according to the Gregg Keizer article from June 17th, was known to Microsoft back in January of 2011. It took them six months to issue a fix.

In addition to being free, Firefox and Chrome offer a huge number of extensions, are available in portable editions on Windows and run on Macs and Linux, none of which Internet Explorer can match. So, let the bad guys exploit the latest flaws in IE. I don't care, and there is no reason for you to care either.

Of course, every article that discusses a web browser mentions speed, so let me weigh in too.

Speed should not be a consideration in choosing a web browser. Safety and other features matter more. For speed, consider a faster net connection, a faster computer or an SSD. I have done each of these, and each made a huge speed difference compared to minor differences between browsers.

Finally, I recently heard about a web site offering free iPads (I won't mention the site name because I believe it to be a scam). Figuring the site was dicey, I visited it with a browser running in a Sandboxie sandbox.

The sandbox insulated the rest of the system from changes, ran the browser with lowered rights and discarded any changes the browser thought it made. As a test, I installed a browser extension which was fully functional but then disappeared when the browser was shut down.

I last wrote about Sandboxie back in April. It has proven its worth time and time again and remains an outstanding way to defend a Windows computer.

And, it's not limited to web browsers. If someone sends you a file, consider saving it to your hard drive and opening its viewing application (be it Word, Excel, the Adobe Reader or whatever) in a Sandboxie sandbox. This way, even if the file is malicious and the malware gets by your antivirus software, your system is still protected.