German office for IT security tests vulnerability of Windows systems
The German Federal Office for Information Security (BSI) previously recommended that users should keep their Windows systems up to date, should ideally use Google Chrome and should avoid using Java at all if possible. The efficacy of these simple protection measures has now been demonstrated in a study carried out by the BSI. It used two different Windows systems to visit a total of 100 web sites hosting drive-by downloads (malicious code which spreads primarily by exploiting security vulnerabilities).
One system had been configured as described in the BSI's own recommendations for secure Windows usage. The other was configured, as many computers are, with Windows updated to the latest version via Windows Update, but with Adobe Reader, Flash, Java and LibreOffice versions which were at least a year old. In addition, instead of Chrome, the second system used Internet Explorer 9 as its default browser and, rather than running in a restricted user account, ran under an administrator account. On both systems, anti-virus protection was provided by Microsoft's free Security Essentials (MSE) software.
The results speak for themselves, with the vulnerable system picking up 36 infections from visiting infected websites, whilst the system configured according to BSI recommendations picked up none. In 10 cases, security vulnerabilities on the vulnerable system were successfully exploited, but infection was blocked by MSE. On the secure system, the absence of security vulnerabilities meant there was not a single successful attack. The BSI also tested a Windows XP system running IE6 which had not been updated to the latest Windows version and was not running anti-virus software. It picked up 88 infections.