Who Profits from Security Holes?
How bad is this problem? How much junk can get installed on a user's PC by merely visiting a single site? I set out to see for myself -- by visiting a single web page taking advantage of a security hole (in an ordinary fresh copy of Windows XP), and by recording what programs that site caused to be installed on my PC. In the course of my testing, my test PC was brought to a virtual stand-still -- with at least 16 distinct programs installed. I was not shown licenses or other installation prompts for any of these programs, and I certainly didn't consent to their installation on my PC.
See a very scary video of the installations. Scary in the sense that ordinary users using Internet Explorer might experience this.
And in some related news:
With the threat of a sophisticated spyware attack looming, a renowned security researcher says the most popular detection and removal tools "fail miserably" at addressing the growing spyware/malware scourge. He found that the best-performing anti-spyware scanner failed to detect about 25 percent of the "critical" files and registry entries installed by the malicious programs.
Read the article
The only approach that I've heard about that might solve these spyware problems require the desktop and the OS to be changed quite a bit. The idea is that when a program runs, it doesn't need all the authority of the user, so let's not give it to him. So if notepad opens a file with a notepad virus, it won't be able to write system files or open network connections. Although the principle of least authoriity is well accepted in security, it turns out very few OSes actually implement it.
It turns out the usability aspects can be solved to keep security pretty simple. Check out http://erights.org for more info.