Drive-by downloads and UAC

As the de-facto tech person in the household I have to understand this. I need to know if I set up an administrator account on my PC and then only use regular user accounts for all web browsing, am I safe from malware?

A “drive-by download” is malware that you pick up by visiting a web site even without giving it permission to put the bad stuff on your computer.
Quote:
Originally Posted by McAfee Site
Gone are the days when you had to click to “accept” a download or install a software update in order to become infected. Now, just opening a compromised web page could allow dangerous code to install on your device.
You just need to visit or “drive by” a web page, without stopping to click or accept any software, and the malicious code can download in the background to your device.

The User Account Control (UAC), according to Wikipedia
Quote:
aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system.
The UAC is responsible for the “Do you want to allow the following program to make changes to your computer” message you get when you have this set up and are not browsing from the administrator account.

So, if I am browsing on a user account and I hit a bad site, will I be protected so long as I don’t agree to the change (which requires I put in the administrator password)?

Needless to say, my anti-virus software is up to date (although it seems it wouldn’t matter) and I try to practice safe browsing.
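The question above hinges on two things that can be checked directly on the machine: whether the account you browse from really is a standard user (or an administrator running with a UAC-filtered token), and whether UAC is actually turned on and set to prompt. The following PowerShell audit script is an added example written for this page; it is not code from any post in the thread. It reads the documented UAC policy values under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and uses the local Administrators group SID S-1-5-32-544; the function name Get-UacPosture and the plain-language readings of each value are my own.

```powershell
# Added example, not from the thread. Audits (1) the kind of token the current
# session holds and (2) the UAC policy values that decide whether a standard
# user gets a credential prompt, an automatic deny, or nothing at all.

function Get-UacPosture {
    # --- 1. What kind of token am I running with? ---
    # 'whoami /groups' lists every group in the token with its attributes.
    # Under UAC, an administrator's non-elevated token still carries the
    # Administrators group, but marked "Group used for deny only".
    $adminGroup = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }   # BUILTIN\Administrators

    $tokenKind = if (-not $adminGroup) {
        'standard user (not in Administrators)'
    } elseif ($adminGroup.Attributes -match 'deny only') {
        'administrator running NON-elevated (UAC-filtered token)'
    } else {
        'elevated administrator (full token)'
    }

    # --- 2. How is UAC configured? ---
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction Stop

    # A value that is absent from the registry behaves as the Windows default;
    # the defaults below are the documented ones.
    function Get-Val($name, $default) {
        if ($null -ne $uac.$name) { [int]$uac.$name } else { $default }
    }
    $enableLua        = Get-Val 'EnableLUA'                  1   # 1 = UAC on
    $adminBehavior    = Get-Val 'ConsentPromptBehaviorAdmin' 5   # 5 = consent prompt for non-Windows binaries
    $userBehavior     = Get-Val 'ConsentPromptBehaviorUser'  3   # 3 = prompt standard user for admin credentials
    $secureDesktop    = Get-Val 'PromptOnSecureDesktop'      1   # 1 = dim the screen while prompting

    $adminMeaning = switch ($adminBehavior) {
        0 { 'elevates silently: NO prompt for admins' }
        1 { 'prompts admins for credentials on the secure desktop' }
        2 { 'prompts admins for consent on the secure desktop' }
        3 { 'prompts admins for credentials' }
        4 { 'prompts admins for consent' }
        5 { 'prompts admins for consent for non-Windows binaries (default)' }
        default { "unknown value $adminBehavior" }
    }
    $userMeaning = switch ($userBehavior) {
        0 { 'automatically DENIES elevation for standard users (strictest)' }
        1 { 'asks standard users for an admin password on the secure desktop' }
        3 { 'asks standard users for an admin password (default)' }
        default { "unknown value $userBehavior" }
    }

    # The setup discussed in the thread only does what the poster hopes for if
    # UAC is on and standard users are either prompted for an admin password or
    # denied outright. With EnableLUA = 0 there are no prompts and an admin's
    # token is never filtered.
    $findings = @()
    if ($enableLua -eq 0)      { $findings += 'UAC is DISABLED (EnableLUA=0): no prompts, admin tokens unfiltered' }
    if ($adminBehavior -eq 0)  { $findings += 'Admins elevate silently; a malicious program run as an admin user gets full rights with no prompt' }
    if ($secureDesktop -eq 0)  { $findings += 'Prompts are not on the secure desktop; other programs can draw over or spoof them' }
    if ($tokenKind -like 'elevated*') { $findings += 'This shell is already elevated: anything it launches inherits full admin rights' }

    [pscustomobject]@{
        TokenKind            = $tokenKind
        EnableLUA            = $enableLua
        AdminPromptBehavior  = "$adminBehavior ($adminMeaning)"
        UserPromptBehavior   = "$userBehavior ($userMeaning)"
        PromptOnSecureDesktop = $secureDesktop
        Findings             = if ($findings) { $findings } else { @('UAC posture matches the standard-user setup described') }
    }
}

Get-UacPosture | Format-List
```

Run it from the account you browse with, not from an elevated prompt. The TokenKind line is the interesting one: an administrator who browses without elevating still shows the Administrators group in the token, just marked deny-only, which is exactly the filtering UAC performs; a true standard user does not have the group at all. Note that this only reports configuration. It says nothing about whether a given exploit can do its work without elevation, which, as the later replies in the thread point out, is the more common case for credential theft.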

That second sentence should say “safeR from malware.” (Than if I don’t do this at all.)

Bumping before letting it die an ignominious death. The first page filled so quickly on Monday.

The main malware website was the “codec” downloader:
“You need this codec, so agree to install this.”

But yeah, it’s safer if the user is not an administrator and doesn’t know the admin password.

The anti-virus should also scan all downloads that the web browser does…
The old anti-virus only scans files as they are loaded from the hard drive.

Not in the least. For example, there is a new Flash exploit in the wild. (Note that this kind of exploit doesn’t even need admin access to monitor your web surfing and steal logins and such. It is acting as “you” and can monitor your web activity just like you could.)

Programs have holes. New ones are being discovered all the time. MS, Adobe and others will forever be playing catchup. You will never be safe.

Yeah, that’s why I amended my post to qualify the “safe” to “safer.”

I get that there are vulnerabilities and if the OS doesn’t get you, one of the add-ons might. Still, in doing everything I can, I was rather hoping (against hope, I see) that I could cut down some instances by theoretically stopping the regular user account from being able to install things.

Computers are like sex. You can only really be safe if you’re celibate.

Celibacy -> Choosing partners -> Protection -> Regular checkups -> Emergency pills

is sort of like

Not using computers -> Browsing safe websites -> Antimalware -> Scans -> Malware removal, reformatting

Security comes in layers. UAC is just another layer alongside your antivirus, firewall, and antimalware software (often, they get rolled into one). UAC does offer some protection, but there have been exploits that can bypass it, so it’s not perfect. And IE and Chrome both do some internal sandboxing, offering additional protection.

In general, yes, UAC + not using an admin account will make you somewhat safer, but it also depends on how much stuff you actually keep on your local computer versus your online life. Personally, my entire existence is stored on Google’s servers – there’s nothing the least bit valuable on my computers, but if a keylogger stole my Google password (which it might be able to do with or without UAC, and probably without admin rights, just by scraping the password field through Windows API calls – those black asterisks or dots only serve to obscure your password from other humans, not from the computer itself or other programs)… well, that’s going to be a lot harder for me to fix than just getting another computer.

So, if most of your valuable stuff is on your computer, yeah, consider doing that. And use IE (the latest version) or Chrome, both of which have better security models than Firefox and most other browsers.

If your valuable stuff is online, you can do all that, but also think about enabling two-factor authentication (meaning you’ll need to type in a one-time code, such as from an app on your phone) in addition to a password, or tying your account to your phone number to aid in account recovery, etc.

Also, put your browser into Incognito/InPrivate/Safe Browsing mode whenever you visit questionable sites – porn, torrents, etc. This makes them use a blank temporary profile so other sites can’t scrape your cookies, saved passwords, history, etc. as easily.

Is the quote in the OP from this blog? https://blogs.mcafee.com/consumer/drive-by-download

Does anyone know of any such website, where all you need to do is visit it and something will automatically get downloaded and installed? Or does it only refer to automatically displayed media content such as PDF or Flash that exploits vulnerabilities in PDF readers/Flash players?

Yes, the setup you are talking about will prevent drive-by downloads. But so would just running as an administrator with UAC and then clicking to cancel if something tried to install. For a situation where you can’t trust the primary user, it’s not a bad idea. But for anyone who knows what they are doing, it probably won’t help much.

The exception is if the software actually exploits UAC itself somehow. Microsoft admitted at one point that this was possible; however, I’ve not really seen such an exploit in the wild.

I personally do not bother having my parents use a limited account. They know better than to agree to install anything they don’t recognize. I do occasionally have to clean up some bundleware (that software, like toolbars and crap, that sometimes comes with new software), but otherwise I’ve had no problems.

Granted, I do this because I know my dad likes to install games, and quite a few are not set up to properly install under a limited account, even though it should be possible. If no one else in your household does a lot of installing, a limited account probably won’t be enough of a hassle to justify not using one.

It’s not limited to third-party plugins like Flash/PDF (and don’t forget Quicktime, Java, etc.), although those are common vectors. Others include image libraries (PNG/JPEG/GIF), Firefox/Chrome extensions, Windows cursors, and sometimes just the browsers themselves.

Take a look at the Pwn2Own hacking contests to see what has been done before. Those are just the tip of a really big iceberg.

Only in the sense that you will get a prompt immediately asking if you want to download something, with instructions on the page telling you to Run the software. I’ve never seen a true downloader exploit that didn’t use another plugin to pull it off. The ones that don’t use plugins are almost all really trojans that trick the user into installing them.

There just isn’t a reliable hole in any web browser that lasts long enough to be widely exploited anymore. Unless you aren’t using the latest version of your web browser, that browser is probably the strongest link in the chain.

Note, I’m talking about stuff in the wild, and not the stuff figured out in contests. Those contests pretty much exist so that the browser developer can patch up the discovered exploits.

Understood, of course; I only meant those as examples. Were the image ones common in the wild, though? You’d think that this kind would catch just about anyone, yet I’ve never heard of any global epidemic of web surfers falling victim to it. Did they work only in very specific circumstances?

Interesting, thanks.

The antivirus and browser industries typically react pretty quickly to these things, nowadays. I haven’t seen any major epidemics that I can remember.

In other words, it’s not that the browsers or plugins are safe per se, but that there are a lot of companies and organizations watching out for you and making browser and software vendors patch their shit. There’s always a tiny chance that you could be the victim of the next zero-day before patches are issued, but watcha gonna do?

Are there any safe websites to go see if a computer is vulnerable?