DON'T SURF IN THE NUDE
Security on a Shoestring
Security vulnerabilities leave your computer open to attack.
When you open a web page with a browser or a document with a word processing program, you depend on the security of the browser or word processing program to ensure that a malicious web page or document is not able to run amok on your system. This is true of all computer programs which access the internet, open data files downloaded from the internet or open imported data files from CD/flash drives- browsers, media players, spreadsheet and presentation programs.

From time to time security weaknesses are discovered in computer programs which allow a malicious web page, audio/video file or document to bypass the confines of the browser, media player or word processing program through a security hole and run code on the wider system- typically to install a Trojan horse or 'backdoor' to gain control of that computer and all the information on it.

When these security 'holes' are found, the software developer makes available a 'patch' to repair the security weakness and fix security vulnerabilities. And from time to time, they release program updates, including patches and improvements to the security of the software.

A security 'hole' in a computer program is called a vulnerability. To take advantage of that vulnerability, malware writers must come up with an exploit- a piece of code which allows the malware writer to insert malicious code into a web page or document so that the malicious code will run on a computer which contains the vulnerable software should the user visit a web page or open a document or file which contains the exploit. Sometimes it is easy for malware writers to come up with a working exploit for a vulnerability, but not always: sometimes it proves difficult to exploit a vulnerability in practice.

Vulnerabilities themselves are not dangerous until malware writers come up with an exploit. If a software developer patches a security vulnerability before the malware community knows about it, then the software user has not been exposed to risk. On the other hand, if malware writers discover a vulnerability and come up with an exploit before the software developers are aware of the vulnerability or able to issue a patch, then the software user may be exposed to risk- the so-called zero-day exploit. The longer the vulnerability remains unpatched with an exploit in the wild (being used for malicious purposes), the longer the user is exposed to risk.

Zero day Wikipedia

Even when a software developer patches a security vulnerability before the malware community knows about it or can come up with an exploit, once an update or patch is published, it identifies a weakness to hackers, which they then try to exploit. Anyone slow in installing an update will then be at risk when an exploit does emerge. This also applies to zero-day exploits, of course. Typically malicious sites on the internet remain awash with exploits for security vulnerabilities which were patched by the software developer many weeks, months or even years before. An example is the ByteVerify exploit for the Microsoft Java Virtual Machine, which I know from experience infected an unpatched computer in a major UK computing company two years after a patch was issued. To their embarrassment, Microsoft themselves were caught out like this not so long ago, when malware infected several of their servers because a security patch issued months earlier had not been applied. Exploits in word processing programs, for example, may be shorter-lived, with targeted e-mail attacks using an active exploit lasting for only a few weeks.

The future of malware: Trojan horses c|net
Microsoft Issues Word Zero-Day Attack Alert eWeek
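
The two kinds of exposure described above (the zero-day window before a patch exists, and the window a user opens by being slow to install a published patch) can be separated with a few lines of date arithmetic. This is an added example, not part of the original page; the timelines and names in it are constructed for illustration and do not describe real vulnerabilities.

```python
from datetime import date
from typing import NamedTuple, Optional

class Vuln(NamedTuple):
    name: str
    exploit_seen: Optional[date]    # first exploit in the wild (None: none known)
    patch_released: Optional[date]  # vendor patch date (None: still unpatched)

def exposure(v, installed, today):
    """Return (unavoidable, avoidable) days one user was exposed.

    unavoidable: exploit circulating and no patch to install (zero-day window)
    avoidable:   exploit circulating, patch published, user has not applied it
    """
    if v.exploit_seen is None:
        return (0, 0)
    start = v.exploit_seen
    # Exposure ends when the user installs the patch, or is still running today.
    end = installed if installed is not None else today
    if end <= start:                 # patched before any exploit appeared
        return (0, 0)
    # With no patch published, the whole window counts as unavoidable.
    patch = v.patch_released if v.patch_released is not None else end
    split = min(max(patch, start), end)
    return ((split - start).days, (end - split).days)

# Constructed timelines (assumptions for this example, not real data).
TODAY = date(2008, 4, 1)
EARLY_PATCH = Vuln("patched-before-exploit", date(2006, 4, 1), date(2006, 3, 14))
ZERO_DAY = Vuln("zero-day", date(2006, 9, 18), date(2006, 9, 26))
UNPATCHED = Vuln("no-patch-yet", date(2008, 3, 17), None)

CASES = {
    "prompt patcher": (EARLY_PATCH, date(2006, 3, 20)),
    "slow patcher": (EARLY_PATCH, None),   # never installed the patch
    "zero-day, patched in 2 weeks": (ZERO_DAY, date(2006, 10, 10)),
    "zero-day, vendor has no fix": (UNPATCHED, None),
}

def report():
    """Exposure breakdown for every constructed case, keyed by label."""
    return {label: exposure(v, inst, TODAY) for label, (v, inst) in CASES.items()}

if __name__ == "__main__":
    for label, (forced, avoidable) in report().items():
        print(f"{label:30} unavoidable={forced:4d}d  avoidable={avoidable:4d}d")
```

The "slow patcher" row is the ByteVerify situation in miniature: the vendor did everything right, and every day of exposure comes from the patch not being applied.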

Patching does not make an application insecure- NOT patching does: that means not issuing a patch for a known security vulnerability in the case of a software company, or not applying a patch in the case of a software user. No piece of software can be 100% secure, but the degree of security depends partly on the time taken to patch security vulnerabilities, as well as the severity of vulnerabilities of course- some being a lot easier to exploit than others.

IE More Secure Than Firefox? eWeek

A list of active and patched zero-day vulnerabilities, i.e., vulnerabilities which were made public before any patch was available. In some cases the vulnerabilities may be, or may have been, exploited in attacks. (The term zero-day exploit is used if an exploit is available for a vulnerability when it becomes public. Generally if a vulnerability is found by a malware writer, the first anybody knows about it is when malware exploiting that vulnerability emerges- a zero-day exploit. Sometimes a vulnerability is made public by a security researcher to publicise a security weakness in a product.)

Zero-Day Tracker eEye

A list of the most critical internet security vulnerabilities from the past year. Users of the affected products will be vulnerable to attack if they have not updated their software to apply patches for these vulnerabilities.

SANS Top-20 Internet Security Attack Targets (2006 Annual Update) SANS Institute

Microsoft security vulnerabilities

Microsoft products such as Windows operating systems and Office products have occasionally (!) been found to contain weaknesses in security which could allow attack by people or programs with malicious intent. As revealed in the SANS report above, the top attack targets were Internet Explorer, Windows libraries ('modules that contain functions and data that can be used by other modules such as Windows applications') and Office products. This is confirmed by the eEye statistics.

Internet Explorer's dependence on other components of Microsoft Windows (Windows libraries) has also exposed its users to attack. Here are some examples of zero-day vulnerabilities in Internet Explorer, or where Internet Explorer was the vector for an attack using a vulnerability in a Windows library:

daxctle.ocx, VML, setSlice, CreateTextRange, DXImageTransform, WMF.

Microsoft Word is currently the target of regular "viral wednesday" attacks, where exploits seem to emerge just after Microsoft releases patches for vulnerabilities on the second Tuesday of each month.

Patch Tuesday - and other days of the week The Register
Is MS Office becoming a zero-day liability all year long? ZDNet

Internet Explorer 7 is claimed to have far better security than IE6, which, as the links above prove, had a less than untarnished record. Even IE7 will not provide 100% security in the case of ActiveX vulnerabilities unless run under Vista. Alternative browsers like Firefox and Opera have a much better record in patching vulnerabilities before exploits emerge, and are not vulnerable to ActiveX vulnerabilities. Although IE7 may prove as secure, users of Windows XP pre-SP2 or earlier should definitely NOT use Internet Explorer: it will not be as secure, and in the case of no-longer-supported versions (Win2000 and previous) will contain dangerous vulnerabilities.

Get Firefox! The best in browsing

XP (SP2) greatly improves security. It'll take about six hours to download on a dial-up connection, or you can sign up at the Microsoft web site for a free CD.

Windows XP Service Pack 2 PC Magazine

Security updates from Microsoft are released on every second Tuesday of the month. They regularly contain critical security updates. If you have broadband, turn on automatic updates. With dial-up it's better to check for updates yourself at least every month.

You can download updates by using the update center in XP.

Start Menu > Help and Support > Windows Update


Or you can visit the Microsoft update page

You can sign up for email notification of security updates.

For more information, visit the Microsoft security page
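
The second-Tuesday release schedule described above makes it possible to work out which monthly releases a machine has missed since it was last updated. This is an added example, not part of the original page; the "last updated" and "check" dates are constructed sample values.

```python
from datetime import date, timedelta

def patch_tuesday(year, month):
    """Return the second Tuesday of the given month."""
    first = date(year, month, 1)
    # weekday(): Monday is 0, Tuesday is 1.
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)

def missed_releases(last_updated, today):
    """List the monthly release dates after last_updated, up to today.

    A machine updated on the release day itself is treated as having
    received that month's patches.
    """
    missed = []
    year, month = last_updated.year, last_updated.month
    while (year, month) <= (today.year, today.month):
        release = patch_tuesday(year, month)
        if last_updated < release <= today:
            missed.append(release)
        # Step to the next calendar month, rolling over the year.
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return missed

# Constructed sample values (assumptions for this example).
LAST_UPDATED = date(2006, 10, 20)
CHECK_DATE = date(2007, 1, 5)

def missed_as_text(last_updated=LAST_UPDATED, today=CHECK_DATE):
    """ISO-formatted release dates this machine has not yet picked up."""
    return [d.isoformat() for d in missed_releases(last_updated, today)]

if __name__ == "__main__":
    gaps = missed_as_text()
    print(f"Last updated {LAST_UPDATED}, checked {CHECK_DATE}")
    print(f"Missed {len(gaps)} monthly release(s): {', '.join(gaps) or 'none'}")
```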

Security vulnerabilities in other applications

Other computer programs which have had security vulnerabilities and may be a security risk if they have not been updated include: Apple Quicktime, Adobe Flash, Adobe Reader, Adobe Shockwave, RealPlayer, Winamp and Sun Java, a browser plug-in which has had to patch multiple vulnerabilities. Older versions of the plug-in expose users to auto-installation of spyware:

Sun Acknowledges Security Hole in Patch Process washingtonpost.com
Sun Java Runtime Environment Sandbox Security Bypass Vulnerabilities FrSIRT
Security Patch Watch: Sun Java, Symantec, Cisco eWeek
F-Secure Virus Descriptions : Java/Binny.A F-Secure
Vundo/Virtumonde/Winfixer Removal Instructions, Includes Warning about outdated Sun Java Spyware Beware

Visit the home page of each of the applications above (if you use them) and the home page of any similar applications, and make sure you have the latest version. For browser-based applications, visit the site with each of your browsers to ensure each has the latest version installed- IE and Firefox/Opera have different browser plug-ins.

To check that you haven't missed any out of date applications on your computer that might be a security risk, visit:

