Automatic Software Updates are much more important than Virus Scanners

Antivirus vendors have lost the race

Don't trust that your virus scanner will catch the malware that you get. It probably won't. That time is over.

New trojans spread by email to millions of people within minutes. The reaction time of antivirus vendors varies between several hours and many days. Most malware that comes in emails is detected by none or only very few of the antivirus products on VirusTotal. In one case I observed recently, one week after they all were informed, only half of their products detected the trojan. And that trojan was just another variant of one that had already been known before.

You are already under attack

In the last months I have received more malware than in the ten years before combined. Most came as email attachments, some were hidden in web pages.

While you could in theory stop clicking on email attachments, you cannot stop browsing the web. Forget the theory that trojans are only on dubious web pages. Right now the web page of one of my colleagues spreads a trojan to everybody who happens to surf to that page. He didn't know that his web page was doing this before another colleague found it and told me. Somebody used an SQL injection on his server to insert that invisibly into his web page. Google says that more than 45.000 web pages contain that same trojan download code. Planting trojans on foreign web pages is a process that is today usually fully automated. You cannot escape these attacks; they are on completely innocent web pages.

Most trojans get in through fixed bugs

Authors of malware behave like everybody else: they are lazy. When they have the choice between several attacks, they use the simplest one. That used to be Windows, but Microsoft has reacted (albeit very late) and has meanwhile managed to change this.

Thus criminals now either send you emails with executables, or they get you to open a file (either an email attachment or one embedded in a web page) that uses bugs in software on your computer to get its evil job done. Such software is in most cases a browser plugin that gets automatically triggered when you surf to a web page that contains data for that plugin. Currently most criminals concentrate on bugs in Java, Flash, and Adobe Reader. Other candidates (currently less often attacked, but also potentially on their radar) are QuickTime and of course web browsers themselves, for example Firefox.

In most cases the criminals rely on old bugs, bugs that have been found and fixed by updates some weeks or even many months ago. Building such malware is easier and a lot less expensive. Such malware still works in most cases, because most users don't install updates, at least not very often.

This means that you can protect yourself from most malware by installing all important security updates within a few days of their availability.

However, actually doing this can be a real pain, especially if you are responsible not only for your own personal computer but for many others as well. In a corporate environment this can easily be thousands.
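To make the "within a few days" rule checkable across many machines, here is an added example (not part of the original article) that audits a software inventory for installs still below a fixed version after a grace period. The host names, version numbers, dates and the 3-day grace period are constructed assumptions.

```python
from datetime import date

GRACE_DAYS = 3  # assumption: stands in for the article's "within a few days"

# Constructed sample data: product -> (first version with the fix, release date).
SECURITY_UPDATES = {
    "Java": ("2.0.5", date(2024, 3, 1)),
    "Flash": ("7.1.0", date(2024, 3, 10)),
    "Adobe Reader": ("4.2.10", date(2024, 3, 13)),
}

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("pc-001", "Java", "2.0.5"),
    ("pc-001", "Flash", "7.0.9"),
    ("pc-002", "Java", "2.0.4"),
    ("pc-002", "Adobe Reader", "4.2.9"),
    ("pc-003", "Adobe Reader", "4.2.10"),
    ("pc-003", "QuickTime", "1.0"),
]

def parse_version(text):
    """Turn "4.2.10" into (4, 2, 10) so that 4.2.10 sorts after 4.2.9."""
    return tuple(int(part) for part in text.split("."))

def overdue_installs(inventory, updates, today, grace_days=GRACE_DAYS):
    """Return (host, product, installed, fixed, days_available) for every
    install below a fixed version that has been out longer than grace_days."""
    findings = []
    for host, product, installed in inventory:
        if product not in updates:
            continue  # no update data for this product; cannot judge it
        fixed, released = updates[product]
        days_available = (today - released).days
        outdated = parse_version(installed) < parse_version(fixed)
        if outdated and days_available > grace_days:
            findings.append((host, product, installed, fixed, days_available))
    # Longest-exposed installs first: these match the old, already-fixed bugs.
    return sorted(findings, key=lambda f: f[4], reverse=True)

if __name__ == "__main__":
    today = date(2024, 3, 15)  # constructed audit date
    for host, product, installed, fixed, days in overdue_installs(
            INVENTORY, SECURITY_UPDATES, today):
        print(f"{host}: {product} {installed} < {fixed}, "
              f"fix available for {days} days")
```

Products without update data (QuickTime in the sample) are skipped rather than reported as current, so a real inventory needs update data for every product it lists.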