You just got home from school. Excitedly you fire up firefox and plug in the website’s address. There are a couple of obnoxious advertisements, but it’s more than worth it for all the free web games you heard about a couple of hours ago. You click past a dozen offers to refinance your house and close a plethora of questionable dating advertisements to eventually get to your pinball game. Hours later, your computer starts running slow and you start to realize your computer has caught something nasty. Could simply viewing a webpage compromise your computer? Hint: the answer is yes but there are plenty of things you can do to protect yourself.
Webpages are constantly fighting to become more eye catching and more interactive. Plugins like Adobe Flash or Java Applets allow web developers to deliver lots of extra functionality that makes things like moving menus, web-games, and even intrusive advertising work. Things like the Youtube player* or games like Bloons Tower Defense rely on plugins to function so there is no reason to be afraid of them. You should be aware however, that these plugins also offer a convenient way into your computer for malicious actors as well. In 2014 alone, Adobe published literally hundreds of vulnerabilities for Flash Player – that’s literally hundreds of ways for the bad guys to mess with a 1-year old installation of Flash and many of them could lead to a total system takeover. Like your picture collection and homework? it could be held ransom. Like your identity? view the wrong web page while running an out of date plugin and it could be gone.
The web page does not even have to be built with malicious intent. Something nasty hidden in an advertisement could kick your ass as hard as any other malicious plugin. Reputable sites like Microsoft, Yahoo, and Youtube have all unwillingly hosted malicious ads (malvertising). If you’re hoping to get away from dangers of the web by staying on reputable sites, you’re at less risk but you’re far from safe.
The most important thing you can do to protect yourself is keep your software up to date. That annoying “update available” popup is meant to be annoying. The only reason nasty code can jump from the web page without your permission is due to bugs in the software. Staying up to date will keep you safe from most malicious stuff in web pages but there is always a chance that you could run into something before the patch is released. In that case, no amount of updates will help you.
Thankfully, you can take some simple steps to protect yourself. Staying away from sketchy sites and keeping your browser up to date is a good start – lowering your exposure will lower your chance of infection but there is more you can do. Browser plugins like Safe Script or NoScript prevent all scripts from running without express permission. All you have to do is specify which domains (like “Youtube.com”) that you want to work while domains hosting the bad stuff are blocked by default. You can visit that sketchy site without fear of infection. You will have to avoid allowing suspicious domains but otherwise you’re significantly more safe.
Overall, it is important to know you are constantly under attack whenever you are online, that said just realizing this is already a step in the right direction. Keep yourself up to date and use script blocking software and you have nothing to fear.