Odd thing when I Google Walmart

My clueless self would imply that anti-virus and malware systems would be more important than fixing vulnerabilities or small issues like bugs, but what do I know.

Patches and vulnerability fixes are more like.....Mitsu upgrading a weak plastic clutch master cylinder to a metal one. AV programs are like putting a brace around the clutch master cylinder in hopes the CMC doesn't shatter.

Anyways, I'll echo the previous folks and say you should update your system. It never happens to you, until it happens to you. Then it turns into a rude wakeup call.
My clueless self would imply that anti-virus and malware systems would be more important than fixing vulnerabilities or small issues like bugs, but what do I know.
No.

Antivirus/antimalware programs, for the most part, protect the computer from you. For example, ESET products scan all your web traffic and will block you from going to sites with malicious code. They will also block the execution of malicious code you've downloaded and can detect unwanted applications that might use your info to target you with ads or track what you do. They plug-in to e-mail clients and block malicious code in e-mail and attachments.

All of this is within the context of a system that's at the "best it can be" in terms of integrity. This software works within the confines of the OS and its parameters, and protects against known (and unknown, using heuristics) code, but it absolutely isn't perfect. 0-Day stuff is the highest risk: stuff that there hasn't been a rule set up for because it just showed up in the wild.

Vulnerabilities and bugs are a different subject (or should I say, subjects). Bugs are, as the name would suggest, errors made in coding. These can result in unwanted behaviours, such as memory leaks or crashes.

However, even if the code is "perfect" (does everything as intended, doesn't crash), that doesn't mean it's free from vulnerabilities. Being able to execute malicious code in a memory space it shouldn't have access to, for example, is a vulnerability. Being able to backdoor a piece of software and gain access you shouldn't be able to is a vulnerability. User Account Control, for example: if you are able to bypass it and execute code, that would be a vulnerability. Flash and Java both have had countless exploits written in response to vulnerabilities, which could compromise the host system and allow access by malicious actors, which is often completely invisible to the user.

So, when Microsoft stopped patching for bugs and vulnerabilities in 7, that's a problem, because that means that any new vulnerabilities that are found in the code of that OS and its components will not have patches developed to address them. These can be exploited outside the scope of security software like your antivirus or antimalware solutions.

Many commercial-level firewalls leverage IDS (Intrusion Detection System) which can identify and block network-level exploits. These detection algorithms are of course also not perfect and often result in false positives. For example, I have a customer with an off-site iSCSI backup; when this runs, it has recently started producing an IDS warning for "EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt", the details of which can be found here:

summary:
Snort said:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.
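
The false positive described above (an opaque bulk backup stream tripping an exploit-kit content signature, then being tuned out for that one known-good host pair) can be reproduced in miniature. This is an added example, not the poster's configuration and not the real Snort rule: the `Rule`/`Flow` classes, the byte patterns, hosts and ports are all constructed, and real Snort rules additionally carry protocol and port constraints that this toy omits.

```python
"""Toy content-signature IDS showing a backup-stream false positive and its suppression.

Everything here is constructed for illustration: the patterns are not the real
Magnitude signature, and the addresses are documentation ranges.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    sid: int
    msg: str
    contents: list                       # byte patterns that must ALL appear in the payload
    # (src, dst) pairs the rule is muted for, like a Snort 'suppress' entry (constructed)
    suppress: set = field(default_factory=set)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes


def matches(rule: Rule, flow: Flow) -> bool:
    """Pure content matching: every pattern must occur somewhere in the payload."""
    return all(pattern in flow.payload for pattern in rule.contents)


def evaluate(rules, flow):
    """Return [(sid, msg), ...] alerts for one flow, honouring per-pair suppressions."""
    return [(r.sid, r.msg) for r in rules
            if (flow.src, flow.dst) not in r.suppress and matches(r, flow)]


# Constructed rule loosely modelled on an exploit-kit "hidden iframe redirect" signature
MAGNITUDE = Rule(900001, "EXPLOIT-KIT Magnitude exploit kit embedded redirection attempt",
                 [b"<iframe", b".php?", b"width=1"])


def run_scenario():
    """True positive on web traffic, false positive on backup bytes, then tuned out."""
    web = Flow("10.0.0.5", "203.0.113.9", 80,
               b"HTTP/1.1 200 OK\r\n\r\n<iframe src=http://x/l.php?a=1 width=1 height=1>")
    # Opaque backup data that happens to contain the same substrings (constructed)
    backup = Flow("10.0.0.7", "198.51.100.4", 3260,
                  b"\x00\x01<iframe" + b"\xff" * 8 + b".php?" + b"width=1" + b"\x00" * 4)
    tuned = Rule(MAGNITUDE.sid, MAGNITUDE.msg, MAGNITUDE.contents,
                 suppress={("10.0.0.7", "198.51.100.4")})
    return evaluate([MAGNITUDE], web), evaluate([MAGNITUDE], backup), evaluate([tuned], backup)
```

Suppressing only the backup host pair keeps the signature live for everyone else, which is the usual way to tune out a known-benign match without losing the rule.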

I've only been hacked or scammed like, never, after over 25 years online. Wonder why that is, when big companies with all their IT staff get breached all the time. Like that Colonial Pipeline thing last year. Wonder how clueless THEIR IT personnel was with all their certifications and all.
Completely invalid comparison: a large company is a very high value target, Joe Home Owner isn't. That doesn't mean that home users don't get scammed (they do, all the time), but they aren't the focus of targeted attacks using more advanced methods. Joe is more likely to get his credentials phished or his e-mail hijacked, while Mr. Business is more likely to be targeted with a sophisticated attack leveraging ransomware for monetary gain.

Now, big business IT departments do make mistakes; they certainly aren't perfect and are often a bit of a bureaucracy in and of themselves. Patching and upgrades are often, necessarily, significantly lagged for testing purposes and impact assessments, as patches can, and often do, break other things. For example, an update several months back to Microsoft's Hyper-V virtualization software prevented it from booting some virtual machines. That was a massive problem!

Many of these organizations have also been slow in adopting multi-factor authentication, which has led to e-mail accounts being hijacked. Users clicking on things they shouldn't have has resulted in compromised workstations and, coupled with improperly locked-down SMB shares and lack of backups, ripe targets for ransomware. And this is despite these places typically having robust firewall and antivirus solutions in place.

While hospitals and other large organizations do have an excuse for deferring patches until they can test their impact, Joe Homeowner doesn't. The free upgrade to Windows 10 also made this pretty inexcusable, as Microsoft was (generously) trying to coax people onto an actively supported platform.