In The Curious Case of the Invulnerable Browser, Roger Grimes of Infoworld writes about the recent CanSecWest 2009 PWN2OWN contest where hackers pitted their skills against web browsers to see how quickly they could break into a computer. The prize was the computer itself. Roger says that the state of browser security is actually pretty good, but even if browsers were inpenetrable, the major source of computer breakins is users browsing to a web site that then infects their computer.
That’s my experience too. So it’s actually “user stupidity” that gets users’ computers hacked. They click on a link in an email advertising a sexy video and they end up on a site that poisons their computer instead. Or they open a tempting file that has been sent to them by email. Social engineering is the technique used to get into most computers.
Don’t click that link! Don’t open that file!