What are the most common infection vectors for personal computers?
The Verizon Data Breaches report is useful here ( http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf)
I can't view it right now but I seem to recall that the top routes in were social engineering, flash, document macros and pdf functionality.
Very few these days are in the OS.
I'm going to reproduce my answer to this question from my website, DecentSecurity.com
You get tricked
"But I'm too smart to get tricked." - You
Being tricked isn't strictly related to intelligence. Most infections are by people downloading and running the virus themselves. I've seen very smart, experienced people fall for all kinds of schemes. For example:
- In email attachments that say they're invoices, parking tickets, or legal judgements
- A website will say you need to update software in order to use it
- Part of other programs you download and run from unreputable sites
- You're told you have an infection and you need to do something to fix it
- Trying to use stolen software. This is a huge way people get infected because criminals know that it's a super easy way to get people to run untrustworthy software
- Some viruses, when they infect computers, will email themselves to everyone on someone's address list. You can't trust even files you get from friends unless you were expecting them and the email makes sense. Feel free to reply back and ask
The first rule is that you don't download files or run software that isn't something that you were specifically looking for.
The software you do get must be from a link on the original company's website, that you searched for and verified as real.
When you do install software, make sure you read every option it gives you.
Your antivirus saying something isn't a virus doesn't mean anything.
You get kit'd
There are specially designed web pages that test your computer for lots of outdated software, and if it finds some, it uses known programming errors in those programs to infect your computer - usually in seconds and without you doing anything. These are called exploit kits and they are big business.
Criminals hack other sites or use malicious advertisements to redirect your browser to them. This happens even on big sites, where it's called malvertising. You don't have to go looking, these infections come to you.
They also send these links in emails and messages on social networking sites.
Usually you are protected if you keep your software up to date.
You get 0day'd
Hackers will sometimes discover a programming flaw and, rather than report it to the developer of the program, use it against people. This kind of flaw is called a "zero-day" because users of the affected program had zero days to deploy a fix before they got infected.
These are rare, but it's one way criminals can get in. This is why you don't open email attachments or office documents you didn't specifically ask for. Do not click links in text messages or messaging programs.