The idea is to reduce the list to the smallest possible size, without losing any individual source of malware.
I've tried to avoid situations where your PC is running an old operating system or an old browser. To make a rule, let's assume you have Windows 7 or later and an up-to-date browser, which can be of any flavour.
This list doesn't cover privacy issues.
Your PC can get malware on it if ...
1. you connect your PC directly to the internet (no NAT router)
2. your NAT router allows remote administration or UPnP is turned on or the router simply has a software or hardware vulnerability
4. you click on a malicious ad
5. you open a malicious email and allow the active content to run
6. you open a file that was sent to you in an email using application X, which has a vulnerability
7. you download a malicious file and open it in application X, which has a vulnerability
8. you download a driver or an application that you need but it's malicious or it contains additional malware/PUP
9. you have an insecure update engine running on your PC and it only uses HTTP
Can anyone add no. 10?
I would admit that 6 and 7 are similar but the actions required by the user are different. So, yes, maybe those two should be merged. They aren't really different vectors.
No. 9 was traditionally more likely to occur in an insecure WiFi location i.e. the evilgrade attack. But these days all of the internet is totally open and insecure (depending upon what you personally have access to), so the scope to use vector 9 has increased.
Edit: to restore paragraph marks
Edited by palerider2, 01 August 2014 - 03:12 AM.