no he doesn't
Case in point - the 0 day Duqu. No malware/AV product can detect it.
They do now, in point of fact. It's a very advanced attack, though... some researchers find evidence that it may have been in development for years. The stakes must be pretty high, whatever they're after. I noted from Symantec's write-up that in the entire process, only one unencrypted file ever gets written to disk, and I believe it's the driver file.
With a VALID digital signature from a legit hardware vendor.
Now granted also - MS hasn't fixed it yet from what I've heard... So wait a bit before you bring up this example.
They have a Fix-It that prevents access to the vulnerable component. Not a patch proper, but it gets the job done. The noted downside is inability to export to PDF from Microsoft Office. You can deploy this via Group Policy if you're so inclined, or whatever method works best for you.
Going back to the original topic, yeah, that guy needs to get up to speed. Run Microsoft Baseline Security Analyzer on his system and let its SEVERE RISK assessment stare him in the face for a while. I realize everyone likes to cling to old stereotypes about Microsoft, but dude is being foolish.
One thing that has always bothered me is it seems like a never ending update cycle with Microsoft. In other words, is the OS ever going to be considered safe and not need 15 updates per month to patch the vulnerabilities that were discovered or reported? It would seem to me at some point they'd have it shored up so solid that it would be bullet proof, but maybe that's in an ideal world.
This is why Microsoft's SDL is focused not just at reducing the number of bugs, but their severity, and overall mitigating features that provide de facto damage containment and make reliable exploits much more difficult to achieve. It didn't win them any popularity contests, look at all the griping about Vista and UAC and not being an unrestricted Admin anymore, but they did it anyway.
It just seems for every patch they release two more problems are found and it's essentially a losing battle as the malcontents are firing off malware shots faster than Microsoft engineers can patch their OS.
If you look at infection rates on various Windows OSes in the SIR v11, it looks rather the other way around. And keep in mind Windows is the OS that gets handed over to children to pilot willy-nilly all over the internets looking for bewbies:
Looking at the methods of attack:
...the predominant vector is the user, of course, and user education (or a removal of their Admin/execution privileges) is a must.
Aside from user interaction, I see two attack vectors that can be eliminated arbitrarily simply by disabling AutoRun, which Microsoft has a Fix-It for (or of course you can do that via Group Policy). Of the remaining ones, routine updating of the installed apps (Java, Flash Player, Reader, media players, etc.) combined with normal updating of Windows and other Microsoft stuff eliminate nearly every other option on the chart.
In real life, if a user stumbles into an exploit pack from poisoned search results or a hacked website, the bad guys aren't even going after Microsoft vulns anymore, other than the ancient MDAC vuln. They're after vulnerable versions of Java (remove it, or patch if you have to keep it), vulnerable and unsandboxed versions of Reader (switch to v10 for sandboxing), and a variety of other stuff that you can almost certainly remove or patch. So the third-party stuff needs to get maintained.
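An added example, not from any poster in this thread: a PowerShell audit that checks the two mitigations the post above recommends on a Windows host, whether AutoRun is disabled by policy (the `NoDriveTypeAutoRun` value the Fix-It and Group Policy set) and which versions of the commonly targeted third-party apps are installed. The product-name list is a constructed sample; run it elevated so the HKLM keys are readable.

```powershell
# Added example (not from the thread): audit AutoRun policy and third-party
# app versions. Assumes a Windows host; run elevated for full HKLM access.

function Get-AutoRunPolicy {
    # NoDriveTypeAutoRun is the value the AutoRun Fix-It / Group Policy writes.
    # 0xFF (255) disables AutoRun on every drive type; anything else leaves gaps.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $shown = 'not set'
        if ($null -ne $v) { $shown = '0x{0:X2}' -f $v }
        [pscustomobject]@{
            Hive     = $p.Split(':')[0]
            Value    = $shown
            Disabled = ($v -eq 0xFF)   # $true only when all drive types are covered
        }
    }
}

function Get-ThirdPartyVersions {
    # Names are substrings matched against DisplayName in the Uninstall keys.
    # The default list is a constructed sample; extend it to what your fleet runs.
    param([string[]]$Names = @('Java', 'Adobe Reader', 'Adobe Acrobat', 'Adobe Flash Player'))
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object {
            $dn = $_.DisplayName
            $dn -and ($Names | Where-Object { $dn -like "*$_*" })
        } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName
}

Get-AutoRunPolicy       | Format-Table -AutoSize
Get-ThirdPartyVersions  | Format-Table -AutoSize
```

Compare the reported versions against the vendors' current releases; a row for Java or an Adobe Reader below version 10 (the first sandboxed release the post mentions) is the finding to act on.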