Badware Alert: PC SpeedScan Pro

Posted by Maxim Weinstein Tue, 23 Dec 2008 19:23:30 GMT

StopBadware.org released a badware alert about PC SpeedScan Pro today:

We find that PC SpeedScan Pro is badware because it does not disclose the fact that it installs additional "Performance Center" software and fails to remove this software when PC SpeedScan Pro is uninstalled, and because it repeatedly displays notifications that exaggerate the performance impact of various ‘errors’ found on users’ computers, in order to induce users to purchase the full version of the software.

The software was distributed via a website called finallyfast.com.

We attempted to contact the software publisher, Ascentive, via e-mail, but we did not receive a response.

We currently recommend that users do not install PC SpeedScan Pro, unless users are comfortable with the behaviors we have identified or until the application is updated to be consistent with the recommendations made in this alert.

When being careful isn't enough

Posted by Maxim Weinstein Thu, 18 Dec 2008 21:03:35 GMT

The big news in the malware world this week was the spread of a new zero day exploit for Internet Explorer. Microsoft responded fairly quickly, releasing an emergency patch yesterday, but meanwhile, the bad guys were working quickly to hack websites so they could deliver password-stealing malware onto users’ vulnerable machines via drive-by download.

To me, this highlights a trend that the security community has been seeing more lately: very rapid distribution of exploits for applications that haven’t been patched or that have just recently been patched. This is all enabled through the ability of malicious actors to quickly deploy the exploit code through the use of botnets, spam, and vulnerable websites.

In turn, this trend points out the insufficiency of "being careful" as a defense against malware. Keeping your PC up to date and avoiding suspicious websites are important safety steps, but neither will protect a user from a legitimate website hosting a zero day drive-by exploit.

Security experts always talk about layers of security, and this is a great example of the importance of that. When you combine the defenses above with "just in time" warning messages about known badware websites, proactive AV scanning, and improved security architecture in the desktop OS and applications, a user has a reasonable chance of being protected from even new, fast-moving threats. Perhaps there’s still more that can be done. Public user warning systems, distributed intelligence gathering, and other new approaches to helping users avoid malware are on the horizon, and StopBadware looks forward to working with its partners and the rest of the community in our collective effort to fight back.


It's official: badware is a problem

Posted by Maxim Weinstein Tue, 09 Dec 2008 19:34:46 GMT

It’s been a busy week for declarations about how bad a problem malware and cyber security are. "Thieves Winning Online War, Maybe Even in Your Computer" declared the New York Times. "U.S. Is Losing Global Cyberwar, Commission Says," announced BusinessWeek, referring to a Center for Strategic and International Studies report that, among other things, concluded that "cybersecurity is now a major national security problem for the United States." And security firm F-Secure labeled 2008, "Another record breaking year in the growth of malicious software."

Unfortunately, there is some justification for the negativity. There is plenty of evidence that malware has become more technically sophisticated, that the criminal underground has become more developed, and that botnets can be effectively harnessed for targeted attacks against critical resources. We must, as a society, take these threats seriously and work collaboratively to address them.

That said, there is also reason for optimism. All three major U.S.-based search engines (Google, Yahoo!, Microsoft Live) now provide proactive warnings to users about known malware (and, in some cases, phishing) sites. So does the second most popular web browser (Firefox), and Internet Explorer is integrating such a feature in its next release. In the U.S. and Europe, public outreach campaigns have started to make users aware of the dangers of phishing, even as the messaging industry has worked together to reduce the amount of spam that reaches users’ inboxes. Law enforcement has recently busted some large Internet fraud rings, even as independent security researchers have brought down hosting providers and registrars alleged to have been complicit in harboring dangerous websites.

Even with these successes, we have a long way to go. This will require cooperation and communication, at unprecedented levels, amongst businesses, governments, security researchers, and the general public. It will also require StopBadware.org and others to continue innovating in how we harness the power of the Internet to help preserve what’s great about the Internet.


Secunia: Most PCs aren't fully patched

Posted by Maxim Weinstein Mon, 08 Dec 2008 17:42:20 GMT

Ryan Naraine at the ZDNet Zero Day blog reports on a study by Secunia indicating that most (98%) of Windows-based PCs have at least one insecure (i.e., unpatched) application. As explained on the Secunia blog:

By "insecure program" it is understood that there is a newer version of the program available from the vendor that corrects one or more vulnerabilities, but the user has yet to install the secure version. A vulnerability in a program can be exploited by hackers to do anything from compromising a PC, to automatically installing trojans/viruses, to sniffing out private information (passwords, credit card information, etc.).

I don’t know that Secunia is right to extrapolate from their sample of 20,000 new users of the company’s Personal Software Inspector (PSI) software to the entire population of the Internet. They argue that their customers are likely to be more security-conscious than average, but it seems likely that they’re also people who have reason to think they have vulnerable applications on their computers. Still, it’s a concerning number, and it emphasizes the need for software vendors to make security updates easy and safe for users. This includes separating the update process for important bug and security fixes, which nearly all users should be installing, from product upgrades and cross-promoted applications.

I also want to challenge Secunia’s assertion that "your anti-virus will not protect you from the security threats of vulnerabilities." While it is certainly true that AV software (or any other software, for that matter) won’t protect you from all threats, one of the reasons for using AV software is to provide an additional layer of defense against attacks that exploit unknown or unpatched vulnerabilities.


Badware Alert: Aldi Photo Manager

Posted by Brandon Palmen Fri, 05 Dec 2008 15:33:26 GMT

StopBadware.org released a badware alert about Aldi Photo Manager today:

We find that the ALDI Photo Manager application is badware because it fails to disclose that it bundles the ‘ALDI Photo Service’ application, the ‘ALDI Print Service’ application, and Firebird SQL Server software. Firebird SQL Server is not identified as being related to the ALDI applications, and it runs automatically at system startup. None of these bundled applications are uninstalled when ALDI Photo Manager is uninstalled.

We attempted to contact Aldi Photo Service through the contact options provided on their website, but we received only an automated response acknowledging our communications.

We currently recommend that users do not install ALDI Photo Manager, unless users are comfortable with the behaviors we have identified or until the application is updated to be consistent with the recommendations made in this alert.
