When being careful isn't enough

Posted by Maxim Weinstein Thu, 18 Dec 2008 21:03:35 GMT

The big news in the malware world this week was the spread of a new zero-day exploit for Internet Explorer. Microsoft responded fairly quickly, releasing an emergency patch yesterday, but meanwhile, the bad guys were working quickly to hack websites so they could deliver password-stealing malware onto users’ vulnerable machines via drive-by download.

To me, this highlights a trend that the security community has been seeing more of lately: very rapid distribution of exploits for applications that haven’t been patched or that have just recently been patched. Botnets, spam, and vulnerable websites are what let malicious actors deploy exploit code this quickly.

In turn, this trend points out the insufficiency of "being careful" as a defense against malware. Keeping your PC up to date and avoiding suspicious websites are important safety steps, but neither will protect a user from a legitimate website hosting a zero-day drive-by exploit.

Security experts always talk about layers of security, and this is a great example of why they matter. When you combine the defenses above with "just in time" warning messages about known badware websites, proactive AV scanning, and improved security architecture in the desktop OS and applications, a user has a reasonable chance of being protected from even new, fast-moving threats. Perhaps there’s still more that can be done. Public user warning systems, distributed intelligence gathering, and other new approaches to helping users avoid malware are on the horizon, and StopBadware looks forward to working with its partners and the rest of the community in our collective effort to fight back.