Don't let the latest zero-day fool you

The Internet Explorer exploit patched by Microsoft last week was serious stuff, but, if you're prioritizing holes to plug, browser vulnerabilities shouldn't be first on the list

On April 26, Microsoft announced a new critical zero-day flaw in Internet Explorer. Internet Explorer is still, surprisingly to some, the world's most popular Internet browser, especially in the corporate world. The world panicked. 

Tapping a vulnerability in the VGX.DLL module, the exploit allowed remote attackers to execute code in the context of the logged-on user or cause a local denial-of-service attack in Internet Explorer versions 6 through 11. It was detected in the wild and was causing grievous harm.

[ It's time to rethink security. Two former CIOs show you how to rethink your security strategy for today's world. Bonus: Available as a PDF or an e-book. | Stay up-to-date on the latest security developments with InfoWorld's Security Central newsletter. ]

For all those reasons, millions of people decided it was time to jettison Internet Explorer for a little while, if not permanently. I was contacted by many readers and friends who had cautioned their end users to get rid of Internet Explorer and go to a more "secure" browser, such as Safari, Firefox, or Chrome, at least until Microsoft's patch came out, which arrived four days later.

Was that panicky reaction justified? Not really. Exploited browser code accounts for less than 1 percent of successful Web exploits, according to nearly every major Web-exploitation survey taken during the last few years. Attackers long ago eschewed exploiting browser code -- or even operating-system code, for that matter -- in favor of such popular browser add-ins as Java, Adobe Flash, and Adobe Acrobat.

In fact, Cisco reported a few weeks ago that Java was responsible for 91 percent of all successful Web exploits. Exploits against browsers don't even show up as a slice on Cisco's pie chart. Most environments are running not only Java but also a high percentage of unpatched Java -- the very program most likely to result in compromise. Sure, some people were impacted by the IE flaw, but, on any given day, many more are the victims of Java exploits, phishing, or social engineering.

Have you updated your end-user education to help users avoid downloading Trojans? Do you remember to tell end users they're more likely to get infected by a website they use and trust? Or are you still offering the same old boilerplate telling users to "avoid untrusted websites"? Do you show end users what their own antivirus programs look like so they won't be duped by a fake alert and download counterfeit antivirus adware?

Of course, I'm assuming you've created a task force to determine how to patch Java better and have already put those best practices in place. Right?

Well, if not, one solution that can help fix both problems: Microsoft's free EMET (Enhanced Mitigation Experience Toolkit). It's been around for several years, and it's better than ever. It can be configured and managed using group policy and will significantly decrease risk in many zero-days. It will even provide additional protections for Java and other programs that incur risk.

EMET works by enabling memory protections that make buffer overflows and other memory-corruption problems harder to pull off. I've been running it for the last few months, and it alerts me to potentially dangerous memory bugs all the time -- to the point that I recommend most users simply turn off the alerts. EMET's not perfect. It doesn't stop everything. But it does provide additional defense in depth.

Back to my overall point: It's up to you to discover which threats are most likely to be successful in your environment based on your own experiences. A browser exploit could be in the mix -- especially if you work at one of the unfortunate companies that found the latest IE zero-day -- but in most cases you'll find that your concentration, effort, and resources are better focused on patching software and educating users.

This story, "Don't let the latest zero-day fool you," was originally published at Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at For the latest business technology news, follow on Twitter.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!