Enterprises using outdated versions of Internet Explorer just might have been given extra motivation to upgrade after a new zero-day attack targeting IE6 and IE7 users was discovered on Wednesday. But, according to one security researcher, drive-by download attacks will continue to be a business threat as long as enterprises overlook Web security training.
The attacks, which were first discovered by Symantec Corp. before being reported to Microsoft Corp., targeted select individuals at a variety of organizations. The bogus messages pointed IE users to a link containing malware, which if clicked, would be automatically be downloaded to a user’s computer.
Symantec said the memory allocation vulnerability allowed “any remote program to be executed without the end user’s notice.” In many cases, the malware-infested links led to otherwise legitimate Web sites that had been hijacked by the attackers.
Microsoft confirmed it was working on an automated “fix-it” repair until a permanent patch could be issued to users.
Dean Turner, director of Global Intelligence Network at Symantec’s security response division, said that while zero-day attacks are a fact of life for many organizations, the news should motivate some users to start thinking about an upgrade from older IE versions.
“We do have to understand though, that’s not such an easy thing to do, especially in a large environment,” he said.
In addition to keeping updated on your company’s browser, Turner said the key for enterprises is a mix of enterprise security tools and employee education.
For James Quin, a lead research analyst with London, Ont.-based Info-Tech Research Group Ltd., it’s pretty much all about training and education. But, he said, enterprises can very easily make critical mistakes during the training process.
“In general, there a large malaise around Web security threats,” he said. A lot of enterprises focus on more traditional attacks such as malware through e-mail, USB, or insider data theft, Quin added.
“I don’t control the Web, so it’s not my problem,” is the typical stance from an enterprise IT organization, he said.
Quin said that enterprises find it easy to buy a firewall or anti-malware program, but extremely difficult to put security policies in place. The issue, he said, is enterprises are pushing security at the macro level.
“I’m not a proponent of the ‘once a year’ training technique where you drag everybody from their desks and sit them in a room for three days,” he said.
Quin said enterprises need to dedicate a few minutes a week to small and very specific security topics. This way, staff can easily digest the material and might actually retain it.
As for the IE vulnerability itself, Quin said that while Microsoft might be to blame for the entrance point, the IT community needs to do a better job of ensuring legitimate sites aren’t hacked.
“The majority of these attacks are through hacked Web sites,” he said. “Why are these Web sites being corrupted?”
