Neil MacDonald

A member of the Gartner Blog Network

VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Google, IE, China and Zero Day Attacks: Three Lessons

by Neil MacDonald  |  January 18, 2010  |  6 Comments

We’ve got a team of analysts working on a broader event research note that will be published shortly. What I wanted to discuss here is: “so what do I do if my organization is using IE?” Longer term, there are three key takeaways from the recent events:

Lesson #1 – Run more users as standard user. I’ve said it here and here and most recently here again. This has got to be a top priority initiative in 2010. Use the migration to Windows 7 as a catalyst if this is planned for this year.

Lesson #2 – Get off of IE6 ASAP. I don’t care if this is to Firefox, Chrome, Safari, Opera, IE7 or IE8. Get off of IE6 in 2010. If a Windows 7 migration is planned for 2010, use it as a catalyst for the budget and resources if needed.

Lesson #3 – Use defense-in-depth at the endpoint. If you are planning on Windows 7, make sure some of the defense-in-depth capabilities of the OS are turned on in your master image. Technologies and techniques like Address Space Layout Randomization (ASLR) and extending Data Execution Prevention (DEP) into the browser are discussed in detail in this research note. Note that DEP applies to XP SP2 and SP3 as well if used with IE8. Other clients using third-party host-based intrusion prevention solutions like Cisco Security Agent or McAfee HIPS have additional protection.
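As an added example (not part of the original post, and not Gartner or Microsoft code), the three lessons above can be turned into a quick endpoint audit. The script below checks whether the current session holds administrative rights (Lesson #1), reads the installed Internet Explorer version from the registry (Lesson #2) and reports the system-wide DEP policy via WMI (Lesson #3). It assumes Windows XP SP2 or later with PowerShell and WMI available; the registry path and WMI class are the standard ones, and the threshold values used for the findings are the author of this example's choices.

```powershell
# Endpoint audit for the three lessons above (added example, not from the post).
# Assumes Windows XP SP2+/Vista/7 with PowerShell 1.0 or later and WMI available.

function Test-IsAdministrator {
    # Lesson 1: does the current session carry administrative rights?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-IEMajorVersion {
    # Lesson 2: the installed IE version as recorded in the registry.
    # (On IE6 this reads 6.0.x, on IE8 8.0.x; later IE releases moved to svcVersion.)
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -Name Version
    return [int]($ie.Version.Split('.')[0])
}

function Get-DepPolicy {
    # Lesson 3: system-wide DEP policy as reported by Win32_OperatingSystem.
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows components only), 3 = OptOut
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return [int]$os.DataExecutionPrevention_SupportPolicy
}

$findings = @()

if (Test-IsAdministrator) {
    $findings += 'Lesson 1: this session has administrative rights; run day-to-day work as a standard user.'
}

$ieMajor = Get-IEMajorVersion
if ($ieMajor -le 6) {
    $findings += "Lesson 2: Internet Explorer $ieMajor is installed; move to IE7/IE8 or another browser."
}

$dep = Get-DepPolicy
if ($dep -eq 0 -or $dep -eq 2) {
    # OptIn only covers processes that ask for DEP themselves, so whether the browser
    # is protected depends on the browser build; OptOut/AlwaysOn cover it regardless.
    $findings += "Lesson 3: DEP policy is $dep (0 = AlwaysOff, 2 = OptIn); review whether the browser is covered."
}

if ($findings.Count -eq 0) {
    'No findings: standard user session, IE7 or later, DEP policy covering all processes.'
} else {
    $findings
}
```

Run it in the user's normal (non-elevated) session so the Lesson #1 check reflects how people actually work, and compare the DEP finding against the master image settings rather than a single machine.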

What to do short term? Back to the compromise at Google. Reports indicate that Microsoft has confirmed an IE vulnerability was involved in the Google attacks. Microsoft’s Security Advisory provides more information about the vulnerability here.

What can you do now if you are worried about IE6 until the patch is released by Microsoft? In addition to Microsoft’s guidance in the advisory, there are several alternatives we discuss with clients, but one option is to run IE6 from a terminal services or hosted virtual desktop (VDI) session where the session is restored back to a known good state after each use.

Category: Application Security, Endpoint Protection Platform, Microsoft Security

6 responses so far ↓

  • 1 Laura Maio   January 18, 2010 at 1:07 pm

    Hi Neil,
    Great post, and I’ll watch for the broader research note. In your Lesson #3 you mention CSA and McAfee; don’t forget Trend Micro Deep Security. This advanced HIPS also adds integrity monitoring and log inspection to increase the protection for servers and critical desktops.
    All the best!
    Laura

  • 2 Neil MacDonald   January 18, 2010 at 1:45 pm

    Laura – yes, this was not intended to be an exhaustive list. There are a large number of network- and host-based IPS vendors that we cover at Gartner (in addition to what the EPP vendors are doing as a part of their converged offerings). Trend acquired Third Brigade and has an offering here.

  • 4 Do as I Say … « Vintage1951   February 11, 2010 at 1:35 pm

    [...] So, is the Cabinet Office right to claim that the MoD is safe to carry on using IE6? At least they’re right to draw a distinction between the level of protection achieved through “defence in depth” and what’s available to the average home user. David Lacey, in his recent book “Managing the Human Factor in Information Security”, points out that baseline security measures, a collection of standard proven security controls, is the fastest, most reliable (and often cheapest) means for improving security. He compares it with the “trajectory of accident opportunity” described by James Reason in his book “Human Error”. His premise is that multiple, simultaneous failures or compromises would be needed to allow an attack to be pressed home. Gartner’s Neil MacDonald says that there are 3 lessons to be drawn from the attack on Google: [...]

  • 5 Another Zero-Day Attack on Internet Explorer: Time to Switch Browsers?   March 10, 2010 at 10:42 am

    [...] – we’ve been advising Gartner clients to do this since 2006 and I provided this advice and more here and here after the IE/Google/China attacks. You don’t have to wait on a Windows 7 upgrade to do [...]

  • 6 Free Stuff to Help run as Standard User   April 1, 2010 at 11:26 am

    [...] exposure to malware by running more users as standard user. I’ve talked about this issue here, here and [...]