Gartner Blog Network


What the Most Recent Zero Day in IE Should Teach Us

by Neil MacDonald  |  September 22, 2012

I saw yesterday that Microsoft had released the out-of-band patch for Internet Explorer, as it had committed to do. Certainly, Microsoft's motivation to release the patch quickly and out of band was influenced by calls from various enterprises and governments to ban the use of IE until the issue was resolved.

What can we learn from this incident? This is not the first time this has happened with Internet Explorer, and it will not be the last.

Google Chrome has had them. So has Firefox.

When will we learn? The answer isn't to switch browsers; the answer is to standardize on more than one browser.

After a similar zero-day incident with IE in 2009, I worked with my colleagues David Smith and Ray Valdes to put together a research note for clients in early 2010 titled "Organizations Should Still Say No to Standardizing on One Browser". The research note provides multiple justifications for enterprises to standardize on two or more browsers. In the research, we specifically called out the zero-day scenario:

Offsetting the reduced patching of a single version, the recommended approach of not standardizing on one browser would have provided immediate alternatives for those who were looking to take action during any of the recent zero-day security issues with IE. By avoiding dependency on a single supplier, an enterprise provides itself more agility in the event that the supplier exits the market or fails to adequately protect and secure its product. If an enterprise officially supported or enabled multiple browsers, it could simply instruct users to use the other browser in case of such an event (and temporarily block the use of the vulnerable browser). Instead, what results is often panic, scrambling and overreactions, such as some calling to ban IE entirely (which is impossible, because it is part of the Windows OS). Because all browsers contain yet-to-be-discovered vulnerabilities, such an overreaction doesn't solve anything, and simply moves the issue to another browser and another vendor.

That pretty much describes what we saw recently (again) with IE.

Don’t let this happen again. Standardize on two or more browsers for users.


Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…
