On April 26, Microsoft announced a new critical zero-day flaw in Internet Explorer. Internet Explorer is still, surprisingly to some, the world's most popular Internet browser, especially in the corporate world. The world panicked.
The exploit reached the vulnerable code through the VGX.DLL module (Internet Explorer's Vector Markup Language renderer) and let remote attackers execute code in the context of the logged-on user, or crash the browser in a local denial of service, on Internet Explorer versions 6 through 11. It had been detected in the wild and was already being used in real attacks.
For all those reasons, millions of people decided it was time to jettison Internet Explorer for a little while, if not permanently. I was contacted by many readers and friends who had cautioned their end users to get rid of Internet Explorer and go to a more "secure" browser, such as Safari, Firefox, or Chrome, at least until Microsoft's patch came out, which arrived four days later.
Was that panicky reaction justified? Not really. Exploits of the browser's own code account for less than 1 percent of successful Web exploits, according to nearly every major Web-exploitation survey taken during the last few years. Attackers long ago eschewed exploiting browser code -- or even operating-system code, for that matter -- in favor of such popular browser add-ins as Java, Adobe Flash, and Adobe Acrobat.
In fact, Cisco reported a few weeks ago that Java was responsible for 91 percent of all successful Web exploits. Exploits against browsers don't even show up as a slice on Cisco's pie chart. Most environments are running not only Java but also a large share of unpatched Java installations -- the very program most likely to result in compromise. Sure, some people were impacted by the IE flaw, but, on any given day, many more are the victims of Java exploits, phishing, or social engineering.