It probably isn't news to you that there's been an issue with Internet Explorer and a recently-discovered vulnerability that exposes users of the application to a range of attacks. Certainly we've been getting lots of enquiries about our ability to detect it, and I suspect other vendors are getting the same barrage of questions.

Of course, we understand that people are concerned at the very public recognition of a problem that affects so many people and several versions of the application. In this instance, though, the security problem is not a specific malicious program or even a malware family: it’s a vulnerability in the application. The threat is not from the vulnerability itself, so much as from malware that exploits it. There is a great deal of that, right now. In principle, however, "traditional" anti-virus/anti-malware doesn't necessarily detect vulnerabilities - in fact, a scanner that detected vulnerabilities as comprehensively as it does blacklisted malware would be rather different to what we're accustomed to.

As it happens, we are addressing detection of the vulnerability, so that detection isn't restricted to known malware. However, it isn’t enough just to detect the vulnerability, because (a) that doesn’t guarantee that the end user will apply the patch, and (b) an attempt to exploit the vulnerability may not always trip a coarse-grained heuristic. So we're also detecting specific threats that attempt to use this vulnerability.

Nevertheless, there is a wider issue here. No reputable anti-malware company is going to ignore a security problem because it's basically a problem with someone else's application. However, it's not safe to rely on anti-malware to fix an application vulnerability, especially when there's a patch hot off the presses. Good patching practice is an essential part of a defense-in-depth strategy.

David Harley 
Director of Malware Intelligence