Not all vulnerabilities are created equal. It’s true. In a perfect world, organizations should be able to patch every vulnerability on every client immediately. But we don’t live in a perfect world. Some vulnerabilities pose a much greater risk to the organization than others and should be prioritized.
Zero-day browser vulnerabilities are one of those critical threats that should be fixed as soon as possible. Given the pace of today’s cloud transformation and the changing nature of work, browsers are the most used application in the modern enterprise. According to Microsoft, Office 365 is now used by one in five corporate employees worldwide.
So when Microsoft and Firefox both recently issued alerts about new vulnerabilities in their respective browsers, enterprises should have paid attention and done everything they could to patch any affected systems throughout the organization.
Microsoft’s advisory alerted Internet Explorer users to a known vulnerability in the browser’s scripting engine and admitted that a patch was unlikely before next month’s Patch Tuesday release. Perhaps ironically, the announcement came just days after the company ended support for Windows 7. In the meantime, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warned users that attacks targeting the vulnerability have been detected in the wild.
Since these alerts, Menlo Security has seen more than 7.7 million browser sessions using vulnerable versions of Firefox—the majority of which are in Asia, followed by the Americas and Europe. Thankfully, all 7.7 million of those browsing sessions run through the Menlo platform resulted in zero breaches—regardless of whether the browsers had been patched or not. The same is true of Internet Explorer users. No browsing sessions run through the Menlo platform have resulted in a breach.
This level of protection is by design. The Menlo Security Secure Internet is built on an Isolation Core™ and employs a Zero Trust Internet strategy that assumes that all web traffic is risky. The global web proxy blocks known malicious sites and isolates everything else in a remote browser in the cloud. It doesn’t matter if there’s a known or unknown vulnerability. No content—whether it is malicious or not—is executed on an endpoint browser, where it could potentially do serious damage.
Why would you ever bet your organization’s security on the ability of software vendors to detect and inform you of vulnerabilities, and your IT security team’s ability to quickly identify and patch affected systems? Wouldn’t you rather just know that you were protected at all times—regardless of vulnerabilities and patch state? Seems like an easy decision.