We place a large amount of trust in big organisations when we browse to their sites: banks, insurance companies, telecoms and technology companies, etc. We assume that they're doing the right thing and have appropriate security measures in place to prevent breaches and ensure the integrity of their sites.
Now both of these exploits highlight that large organisations have SNAFU moments too. Unfortunately, given their market position, and in Trend's case their security reputation, we tend to trust them too much.
My take on both these exploits is to:
- regularly review dynamic code injection into your sites (e.g. banner ads); get rid of them where possible and try to restrict the type of content generated.
- perform regular integrity checks on your sites; create MD5 or SHA1 checksums of your site prior to deployment, then check these checksums regularly. Shut down the site if the checksums change.
- make sure you have malware protection software and it's up to date; nothing new in this one really.
- investigate browser add-ons to help prevent malware infection; IE7Pro for Internet Explorer is good, as is NoScript for Firefox.
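The integrity check from the second item above, as an added example (not code from the original post): it records a checksum for every file before deployment and later reports files that changed, vanished or appeared. It uses SHA-256 rather than the MD5 or SHA1 the post names, because both older hashes have known collision attacks; the function names and the sample site are constructed for illustration.

```python
import hashlib
import os
import tempfile

def build_manifest(root, algo="sha256"):
    """Map each file's path (relative to root) to its hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.new(algo)
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest

def verify(root, baseline, algo="sha256"):
    """Compare the live tree with the pre-deployment baseline."""
    current = build_manifest(root, algo)
    return {
        "changed": sorted(p for p in baseline
                          if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def is_clean(report):
    """True only when nothing changed, went missing or was added."""
    return not any(report.values())

def demo():
    # Constructed sample site: two pages, then a simulated modification.
    with tempfile.TemporaryDirectory() as site:
        for name, body in (("index.html", "<h1>Home</h1>"),
                           ("about.html", "<p>About</p>")):
            with open(os.path.join(site, name), "w") as f:
                f.write(body)
        baseline = build_manifest(site)  # taken prior to deployment
        with open(os.path.join(site, "index.html"), "a") as f:
            f.write("<!-- unexpected change -->")
        with open(os.path.join(site, "extra.js"), "w") as f:
            f.write("/* unexpected file */")
        return verify(site, baseline)

if __name__ == "__main__":
    report = demo()
    print(report)
    print("site clean" if is_clean(report) else "INTEGRITY FAILURE")
```

Keep the baseline manifest somewhere the web server account cannot write, otherwise whoever alters the site can alter the checksums too. Reporting added files matters as much as changed ones, since a new script dropped into the tree leaves every original checksum intact.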
Remember, ultimately you are responsible for the health of your systems. If Trend Micro are able to be compromised, so are you. Don't outsource your security responsibilities. Have a healthy sense of paranoia and apply a "secure by default" mindset when setting up your Web sites and also your Web browser.