Malvertising - is it really all bad?


Posted by Court Little on Thu, Mar 04, 2010 @ 11:47 AM
My earlier post on malvertising was a bit "doomsday", so I wanted to take another look at the topic. It's not that there are no solutions; it's that the expertise, technology and support they require are beyond most organizations. But let's take a peek at some common things you can do.

First, end-point monitoring: always make sure end-users are updating their browsers and plugins to the latest versions (especially Flash!).

Second, I suppose companies could push a secure browser configuration out to end-users and train those users in its secure use. This may be more secure, but it is not cheap and not likely to get much traction. I can't imagine trying to get Keith in Finance to understand how scripts work in his favorite websites. But if you have a smaller user base and great systems support, this could very well work in small or mid-sized organizations, and some larger organizations will really be able to enforce that level of control. This is especially relevant where companies have segmented user groups based on criticality, as with PCI. Implementing something like this on all machines in the PCI zone could actually work pretty well.

The easiest method would be to shut off the Internet except for approved sites via a proxy, and by approved I mean "business sites" (though, as we have seen, even legitimate sites have been and are affected by this). In this day and age it's not common to tell users they can't use the Internet anymore, but with the surge of smart and now super phones (you go, Google!), people can still get their Internet content easily, so it's not the deal breaker it once was.
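As an added illustration of the proxy approach described above (example code written for this post, not a Solutionary product or anything from the original article), here is the allow/deny decision such a proxy has to make for each outbound request. The allowlist domains and request URLs are constructed sample values. The point worth seeing in code is that "approved site" must be matched on whole host labels, otherwise look-alike hosts and user-info tricks in the URL slip through.

```python
from urllib.parse import urlsplit

# Constructed allowlist of "business sites" (hypothetical domains).
APPROVED_DOMAINS = {"example-bank.com", "intranet.example.org"}


def host_is_approved(host, approved=APPROVED_DOMAINS):
    """True if host equals an approved domain or is a subdomain of one.

    Matching on whole labels (exact match or a '.' boundary) keeps
    look-alikes such as 'example-bank.com.attacker.test' or
    'notexample-bank.com' off the allowlist.
    """
    host = host.lower().rstrip(".")
    for domain in approved:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def proxy_decision(url, approved=APPROVED_DOMAINS):
    """Return ('ALLOW' | 'DENY', reason) for one outbound request URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "DENY", "unsupported scheme %r" % parts.scheme
    if not parts.hostname:
        return "DENY", "no host in URL"
    # user:pass@host is a classic way to make a URL *look* like it points
    # at an approved site; the real host is what follows the '@'.
    if parts.username is not None:
        return "DENY", "userinfo in URL"
    if host_is_approved(parts.hostname, approved):
        return "ALLOW", "host on business allowlist"
    return "DENY", "host not on allowlist"


def filter_requests(urls, approved=APPROVED_DOMAINS):
    """Apply proxy_decision to a batch of URLs; returns [(url, verdict)]."""
    return [(u, proxy_decision(u, approved)[0]) for u in urls]


if __name__ == "__main__":
    # Constructed sample of what a day's proxy log might contain.
    sample = [
        "https://www.example-bank.com/login",
        "http://intranet.example.org:8080/wiki",
        "http://example-bank.com.attacker.test/",
        "http://notexample-bank.com/",
        "http://example-bank.com@evil.test/",
        "ftp://intranet.example.org/",
    ]
    for url, verdict in filter_requests(sample):
        print("%-45s %s" % (url, verdict))
```

Note what this does not solve: an approved site can itself carry a malicious third-party ad, which is exactly the scenario the post is about, so the allowlist narrows exposure rather than removing it.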

Realistically, the best solution is probably a 3rd party service, similar to an SSL cert, that attests to the validity and safety of the ads that appear on a site. Thus, before your browser loads an ad it checks with the 3rd party to confirm that ad is approved. This has been discussed before and is a long way off from becoming a reality. (Having said that, Google, being Google, will probably launch this service next week.)
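To make the attestation idea concrete, here is an added sketch (my own example, not a design from the article or any real service) of the check a browser would perform: the hypothetical 3rd party publishes the SHA-256 digest of every creative it has vetted, and the client hashes the ad bytes it actually received before rendering them. The advertiser names and ad markup are constructed. The edge case it shows is the one that makes malvertising on legitimate sites possible: the served creative differs from the approved one, so its digest is unknown and it is not rendered.

```python
import hashlib


def creative_digest(ad_bytes):
    """Content identity of an ad creative: SHA-256 over its exact bytes."""
    return hashlib.sha256(ad_bytes).hexdigest()


class AdAttestationRegistry:
    """Stand-in for the 3rd-party attestation service (hypothetical)."""

    def __init__(self):
        self._approved = {}  # digest -> metadata about the vetted creative

    def approve(self, ad_bytes, advertiser):
        digest = creative_digest(ad_bytes)
        self._approved[digest] = {"advertiser": advertiser}
        return digest

    def lookup(self, digest):
        return self._approved.get(digest)


def should_render_ad(ad_bytes, registry):
    """Client-side decision: render only creatives the registry has vetted.

    Returns (True, reason) or (False, reason). Because approval is bound to
    the exact bytes, a creative altered after approval (an injected script,
    a swapped landing URL) no longer matches and is refused.
    """
    digest = creative_digest(ad_bytes)
    record = registry.lookup(digest)
    if record is None:
        return False, "creative %s... is not attested" % digest[:12]
    return True, "attested creative from %s" % record["advertiser"]


if __name__ == "__main__":
    registry = AdAttestationRegistry()
    # Constructed creative that the advertiser submitted for vetting.
    approved_ad = b'<a href="https://shop.example.test/"><img src="banner.png"></a>'
    registry.approve(approved_ad, "Example Shop")

    # Same creative as served by the site: renders.
    print(should_render_ad(approved_ad, registry))
    # Creative modified somewhere in the ad chain: refused.
    tampered_ad = approved_ad + b'<script>/* injected */</script>'
    print(should_render_ad(tampered_ad, registry))
```

The brittleness is deliberate and is also the practical obstacle the post alludes to: any legitimate variation in the served bytes (personalised copy, re-encoded images) breaks the match, so a real service would have to attest to something more structured than raw content, and the browser would still need a trusted way to fetch the approval list.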

There are several new in-the-cloud offerings that aim to proxy all Internet traffic from companies and scrub it for malicious activity such as this, but they're in beta and relatively juvenile. But certainly, as such in-the-cloud offerings (like Google's) become more prevalent, you can bet that the marketplace will recognize the need, and more of this type of service will spring up.

So what can be done now? Who knows? It really is up to each organization to weigh the possible solutions against their culture and risk. As much as I would like one, there is no "easy button" for CSOs to push to solve this issue. There is no silver bullet or product to buy (outside of rolling out hundreds or thousands of copies of dedicated malware protection to each PC), and each "solution" has its own unique challenges.

If there is any good news here, it is that, at least as far as this author is aware, this attack vector has not been used to spread many viruses and worms. Since it has been contained to individual infections, for now it has largely been a problem companies may actually be able to ignore. But will this trend stay that way for long?
