"And whitelists aren't a panacea, either: they don't defend against malware that attaches itself to data files (think Word macro viruses), for example."
But this should be a solved (or at least solveable problem). You have complete control over email in the enterprise b/c you control the mail server.
If you use a service like gmail then you can't even send certain attachments. I couldn't send .zip files the last I checked. Plus spam filtering has gotten better.
I think white-listing could go a very long way towards solving the problem.
What does email have to do with opening Word documents with macro viruses? What does email have to do with opening any data file that maliciously exploits the application opening the data file?
How can a whitelist prevent attack vectors as varied as opening a PDF file designed to exploit your PDF reader? The user cannot always be vigilant enough to know that site X is giving him a malicious file to open. Hell, site X might actually be a legitimate site that has itself been attacked and exploited...
However, I can't receive zip files through my work email which is a policy decision made by our network admins. (You can rename it .zipX or something like that and it will go through. They have been burnt by users clicking on any random attachment and getting Trojans and viruses.)
I don't seem to be able to send an exe through GMail though.
"And whitelists aren't a panacea, either: they don't defend against malware that attaches itself to data files (think Word macro viruses), for example."