One Microsoft Way (January 18, 2010)
"Microsoft is using a widely publicized flaw in Internet Explorer as a way to push users to upgrade both their browsers and operating systems.
"On its Security Research & Defense blog, Microsoft explains that while IE7 and IE8 on Windows Vista and Windows 7 both include the flawed code that was exploited in the recent Chinese attacks on Google, the publicly published exploit code only works against IE6 on Windows 2000 and Windows XP. So the company is urging users to think about upgrading their version of IE, or even their OS (which also results in a newer version of IE)...."
"Assessing risk of IE 0day vulnerability"
Security Research & Defense (January 15, 2010)
"Yesterday, the MSRC released Microsoft Security Advisory 979352 alerting customers to limited, sophisticated attacks targeting Internet Explorer 6 customers. Today, samples of that exploit were made publicly available.
"Before we get into the details I want to make one thing perfectly clear. The attacks we have seen to date, including the exploit released publicly, only affect customers using Internet Explorer 6. As discussed in the security advisory, while newer versions of Internet Explorer are affected by this vulnerability, mitigations exist that make exploitation much more difficult. We would like to share a little more information about both the vulnerability and the exploits we have seen to help you understand the risk to your organization...."
"...Ways to block Code Execution
"The vulnerability is present in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. All versions may crash after opening the attack code. However, there are a number of ways to limit the attack to an IE crash and prevent attacker code execution...."
Good Advice: But I'm Not Taking It - QuiteMy computer, the one I do practically all my work on, is over five years old and uses Windows XP. I'd upgrade: but don't have the budget for it. Yet.
On the other hand, I've got pretty good security: malware scans on a programmed schedule, a protocol I follow when downloading files: and I don't use Internet Explorer unless I absolutely have to.
Some companies, for reasons or unreason unknown, won't do business online unless transactions are mediated through IE. I avoid dealing whenever possible, but sometimes - - -.
I use Firefox, the most recent upgrade (3 point something now). And have my security software watching Firefox.
I like to think that Microsoft is doing a better job these days, of making Internet Explorer a comparatively safe browser. But: trust IE, with its track record for security issues? I think not.
- "Google Gmail Accounts Vulnerable, China Hack Went Public"
(January 18, 2010)
A tip of the hat to Twitter_Tips, on Twitter, for the heads-up on the article.