Microsoft's General Manager of Trustworthy Computing
Security, George Stathakopoulos, has released a new statement which
warns information technology departments to change their ways when it
comes to the slow pace of browser upgrades, or risk losing valuable
company information. The statement follows on the heels of an
attack on Google, Adobe, and others, which exploited a memory
flaw in Internet Explorer 6 (and potentially IE7) to gain system

Writes Microsoft, "That said, we remain vigilant
about this threat evolving and want to be sure our customers take
appropriate action to protect themselves. That is why we continue to
recommend that customers using IE6 or IE7, upgrade
to IE8 as soon as possible to benefit from the improved security
protections it offers. Customers who are using Windows XP SP2 should
be sure to upgrade to both IE8 and enable Data Execution Protection
(DEP), or upgrade to
Windows XP SP3 which enables DEP by default, as soon as possible.
Additionally customers should consider implementing the workarounds
and mitigations provided in the Security Advisory."

The statement touches on the fact that IT departments are also frequently
slow to adopt new operating systems or service packs for reasons
similar to those behind their browser reticence -- compatibility, cost, etc.

Interestingly, Microsoft's statements indicate that attack victims
Google and Adobe (as well as other undisclosed victims) are using the
very outdated Internet Explorer 6. Writes Microsoft, "In
terms of the threat landscape, we are only seeing very limited number
of targeted attacks against a small subset of corporations. The
attacks that we have seen to date, including public proof-of-concept
exploit code, are only effective against Internet Explorer 6. Based
on a rigorous analysis of multiple sources, we are not aware of any
successful attacks against IE7 and IE8 at this time."

It is somewhat surprising to discover that a cutting-edge internet firm
like Google still relies heavily on such a stale browser.

Microsoft says that it still does not have a solution to fix the
memory flaw in IE6 and IE7. However, it says that consumers can
take comfort in the fact that it is only aware of attacks on commercial users.
The company concludes, "In summary, we are not
seeing any widespread attacks by any means, and thus far we are not
seeing attacks focused on consumers."