"Microsoft still has not released a patch for a major zero-day flaw in IE6 that was used by Chinese hackers to attack Google. After sample code was posted on a website, calls began for Microsoft to release an out-of-cycle patch. Now, France has joined Germany in recommending its citizens abandon IE altogether, rather than waiting for a patch. Microsoft still insists IE8 is the 'most secure browser on the market' and that they believe IE6 is the only browser susceptible to the flaw. However, security researchers warned that could soon change, and recommended considering alternative browsers as well."
http://yro.slashdot.org/story/10/01/18/2030224/France-Tells-Its-Citizens-To-Abandon-IE-Others-Disagree?art_pos=19 In all fairness, I would imagine that MS is testing a patch. The problem is that regression testing takes a lot of work, especially when you need to test it in conjunction with other patches to make sure that fixing this problem doesn't create THAT problem.
And in even more fairness, a PC World columnist says that abandoning IE is not a cure-all for security problems. And he's right. The attackers used multiple tools to compromise Google and others; ONE of these tools exploited a hitherto-unknown hole in IE. Adobe just fixed a zero-day flaw in Acrobat that could have been used in this attack; we don't yet know.
There are a couple of interesting quotes in the latter article:
I asked Kurtz about the irony that Google, makers of the Chrome Web browser, could be compromised by a flaw in Internet Explorer. Shouldn't Google be using Chrome?
Kurtz replied "It is easy to come to that conclusion, but IE is ubiquitous and is used in almost every corporation. Keep in mind, there are many enterprise applications that only work with IE--so it is difficult to just mandate an alternate browser even if you are the creator of that browser."
I'm a little surprised. As far as I know, Google uses an OS that they built for their servers. Their developers use in-house tools for their coding, so why would they be running Windows? The most likely explanation is that the attack came in through the corporate side. Chances are their marketing and accounting departments are using Windows.
While research indicates that the Internet Explorer zero-day used in the attacks could be used on any version of Internet Explorer, even on Windows 7, the initial investigation suggests that the systems targeted were actually using Internet Explorer 6 on Windows XP. Simply using a current operating system and a current Web browser would have afforded significantly more protection.
Now this is just sad. I realize that there is huge inertia in IT in large organizations to upgrade operating systems, but this is just sad. There's no reason that Google couldn't have at least been running Vista, which, for all its multitudinous faults, is still more secure than XP. For that matter, they could have been running IE 7 or 8 on top of XP: I know for a fact that it's possible as I run IE 8 on two XP machines.
Interesting stuff.
http://www.pcworld.com/businesscenter/article/187119/dont_kill_the_messenger_blaming_ie_for_attacks_is_dangerous.html Corporate IT inertia is a huge thing, and sometimes architectures just don't do what you want them to.
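The IE6-on-XP point in the PC World quote above is something an IT shop can measure rather than guess at: the User-Agent strings in a web proxy log say which browser and Windows version each client is running. Here is an added example, written for this page and not taken from the post or the articles it quotes, that inventories browsers from Apache combined-format proxy log lines and lists the hosts still sending an IE6 agent. The log lines, IP addresses and URLs are constructed for the example. One check it includes that a naive grep for "MSIE 7.0" would miss: IE8 in Compatibility View identifies itself as MSIE 7.0 but still carries the Trident/4.0 engine token, so the script counts it as IE8.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (Apache combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.12 - - [18/Jan/2010:09:01:22 -0800] "GET http://example.com/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.15 - - [18/Jan/2010:09:01:25 -0800] "GET http://example.com/a HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.0.0.17 - - [18/Jan/2010:09:02:01 -0800] "GET http://example.com/b HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)"
10.0.0.12 - - [18/Jan/2010:09:02:40 -0800] "GET http://example.com/c HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.21 - - [18/Jan/2010:09:03:11 -0800] "GET http://example.com/d HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.7) Gecko/20100106 Firefox/3.5.7"
10.0.0.22 - - [18/Jan/2010:09:03:30 -0800] "GET http://example.com/e HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
"""

# Apache combined log: client IP first, User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Windows NT kernel version as reported in the User-Agent -> marketing name.
WINDOWS_NAMES = {
    "5.0": "Windows 2000",
    "5.1": "Windows XP",
    "5.2": "Windows XP x64/2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
}


def classify_ua(ua):
    """Return (browser, os) for an Internet Explorer user agent, or None if not IE.

    Trident/4.0 is the IE8 rendering engine, so an agent saying
    'MSIE 7.0 ... Trident/4.0' is IE8 in Compatibility View, not a real IE7.
    """
    m = re.search(r"MSIE (\d+)\.\d+", ua)
    if not m:
        return None
    major = int(m.group(1))
    if "Trident/4.0" in ua and major < 8:
        major = 8
    os_m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if os_m:
        os_name = WINDOWS_NAMES.get(os_m.group(1), "Windows NT " + os_m.group(1))
    else:
        os_name = "unknown"
    return ("IE%d" % major, os_name)


def inventory(log_text):
    """Map each client IP to the set of (browser, os) pairs seen from it."""
    hosts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        cls = classify_ua(m.group("ua"))
        if cls:
            hosts.setdefault(m.group("ip"), set()).add(cls)
    return hosts


def exposed_hosts(log_text, max_ie_major=6):
    """Client IPs that sent an IE user agent at or below max_ie_major (default: IE6 and older)."""
    return sorted(
        ip for ip, pairs in inventory(log_text).items()
        if any(int(browser[2:]) <= max_ie_major for browser, _ in pairs)
    )


def summary(log_text):
    """Count distinct hosts per (browser, os) combination."""
    return Counter(pair for pairs in inventory(log_text).values() for pair in pairs)


if __name__ == "__main__":
    for (browser, os_name), n in sorted(summary(SAMPLE_LOG).items()):
        print("%-5s %-22s %d host(s)" % (browser, os_name, n))
    print("still on IE6 or older:", exposed_hosts(SAMPLE_LOG))
```

Run it against a real proxy or web server log instead of SAMPLE_LOG to get the list of machines that need the upgrade first. Keep in mind the User-Agent is client-supplied, so this finds the honest stragglers, not a deliberately spoofed agent, and it only sees hosts that went through the proxy during the window you look at.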