Posted by: Troy Tate
attack, Aurora, fixes, Internet Explorer, malicious software, malware, Microsoft, patch, patch management, threat, update, vulnerability
Maybe you have heard the recent news about the attacks against Google known as Aurora. If you haven’t, take a look at the stories returned in the Google news search in the previous link.
What strikes me as interesting about this attack is that the focus is on Microsoft’s Internet Explorer 6. Internet Explorer 6 was released in August 2001. Internet Explorer 7 was released in October 2006. Internet Explorer 8 was released in March 2009. So, the recent attacks focused on an 8+ year old application that has been superseded by two full revisions. Didn’t anyone use automatic updates to update their IE? What kept people from updating IE?
I know that Microsoft has released an out-of-cycle update to address the vulnerability. This is a cumulative update for all currently supported versions of Internet Explorer. So, will this update get applied to at-risk systems? Hmmm… I wonder, since it appears that there is little movement off of older versions of Internet Explorer. The attacks were on well-known organizations (Google, Adobe, Juniper). Why would they still be using this older version of IE? It seems like this would raise questions about Microsoft’s penetration of newer operating systems like Vista, which would be running IE7.
IE7 had issues with compatibility and HTML standards. IE8 is much better. Is the compatibility issue so significant that organizations stayed on IE6 rather than moving to IE7 and/or IE8?
Thanks for reading and let’s continue to be good network citizens!