Archived Blog
Update on the Microsoft Internet Explorer 0-day
01.19.2010 - 4:43 PMWe have created a timeline of the events surrounding the attacks Google, Adobe etc and the vulnerability (click for a bigger version):
Out-of-band patch coming from Microsoft
Due to the attention the new vulnerability has received, Microsoft has announced that they will release an out-of-band patch for Internet Explorer. While a date has not been announced, this means that users will not have to wait until February 9, the next patch Tuesday, to download the fix.
Update: Mirosoft released the patch on January 21 as MS10-002.
Is IE 6.0 really used?
Ever since we heard the reports that it was an Internet Explorer 6.0 0-day vulnerability that was used in the attacks we wondered if there were details about the attacks that weren't being made public. Not only is Internet Explorer 6.0 a very old browser, you'd think that most companies would have updated to a newer version by now; most targeted attacks involve an attachment in a popular file format such as PDF, DOC and XLS. So we took a look at our own website visitor statistics for websense.com and were quite surprised by the results. Turns out that Internet Explorer 6.0 is the second most popular browser reprenting 19.6% of all visits!
In addition, Brian Krebs made an interesting discovery about browsers the other day when he visited his local bank to setup a bank account.