The Latest Internet Explorer 0Day

As it happens, I was skiing last week (the weather was gorgeous) and now I am back (unfortunately) and confronted with the next Internet Explorer 0Day vulnerability, which is already causing noise – in my opinion too much for the real technical problem. If you read the Microsoft Security Response Center blog post called "Investigating a new win32hlp and Internet Explorer issue", you will find the following facts – as far as we know them by now:

  • The user has to be tricked into pressing F1 in response to a pop-up (no automation)
  • We are not aware of any attacks exploiting this issue
  • It is Windows XP “only”

This leads me back to the discussions I have had with customers over the last few weeks: Windows XP was released 31 December 2001 – 8 years ago. If you give it 2 years of development and engineering time, we are talking about a 10-year-old operating system. During a discussion a friend of mine said "you are not driving a 10-year-old car either" – which is not accurate. If you look at how the threat landscape has developed on the Internet over the last 10 years, you should probably compare it with a 50-year-old car. The real problem with Windows XP, in my opinion, is that it is rock-solid – but no longer suited to today's threats. As you have a great alternative now, you should definitely consider moving to Windows 7. And you should move from IE 6 (if you are still there) to IE8!!

If I had one wish for you from a security perspective: move to the latest version of your software – everywhere (knowing that this is not an easy task).

Roger