STBY...
What's the problem?
Exploit code targeting the Internet Explorer vulnerability used against Google and other companies has gone public, increasing the chances that broader attacks will soon follow. Both the open-source Metasploit framework and the commercial Immunity Canvas software for penetration testers have working exploits that fully …
Lots of people who have no idea what they're doing to the point of not noticing when firefox gets swapped out for internet exploder by some installer or nagware, and I'm told large corporate environments with internet exploder-only intranets. Neither of whom will be exhorted by pieces like this to finally update; the former won't update because they haven't a clue and may not even be able to thanks to "windows genuine advantage", and the latter because that's a policy decision, and the pointy hairs that must approve it (can't really say "are responsible", can I?) only see a cost centre there and they were told to save on costs by on high.
and has some nice features such as inprivate. Moreover it is far quicker than FF3.0 or 3.5 in my experience.
I mainly use FF3.0 principally because it behaves well on my system compared to 3.5 plus there are several critical add-ons that I can manage without. I also use Opera 10 for some online banking sites that play well with it.
Chrome I will not touch. Well, I did actually try it once and it was slooow. But basically I do not trust Google at all. Probably a NSA/CIA job more so than M$.
Then from time to time I boot up Ubuntu and occasionally play with other flavours of linux, using browsers like Konqueror and of course FF, but the font rendering does my eyes in on linux, just nowhere as smooth as Windows.
As for IE8, I use that for intranets, work related sites that I trust, but also, surprisingly, for the banking sites that do not work with Opera...in preference to using Firefox because I ultimately do not trust add-ons enough to let loose on my financials. IE8 with a sandbox (Sandboxie or the new one within Kaspersky 2010) is definitely quicker, smoother and no less secure than the others. Junk definitely not.
"As for IE8, I use that for intranets, work related sites that I trust, but also, surprisingly, for the banking sites that do not work with Opera...in preference to using Firefox because I ultimately do not trust add-ons enough to let loose on my financials."
You could define another profile in Firefox, with extensions disabled, if you like.
Just a thought.
Correct, junk is far too polite a term, IE is utter garbage,
Why should you have to prop up a web browser that's so terminally insecure with products like Sandboxie? Which is to be honest one of the few ways I would trust using IE & go to sites that I was sure were safe
But to be fair, most web browsers need a re-think / re-write in the way they work to prevent exploits, it's just that IE is the one that's by far the biggest security risk.
My place of work also makes us use IE6 and doesn't allow us to install any software. I forget the reasoning, but there is a specific complaint about IE7 and 8 that means they refuse to upgrade the systems to it (since even 7 or 8 would be better than 6).
Thankfully I can use Firefox Portable, but unfortunately since the company officially uses IE6, any web development I do has to be compatible with it - that increases development time exponentially.
It was the same at my previous place of work too. Most slightly tech-savvy people I know use Firefox. I've even got my mum using it. I do occasionally see friends using IE because they don't know there are alternatives, but the real reason why IE6 remains such a lingering curse is the corporate usage.
Think corporate.
You can't install anything on your own. Every bit of software has to be green-lit by empty suits in IT management. Too many internal sites built too long ago for IE 6, and companies aren't willing to update for fear it might cost money.
Beer, because I need one.
"IE is has less bugs whether you like to admit it or not." - I can't recall anyone suggesting otherwise. This hasn't got anything to do with the amount bugs at all. It is a pointless and meaningless metric. The problems with IE are many though. The bugs that it does contain have the potential to cause lots of damage to it's host OS, and as (unfortunately) the majority still use a variation of it, malicious individuals will target its weaknesses and shortcomings. Like it or not, Microsoft have a duty of care to make sure that their products, paid for or free, should be as secure as possible. This isn't a slight on Microsoft as Mozilla, Google, Apple and all the rest have the same burden of responsibility, with the latter often being *as* bad.
"Why would corporates waste money rolling out a different browser..." They wouldn't necessarily. This is an overused and ill conceived argument. The cost of redesigning and redeploying an intranet could be high and that'll teach the companies affected the cost of using non-standard proprietary solutions. The cost savings made by opting for a more secure browser could be huge! Don't forget either that enterprise is only half of Microsoft's market. Any kind of shift in the consumer market has the potential to do more damage, and is far more likely. The German government for instance is suggesting that it's better to use an alternative to IE for security reasons. The damage to the Internet Explore brand, like the Windows Mobile one, could be huge.
When Firefox, Opera et al can be installed, configured and locked down via Group Policy, they may have half a chance at reducing Internet Explorer's dominance in corporate networks.
Until then, most companies will take their chances with IE, ours included. Say what you will about alternatives being safer, faster or more user friendly; sysadmins working on a Windows domain would have to be crazy to use anything other than IE.
Like the Germans said, the setting that makes IE 'sort of' secure also makes it all but unusable. FF meanwhile is at least 'sort of' secure while remaining eminently usable. In a less-than-perfect world, this seems a reasonable comparison between a 'junk' product and a quality one, all else being equal (which, of course, it is not).
that these leading tech firms aren't too savvy when it comes to their own security, as if we didn't already know.
Glad to see the solutions are already mentioned, surprised (or maybe not) that these leading tech firms weren't already in possession of that knowledge, it's not as if DEP hasn't been mentioned before in previous attacks of different kinds. Or is it IT policy, that once a patch has been released you can turn DEP off. No I don't think so, once turned on, DEP can only be allowed to filter for various applications that you have to manually define.
So the problem is only being further enhanced by poor security in these firms to begin with, something which we're all aware of now too..
On another level, why are these companies using a browser getting on for 10 years old still, have they not heard of progress, yet they still try to foist their "new" version of their product onto me every 6 months. Whilst you are right to highlight the part played by IE6, maybe the focus should now switch to the security in place in these firms?
Sorry, but saying you "think" implies actual "thought". Or maybe "thinking" for you is synonymous with "regurgitating".
Try "reading" THEN "thinking".
The recent hacks were perpetrated by launching phishing expeditions against normal users in their own homes who were duped by the ruse into opening malicious links that used this MSIE ZERO-DAY EXPLOIT (and possibly others) to compromise those USERS' WINDOWS systems and gain access to their Gmail (and other account) credentials to be used as points of entry into the Google (and other companies) network.
This was not a Google hack, or for that matter a hack on any of the other companies involved. This was a MSIE exploit, and as such was not something that Google or any of the other companies could defend against.
Twit.
Is it really? The source for Windows (and IE) is hardly *that* difficult to get hold of. (The Chinese were *given* it by Microsoft a few years ago.) Given the source, you could run LINT or similar tools over it and zero in on uninitialised pointer problems with no more effort than it takes to wade through the tool output. (Given the quality of the MS code I've seen, there could be quite a lot of that, but the task is fairly parallelisable, and China has lots of smart people.) Some individuals who enjoy the backing of the Chinese military probably know the codebase better than Microsoft's own developers, particularly the codebase of IE6 which remains a major target for attack but which has probably fallen off Microsoft's radar.
The plain truth is that IE is just as "open source" as Firefox, at least to those who matter.
That this only impacts users of Microsoft's 2001 OS platform.
Out of the box Windows Vista and Windows 7 prevent this hole from being exploited through Microsoft's Trustworthy Computing initiative.
Anyone using IE6 on Windows XP in 2010 deserves for their 8 year old system to be pwned.
You can go back, and not very far back, through articles here to find the one about workers being disciplined for doing unauthorized upgrades of IE on their PCs from IE 6 to IE 7. IE 6 was the "blessed" one and no-one was to change that or, more particularly, challenge management.
As a (very smart) manager of mine once said, "Sometimes you just need bodies hangin' from trees".
"As a (very smart) manager of mine once said, "Sometimes you just need bodies hangin' from trees"."
Well you've got 34 bodies swinging now, but I don't suppose it will help if the very smart managers refuse to open their eyes.
As the article points out, IE8 is considerably more resistant to this attack than its predecessors and that corporate intranet probably does work with it, but if you never bother to try it out then you'll never know. As I noted earlier, IE6 is basically an open source Trojan as far as the black hats are concerned, so just how smart a manager do you have to be to insist on keeping it?
2003 - "Let's save some money. Let's build our enterprise, business critical application to run in IE 6. Isn't that neato? It is so much faster and cheaper than building a "real" application"
2006 - No, we can't upgrade to IE7, it will break all our stuff.
2009 - No, we can't upgrade to IE8, it will break all our stuff.
2010 - No, we can't use our stuff anymore, IE 6 compromised our entire system and broke everything!
Guys/gals, can I point out the obvious? Exploits are found in IE because IE is the most popular browser out there. Do you seriously think FF, Chrome or Opera don't have similar and possibly worse security holes in them? Look at the percentages:
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
Firefox use is increasing, but it's still better to try and exploit IE than anything else, especially as it's more common in corporate environments.
The NHS Choose & Book system for queuing patients up to new referrals to hospital clinics requires IE6.
It is written to use some Active X thing, so the existing central stuff won't work with anything but IE, but I am pretty certain that somewhere in the closed source of it there is a line saying
If BrowserID != "IE6"
blow raspberry
exit
It would be odd if it was only general practice that had this stuff imposed on it, I assume that appointment departments have the same interface.
It wasn't my idea, and losing Crash & Burn would be no great loss for patients or professionals, but the NHS does seem to be hoist on a petard there.
What I don't understand is why M$ is not having to pay the losses of the affected companies and individuals.
M$ have been getting away with coding rubbish for years and now most people believe their BS that it is impossible for anyone to write code of any size that works.
M$ clearly are unable to produce any stable finished products and have been selling products that are unfit for purpose, so why are they not up in court?
Because making software companies liable for bugs in software is unbelievably stupid, especially in software offered for free. Would you like Mozilla to be bankrupted the next time a firefox bug is exploited?
IE is attacked often because it's the most popular browser. It (IE8 at least) actually has much better protection against exploits than Firefox. If people actually had these enabled, this exploit wouldn't have been possible.
Firefox has had bugs that have been left unpatched for long enough for an exploit to be potentially coded for it. However exploits are increasingly targeting plugins like flash and PDF. I've caught incredibly hard to remove viruses browsing with Firefox (doing nothing other than visiting a page). They even managed to get past my virus scanner (which only detected it once it was too late)
That being cost, M$ charged for a finished product and like all the other M$ OS products in the past it is full of holes. Mozilla don't charge and if it doesn't work then you have lost nothing, if your data is damaged by malware that comes via a free product then it was a risk that you knowingly took.
Take Vista/W7 as an example or windows NT/2000 they have the same story, MS take a load of fixes they should have released for free and sell them as a new product. The only stupid idea here is the one that makes people keep giving M$ money for a job they never finish.
MSIE is hacked most often because it is a direct line into the OS core, AND because it is far easier to hack than the rest of them. Both reasons make it a very tempting target.
Firefox hacks, that would be great for ... umm ... crashing Firefox. I suppose I could invest my time in writing hacks for Firefox in an attempt to exploit a buffer overflow, but that's so 2008.
If I really want to take over a system remotely, I need a vector into that system's core, and MSIE provides just such a vector. It literally IS the shell. (Yeah yeah ... explorer.exe/iexplore.exe whatever. If you start rambling on about how MSIE is NOT the shell, you're clueless. Try not to embarrass yourself.)
Perhaps there is some middle ground? Make companies liable for bugs in their software, but limit that liability to the licence cost. Open source and free software suppliers would have nothing to worry about. Microsoft would still face a hit as you must have a Windows licence to use their browser.
Even though you may be (read ARE) right, you'll win no friends speaking the truth on these pages. I'm afraid the Firefox and Linux brigade here, are like religious zealots. In fact it's probably best not to say anything too much at all, like the warmth of Heroin, these people believe that remote exploit code for Linux is but a myth, for the same feeling of all is well in the world that it gives them. Firefox being of course, the shared needle they all use.
Stats for my own website (admittedly a techie site):
----------
Firefox 44%
IE 42% (IE6 52%, IE7 20%, IE8 28%)
----------
Windows 91.0%
Linux 5.6%
Mac 3.0%
----------
Browser/OS combined:
IE/Windows 42%
FF/Windows 38%
----------
This isn't a very long way from stats for general websites. So why are there far fewer reports of FF vulnerabilities? It's obviously not the numbers. It may just be that FF *is* more secure. It may also be, of course, that anyone who's got anything worth stealing is running IE6, but that's a different argument.
And to state the obvious: the bad guys have the IE6 source, but the good guys don't. It will obviously be exploited, and the rest of us won't find out till the attack has happened. Everyone has the FF source, so there's a good chance that vulnerabilities will be fixed before they're exploited.
Really? And you are not just a Windows zealot? What strikes me is that time and again, we'll see an article stating facts about a security flaw in a given product and at some point someone will cry bias and that everyone is giving said product a hard time because they are zealots/fanbois of a competitor. Irony or stupidity? Honestly this "Windoze is teh best! No! CrApple is teh better! No Linux FTW" has got to stop.
"I'm afraid the Firefox and Linux brigade here, are like religious zealots."
Really? You're the one who froths at the pulpit every time there's an unfavourable MS story. Stop projecting your rabid fanzorpathology on to the rest of us please.
And can you leave Dan alone now please. He's not interested. It's time you moved on. It's getting embarrassing.
The only reason to use IE in a corporate environment are legacy ActiveX controls. Unfortunately, DEP "breaks" many of those and a bunch of add-in's as well. Unfortunately, DEP is an "all or nothing" setting, you cannot selectively disable it for "trusted" or internal sites.
I've been trying to push for Firefox at our company, and implement IE Tabs when we have no choice but to use IE. Since Firefox configuration can't be managed through GPO's, it has been a difficult sell to the guys that manage the workstations and AD.
The quality and security of the computing experience seems to be nosediving as we plummet headlong into the "browser is the OS" mentality.
Mine's the one with the application installation CD, that I can install and not worry about whatever goddam browser or plug-in revision I have. Bring back statically linked executables. You can keep all of your frameworks, dynamic libraries, shared objects, JVM's, Silverlight/Flash and 50 other ways to waste my time guessing whether my app will work or not. Get off my lawn.
"The only reason to use IE in a corporate environment are legacy ActiveX controls."
Legacy? I wish it were! Corporate IT idiots still tend to push "web applications" that somehow depend on IE. If not DefectiveX, then some other nonstandard stuff that makes use with other browsers a less than satisfactory experience. And justify this by saying "INTERNET EXPLORER IS THE CORPORATE STANDARD BROWSER", if questioned. :-(
Most people retarded enough to have IE6 still on their machines, will probably have an outdated version of FF as well. In an Enterprise environment it's more secure as it can be updated from a central location, and patch status can be monitored centrally.
Also free software is generally free because you wouldn't pay for it. It's too cock handed, out of date, and useless at running apps to bother with. That's why we use Windows.
Lets face it using MAC is like using a crayon instead of a pen. And using Linux is like trying to sign your name with a high powered laser. Windows sits happily between them both, it's like a biro, it's not great but we love it.
"Lets face it using MAC is like using a crayon instead of a pen."
Wouldn't it be more accurate to say that using Windows gives ordinary folk an insight as to what it must be like to be autistic.
Security is only the secondary reason why Windows must die. The main reason being that it is such a bloody awful awful interface. Most Windows users give up on trying to do anything beyond web browsing and email. Mac users by contrast use their computers for video/photo editing and other creative pursuits that average Joe Windows user has long given up on.
Yes, you could liken Windows to a biro. Half the time you come to use it and find it's not working properly.
As for the Mac, you can be sure that the crayon has been carefully contoured to enhance the user experience and it'll be available in a range of aesthetically-pleasing colours.
Linux is more like a pencil - easy to remove mistakes and you can fix it when it breaks.
Surely every OS uses MAC? Media Access Control is an essential part of the modern networking stack, is it not? Or are you talking about the cosmetics company, in which case I guess that you are right! Trouble is, Davey Boy, it's not just about the enterprise, is it!? Oh, you mean OS X. No, it's about the same as using Windows or Linux you moron...
If ever we need an example of why a browser should be simple and compliant then this is it. Most corporates use IE 6 and upgrading it is difficult with all the non-standard stuff that it does. I get really ****ed off when I heard some colleagues talking about using Silverlight. Even worse when they suggested it should be externally facing. While most people want nice websites this can be achieved by using current standards. Get rid of the extra stuff plug-ins etc and then the browser can be independent of the application and OS.
IT should be avoiding lock-in and IE is exactly the reason we need to avoid it.
I'm sure stats are pretty representative of all web sites available. No issues with stats at all.
Bear in mind of course % market share owned by "Windows" versus any other platform.
Whilst not disputing the vulnerability in IE6, all the evidence points to the fact that both IE's 7 & 8, are more secure than IE6. Firefox whilst still a good browser is no more or less secure than any other browser, if you wanted to exploit FF code you could. Safari browser also operates under a closed code like IE, however is Safari more or less secure than IE any version? I think not, seeing as it has proved to be hackable in a tad under 10 seconds, and seeing as that too was in an article that Dan wrote, I'm sure he can confirm that for you.
Also whilst the focus appears to be on 10 Yr old technology at the moment ie IE6, we're all overlooking some major points. The attack is also vectored by a malicious web site, social engineering and sloppy work practices. How the attack in the wild will vary is anyone's guess. However I'm sure less gullible people than the leading tech officers at leading tech firms will fall for some scam one way or another.
If they're still using an unpatched version of IE6 on a pre SP3 version on I would guess an unpatched XP os, and it appears at the moment that only 34 companies actually fit that bill.
Stop bashing IE6 and its lack of standards support. IE 6 is 9 years old. Something which seems to be forgotten by its critics (or maybe they were still spotty teenagers at that point). In 2001 there were no free standards compliant browsers. IE6 was a step up from the other free browser at the time and the ink had barely dried on the standards documents of the time. However big enterprise saw the IE as a way of internally standardising its work across a common tool (IE6 - NOT HTML).
Intranets were developed based on IE6 NOT because the IT bods at the time were incompetent, but because there was no better solution. Especially one which could be linked into the existing MS Office infrastructure and/or developed in a largely wysiwyg fashion using Visual Studio. This is a key aspect. Well trained admin staff could and can hack something useful together using various MS tools - no need to pay external "IT consultants" 100 quid an hour to produce junk when you can get your admin staff to do it for free.
So the fact that intranets were built on IE6 in 2001 is not stupid or irrational. It was logical at the time. And, the fact that these intranets still require IE6 in 2010 is likewise not stupid or irrational. Why fix something that works?
No, IE6 is not lock in. Nor is the NHS (one of the world's largest employers) stupid to still support it. The idiots are those who ignore it and pretend it doesn't exist or ridicule those still using it. Would you rather the NHS spent 1 billion upgrading its systems to IE8 (or FF or Chrome or Opera or whoever) or 1 billion on hospital equipment? We develop sites mainly for the UK health care, charity and council sectors. The stats for most of our sites indicate 25% market share for IE6.
"Intranets were developed based on IE6 NOT because the IT bods at the time were incompetent, but because there was no better solution"
No, they were developed for IE6 because it was already built in to Win. That was MS's strategy (it worked!) and it's why the EU got annoyed. IE6 wasn't the best solution, but when your exec says "why do you want me to spend time and money getting another browser approved when there's one already there?" do you argue, or do you just go with the flow? Remember, it's not your neck on the line unless you force through another browser.
Vendor lock in doesn't mean you can't move to another solution, just that it's expensive to do so. IE6 falls into that definition.
As to "why fix something that works" - depends on your definition of works I guess. The solutions do what they say on the tin, but they also leave a gaping hole in your corporate security. Would you say that a corporate webserver that works (i.e. serves pages) but also gives unrestricted access to the corporate network doesn't need fixing?...
IE6 was built into Windows, but seriously, what else would you have used in 2001?
Firefox wasn't around then, and Opera was ad-riddled crapware. Safari didn't even exist on the Mac, let alone Windows. Netscape was dead in the water and Mozilla hadn't reached a stable release.
I know we have a rich and competitive Windows browser market now, but this simply wasn't the case 9 years ago. As much as you'd like to deny it, IE6 really was the best solution back then.
Opera's been a flexible, fast, standards compliant, multi page web browser since 1996 and Windows 3.1 and 95. But back then you had to buy your copy (shareware trial). Which I did. Between 2000-2005 you could have it free with advertisements displayed. Since then you can just have it free. You can have pages without graphics for speed until you press the magic button, and you can have over-wide pages zoomed or rearranged to fit your screen or window size. Microsoft's own web sites deliberately test whether a user is using Opera and then send ugly or broken web pages back. Really. Or, they used to; mostly Opera works well now even on Microsoft sites. Now Google I don't know about.
If running advertising in software offends you, remember that you now have to hate and despise Microsoft Office as well. Its new version runs commercials too.
My point re the intranets is to not think of IE6 as a web browser - but as a desktop app that can access an internal network in a standardised manner. As for the security issues. In the sort of organisation where it is forbidden/not possible to upgrade IE6 one would assume the network admins have locked it down with very high security settings as well as removed admin rights from local PCs and have firewalls in place and banned access to 99% of the web etc.
Also,re vendor lock in and in-built browsers: what else would they have chosen in 2001?
Remember: all browsers were essentially new at the time (I know they have been around since the early 90s, but I'm referring to them as a consumer product). So if your choice of product is going to have consequences 10 years down the line are you going to choose from something new from a young startup or are you going to choose something new from an established computer software giant? It's not MS's fault that companies like IBM, Sun or Oracle (ie companies big enough to be a good bet to be around in 2010) didn't bother to produce a web browser. I am sure there are plenty of intranets built on Oracle that are tied to IE6.
I don't agree that IE6 was vendor lock in at the enterprise level. It is for the home user since they won't know the difference. But at the enterprise level? Sorry there was no other choice in 2001 and it was not due to vendor lock in.
I think it's you who is lacking in familiarity.
How was Netscape any better at standards compliance than IE6? We're talking about 2001, not 2003 or whenever Firefox came out. And we're talking about intranets not public websites. IE6 is still around because that's what many intranets are still geared towards, not because anyone (including MS) actually think it is a good browser.
"MS went out of their way to ensure IE6 and its developers wouldn't follow standards."
This was only true after 2001. MS went out of their way not to develop IE6. When it was released it was no worse really than the other browsers around at the time. MS also went out of their way to ensure that it was easy for existing MS based developers to build stuff into it. That is why it got such wide spread support at the enterprise level. A bit like Firefox's plugin architecture made it a hit with web developers.
We can't use Opera/Firefox here for two reasons. One, our MMS uses IE. Plain and simple. Two, GPOs don't really work for Firefox and the buggers find ways around it. We whitelist applications installed to stop pocket browsers too. That being said, I do at least run IE8 (installed with GPO and IEAK rather than WSUS as we can then use mandatory profiles with generic installs and no nag screens).
Still, it's not hard and DOES seem to work.
Sorry for upsetting you and/or your boyfriend. Perhaps when some reality enters into your imagination you'll be able to comment objectively.
What started out as a story about Google wanting to exit China has drizzled out and down to a story about an IE6 previously unknown bug (which may or may not be news), into a story about a plain 'ol phishing attack, which happens everyday to countless numbers of people, only this time the victims were a bit more high profile.
The only embarrassing thing occurring here is a) you outing, and b) the complete lack of background, knowledge and reporting ability shown by either yourself and/or your boyfriend.
John, to put it simply, this story has been covered in one form or another countless times by the same author, and others and yet nothing changes, perhaps there's a moral there, or for you perhaps amoral there.
"...this story has been covered in one form or another countless times by the same author, and others and yet nothing changes, perhaps there's a moral there, or for you perhaps amoral there." Yes, there is a moral. Microsoft should fix Internet Explorer. Simple really!
You seem to be suggesting that Dan Goodin is anti-Microsoft. Seems to me that he reports largely on IT security issues. Since this whole story is about a security hole in a browser family that commands about 55% of the market share, your beloved Microsoft should be called on it! You'd be braying if this story was about Safari, Chrome or Firefox! You come across as a Microsoft zealot.
What's really embarrassing is your puerile retort. The fact remains that there is published security flaw and Microsoft seem to be doing sweet Fanny Adams about it.
So the fact that no-one else seems to have trouble browsing the office website didn't make you think "Maybe it isn't IE8 that is the problem."? You just twiddled a knob until the symptoms went away and investigated no further.
That's fine for the proverbial grandmother, who is unlikely to find the real reason no matter how hard she looks, but it certainly isn't a legitimate reason for a corporate IT department to stick with IE6 and its many known risks. At the very least, they should be taking steps to block IE6 as a client for external web-sites, thereby forcing everyone to use a better browser for everyday work.
The moral is obvious.
Yes you are right. And to be fair hindsight is 100% perfect.
No, in fact, I don't bray, and unlike you I manage to read all the comments, not just jump on the ones I don't like, I know this, because you wouldn't make such a sweeping statement about me if you had read all the comments to start with.
Yes, on a theme this story has been reported many times, a trojan attack against IE.
This one easily defeated, already many AV combat this. The attack is simply an XORed trojan payload and .Gif. How many times has this been reported, in one form or another.
In fact, I wouldn't be surprised if this didn't get patched by MS for a few months yet, AV, and any good Intrusion Protection software will stop this for a good long while yet.
But that's hindsight, so I still stand by what I said, only I'll reiterate one more point, that I haven't for a while against Mr Dan Goodin, scaremonger in chief.
FFS, let the story run without the sensationalistic crap that Dan gives it, it's not me alone who recognizes this shit for exactly what it is, pure shit, and boring at that.
The news was Google got hacked, and that should have been the point and focus. IE6 is 10 years old technology, I'm surprised an elementary kid can't rip the guts out of it.
Which brings me back to you Mr Anonymous Coward.