There was and still is a lot of noise regarding the Internet Explorer vulnerability reported in Microsoft Security Advisory 979352 – including the normal discussion about which browser is most secure. A discussion I do not want to get into here but I think it is necessary to lay out the facts instead of all the rumors out there. George Stathakopoulos, General Manager in Trustworthy Computing and overall responsible for our response processes, published a blog tonight: Further Insight into Security Advisory 979352 and the Threat Landscape which is definitely worth reading for all of you.
I think the most important statements in there are:
The attacks that we have seen to date, including public proof-of-concept exploit code, are only effective against Internet Explorer 6. Based on a rigorous analysis of multiple sources, we are not aware of any successful attacks against IE7 and IE8 at this time.
So, if it really happens that you still run Internet Explorer 6, get off of it – as soon as possible. This basically has nothing to do with the vulnerability in discussion. This is a general security-related activity.
Customers who are using Windows XP SP2 should be sure to upgrade to both IE8 and enable Data Execution Protection (DEP), or upgrade to Windows XP SP3 which enables DEP by default, as soon as possible.