Early in the week it appeared that the exploit took advantage of a vulnerability in Internet Explorer 6, the version of Microsoft's browser originally released on August 27, 2001. Larry Seltzer blogged about Microsoft's ridiculously long support cycles demanded by corporate customers. Why any organization would allow the use of this nine-year-old browser is a mystery to me, especially at Google!!
Later in the week, we found out that the exploit could be retooled to exploit IE7 and IE8.
In conclusion, let me restate the perhaps obvious point that a defense-in-depth security architecture can minimize the risk of this exploit:
- Next Generation Firewall
- Secure Web Gateway
- Well-configured mail server
- Desktop Anti-malware that includes web site checking
- Latest version of browser, perhaps not Internet Explorer
- Latest version of Windows, realistically at least XP Service Pack 3, with all patches
- Database Activity Monitoring
- Data Loss Prevention
- Third Generation Security Information and Event Management