As it happens: I was skiing last week (the weather was gorgeous) and now I am back (unfortunately) and confronted with the next Internet Explorer 0Day vulnerability, which is already causing noise – in my opinion too much for the real technical problem. If you read the Microsoft Security Response Center blog post called Investigating a new win32hlp and Internet Explorer issue, you will find the following facts – as far as we know them by now:
- The user has to be tricked into pressing F1 in response to a Pop-Up (no automation)
- We are not aware of any attacks exploiting this issue
- It is Windows XP “only”
This leads me back to the discussions I had with customers over the last few weeks: Windows XP was released 31. December 2001 – 8 years ago. If you give it 2 years of development and engineering time, we are talking about a 10-year-old operating system. During a discussion a friend of mine said “you are not driving a 10-year-old car either” – which is not accurate. If you look at how the threat landscape on the Internet has developed over the last 10 years, you should probably compare it with a 50-year-old car. The real problem with Windows XP, in my opinion, is that it is rock-solid – but not suited anymore for today’s threats. As you have a great alternative now, you should definitely consider moving to Windows 7. And you should move from IE 6 (if you are still there) to IE8!!
If I had one wish for you from a security perspective: Move to the latest version of your software – everywhere (knowing that this is not an easy task).