Slashdot Mirror


IE 6 & 7 Unpatched Exploit Goes Wild

Kolargol00 writes "Heise online reports the availability of an exploit (Google translation) for the yet-unpatched MSA-981374 affecting Internet Explorer 6 and 7. It has already been spotted in the wild by McAfee and integrated into the Metasploit Framework."

1 of 149 comments

  1. Re:tough titty says the kitty by Opportunist · Score: 3, Informative

    Most companies still using IE6 or 7 cannot.

    Usually you're facing a scenario akin to this: Some external company created a mission critical web application. Of course a web app had to be it, because it saves you a lot of dough because you don't need to create a frontend, it's already there! You also don't need to roll out anything, it's already part of the system!

    Since MS cares really much (/sarcasm) about standards, you had the choice: Doing it for IE, or for the rest. Since IE is part of every Windows installation, and you didn't want to roll out a frontend in the first place (remember, paradigms are to stick to, even if they become a problem, else your boss might ask "why did you want that in the first place?"), you will create that frontend for IE. IE 6 or IE 7, to be exact, because they, too, are only kinda-sorta compatible with each other.

    Fast forward to the present. The company that made your mission critical application already overstepped its allotted budget by about twice its size and is still busy fixing the odd bugs... provided the company still exists, that is.

    Are you the one going to your boss telling him that they should stop fixing bugs now and migrate the behemoth to IE8? He will ask for the reason. You tell him about the security problems. He will laugh at you and call you a scaredy-cat.

    That was the moment I quit my well-paid CISO position. It became too much of an ejector seat to be comfortable anymore.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.