
After Google hack, Microsoft asks users to abandon IE6, XP

Microsoft is recommending that Windows XP and IE6 users upgrade both their …

Microsoft is using a widely publicized flaw in Internet Explorer as a way to push users to upgrade both their browsers and operating systems.

On its Security Research & Defense blog, Microsoft explains that while IE7 and IE8 on Windows Vista and Windows 7 both include the flawed code that was exploited in the recent Chinese attacks on Google, the publicly available exploit code only works against IE6 on Windows 2000 and Windows XP. So the company is urging users to think about upgrading their version of IE, or even their OS (which also results in a newer version of IE).

"As you can see, the client configuration currently at risk is Windows XP running IE6," the blog post reads. "We recommend users of IE6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP. Users of other platforms are at reduced risk. We also recommend users of Windows XP upgrade to newer versions of Windows."

Microsoft's relationship with IE6 and XP is complicated. On the one hand, the company refuses to drop support for IE6 and won't force users to upgrade away from it, and it still makes sure to offer businesses add-ons like Windows XP Mode as well as MED-V. On the other hand, the software giant runs mini campaigns and pushes for users to upgrade away from the ancient applications, usually citing security.

Still, this is the first time we've seen Microsoft actually recommend users upgrade because of a specific flaw, and not just away from IE6 but away from Windows XP completely. Microsoft doesn't say that newer versions of Internet Explorer and later Windows releases are invulnerable to the flaw, but it does explain that they have "reduced risk to the exploit" due to platform mitigations such as IE Protected Mode and Data Execution Prevention.

The company first explained these mitigations last week when it admitted that its own investigations into the highly organized hacking attack in late December had concluded that a Remote Code Execution vulnerability in IE was used by the perpetrators. That vulnerability is triggered by an attacker using JavaScript to copy, release, and then later reference a specific Document Object Model element; attack code may be executed if it is successfully placed in a random location of freed memory. Microsoft has yet to issue a patch.
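The "copy, release, and then later reference" sequence the article describes is a use-after-free: a script keeps a reference to an element, the element is freed, the freed memory is reused for data the attacker controls, and the stale reference is then dereferenced. The C program below is an added illustration of that lifecycle and of the ownership fix that closes it; it is not Microsoft's code or a reproduction of the IE bug. It uses a constructed toy heap (a few fixed-size slots where a freed slot is handed straight back to the next allocation) so that the reuse is deterministic and no real undefined behaviour is involved. The element type, the script handle and the refcounting scheme are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy heap: SLOTS fixed-size slots. toy_free() marks a slot
 * reusable and the next toy_alloc() hands back the lowest free slot, which
 * is exactly the "freed memory gets reused" behaviour the article relies on.
 * uint64_t storage keeps the slots suitably aligned for the struct below. */
#define SLOTS 4
#define SLOT_SIZE 32
static uint64_t heap[SLOTS][SLOT_SIZE / sizeof(uint64_t)];
static int in_use[SLOTS];

static void *toy_alloc(void) {
    for (int i = 0; i < SLOTS; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            memset(heap[i], 0, SLOT_SIZE);
            return heap[i];
        }
    }
    return NULL;
}

static void toy_free(void *p) {
    for (int i = 0; i < SLOTS; i++)
        if ((void *)heap[i] == p) in_use[i] = 0;
}

static void toy_reset(void) { memset(in_use, 0, sizeof in_use); }

/* A DOM-like element: a type tag, a reference count and a text payload
 * (hypothetical layout, sized to fill one slot exactly). */
#define TAG_ELEMENT 0x454C454Du /* "ELEM" */
typedef struct {
    uint32_t tag;
    int32_t refcount;
    char text[24];
} element_t;

static element_t *element_new(const char *text) {
    element_t *e = toy_alloc();
    e->tag = TAG_ELEMENT;
    e->refcount = 1; /* the tree's own reference */
    strncpy(e->text, text, sizeof e->text - 1);
    return e;
}

/* The script's handle to the element (the "copy" step). */
typedef struct { element_t *ref; } script_handle_t;

/* Vulnerable ownership: the tree frees the element unconditionally, even
 * though a script handle still points at it. */
static void tree_remove_vulnerable(element_t *e) { toy_free(e); }

/* Hardened ownership: every holder takes a reference and the element is
 * only freed when the last one is released. */
static void script_take(script_handle_t *h, element_t *e) { h->ref = e; e->refcount++; }
static void element_release(element_t *e) { if (--e->refcount == 0) toy_free(e); }

/* Runs the copy / release / reuse / reference sequence.
 * Returns 1 if the script's stale handle now sees attacker-chosen bytes
 * instead of a live element, 0 if the element survived intact. */
static int run_scenario(int hardened) {
    toy_reset();
    element_t *e = element_new("hello");
    script_handle_t h;
    if (hardened) script_take(&h, e); else h.ref = e;       /* copy */
    if (hardened) element_release(e); else tree_remove_vulnerable(e); /* release */

    /* A fresh allocation of the same size, filled with constructed filler
     * bytes (0x41); on the vulnerable path it lands in the freed slot. */
    unsigned char *filler = toy_alloc();
    memset(filler, 0x41, SLOT_SIZE);

    int corrupted = (h.ref->tag != TAG_ELEMENT);          /* later reference */

    if (hardened) element_release(h.ref); /* script drops the last reference */
    toy_free(filler);
    return corrupted;
}

int main(void) {
    printf("vulnerable ownership: stale handle corrupted = %d\n", run_scenario(0));
    printf("refcounted ownership: stale handle corrupted = %d\n", run_scenario(1));
    return 0;
}
```

The vulnerable path returns 1 because the handle now points into a slot full of filler bytes, which is the state an attacker needs before the dereference; the refcounted path returns 0 because the element is not freed while a handle exists. Mitigations such as DEP and Protected Mode act one step later, on what happens after a corrupted dereference, which is why Microsoft describes them as reducing rather than removing the risk.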
