The long release cycle of Internet Explorer is a very big problem for IE users; unfortunately, most of them don't even know what a browser is.
Note that I'm not recommending that anybody use IE. I'm just pointing out that it does get automatic updates, just like other browsers.
Users find that they hate trying to reboot (or start up) one day and then wait for 30 minutes while their computer does nothing more than display a "Now installing update 3 (of 30)..." screen. (This is especially obnoxious on big Windows Server installations where this process can take a server down for an entire weekend.) Or they hate being nagged all the time that there are updates available. Or they hate having their computer insist every five to ten minutes that it needs to be restarted now. Or they're gun-shy about it because an update once changed the layout of Windows Live Mail and left them completely confused about why it was suddenly so different even though they hadn't changed anything.
In one fun case, we had a corporate client disable automatic updates for their entire research lab because one night Windows update decided it needed to automatically reboot every single system there. They were running overnight experiments and came in the next morning to find that all of the night's data was missing or corrupted, costing them a day on a tight schedule.
Microsoft does software updates in a very, very wrong way, and that means that a rather large number of people think it's better to just ignore the updates.
Bullshit. It's time for us to get off our high horses and realize it's not 2001 anymore. Users know what a web browser is: it's the thing they use "to surf the internet." Just like MS Word is the thing they use to write a document.
Doing tech support work interacting with the generally computer non-literate is like civil service for the tech world. It's not pleasant but it expands your perspective, and many HN readers would do well to go through it.
If you are running IE on Windows XP and you've taken no other steps to protect yourself (like running EMET, SandboxIE, or another mitigation), then it's your own damn fault that you got owned. On the other hand, take a look at how many exploits for IE that Rapid7/Metasploit has that support Windows 7: 0.
The article specifically states that on Windows 7 the attacker obtains the privileges of the current user.
Microsoft's advisory agrees:
http://technet.microsoft.com/en-us/security/advisory/2757760
"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer."
What's more, most people run with administrator privileges on Windows 7/Vista/XP because that's the default.
I find packaging up 0-days into point-and-click downloads for Metasploit and the like akin to giving a small child a loaded gun, but that's me I guess. It will only encourage the digital vandals (the media call them hackers, bless).
Take the recent Java 1.7 vuln (3 weeks or so ago). Oracle released a patch 4 days after that exploit was rolled into Metasploit. I'm sure they'll tell you that's a coincidence, but it's still nice to see happen completely out-of-band from their normal patch process. Word around the campfire is that Oracle knew of that vuln for months w/out a patch. Then along comes big bad Metasploit and you've got a patch for everyone on Java 1.7. I call that a win.
As for embarrassing the vendor and highlighting their sloppiness, well, there may be some mileage in that. Though you would have thought vendors were a little bit more proactive.
Still, it's out there now, and in that evolution is a wondrous thing to behold at work: some will learn and some will not.
It's also important to note that some websites you may be familiar with could become compromised, and attack code added within iframes is very common, so it's best to just not use IE at all until a patch is released.
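The last comment describes the usual delivery path for a browser 0-day: a legitimate site gets a hidden iframe injected that pulls in the exploit page. As an added example, not code from this thread or from any project mentioned in it, here is a heuristic static scan of saved HTML (for instance a crawl of your own site, or the output of a `git diff` on deployed templates) that flags iframes which are both hidden from the user and pointing at a host other than the site's own. The site origin, host names and page contents below are constructed for the demonstration.

```javascript
// Added example: static heuristic scan of HTML for injected, hidden,
// third-party iframes. Host names and sample page are constructed.

const IFRAME_TAG_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const BARE_HIDDEN_RE = /(?:^|\s)hidden(?=\s|\/|$)/i;

// Parse the attribute text of one tag into an object with lowercase keys.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim();
  }
  if (BARE_HIDDEN_RE.test(attrText)) attrs.hidden = '';
  return attrs;
}

// Leading integer of "1", "1px", "-5000px"; NaN when there is none.
function leadingInt(v) {
  const m = /^\s*(-?\d+)/.exec(v ?? '');
  return m ? parseInt(m[1], 10) : NaN;
}

// "display : none; width:1px" -> { display: "none", width: "1px" }
function parseStyle(style) {
  const out = {};
  for (const decl of (style ?? '').split(';')) {
    const i = decl.indexOf(':');
    if (i < 0) continue;
    out[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return out;
}

// Ways an injected frame is typically kept invisible so the page looks unchanged.
function hiddenReasons(attrs) {
  const reasons = [];
  const st = parseStyle(attrs.style);
  if ('hidden' in attrs) reasons.push('hidden attribute');
  if (st.display === 'none') reasons.push('display:none');
  if (st.visibility === 'hidden') reasons.push('visibility:hidden');
  if (parseFloat(st.opacity) === 0) reasons.push('opacity:0');
  const w = leadingInt(attrs.width ?? st.width);
  const h = leadingInt(attrs.height ?? st.height);
  if ((!Number.isNaN(w) && w <= 1) || (!Number.isNaN(h) && h <= 1)) reasons.push('tiny dimensions');
  if ((st.position === 'absolute' || st.position === 'fixed') &&
      (leadingInt(st.left) < -100 || leadingInt(st.top) < -100)) reasons.push('positioned off-screen');
  return reasons;
}

// True when src resolves to a host other than the site's own. Relative URLs
// resolve against siteOrigin and count as first-party; about:blank is ignored;
// javascript: and data: sources are treated as off-site.
function isThirdParty(src, siteOrigin) {
  if (!src) return false;
  let u;
  try { u = new URL(src, siteOrigin); } catch { return true; }
  if (u.protocol === 'about:') return false;
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return true;
  return u.host !== new URL(siteOrigin).host;
}

// One record per iframe; suspicious when it is both hidden and off-site.
function scanHtml(html, siteOrigin) {
  const results = [];
  for (const m of html.matchAll(IFRAME_TAG_RE)) {
    const attrs = parseAttrs(m[1]);
    const reasons = hiddenReasons(attrs);
    const hidden = reasons.length > 0;
    const thirdParty = isThirdParty(attrs.src, siteOrigin);
    if (thirdParty) reasons.push('third-party host');
    results.push({ src: attrs.src ?? '', reasons, suspicious: hidden && thirdParty });
  }
  return results;
}

// Constructed sample: a visible same-origin video embed, then an injected
// 1x1 off-screen frame pointing at a made-up third-party host.
const SITE_ORIGIN = 'https://www.example.com';
const SAMPLE_HTML = `<html><body>
<h1>News</h1>
<iframe src="/player?id=42" width="640" height="360"></iframe>
<iframe src="http://stats-cdn.example.net/load" width="1" height="1"
        style="position:absolute; left:-5000px; visibility: hidden"></iframe>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of scanHtml(SAMPLE_HTML, SITE_ORIGIN)) {
    console.log(`${r.suspicious ? 'SUSPICIOUS' : 'ok'}\t${r.src}\t${r.reasons.join(', ')}`);
  }
}
```

A same-origin hidden frame or a visible third-party embed is reported with its reasons but not flagged, so the scan stays usable on pages that legitimately carry ad or video embeds; the thing worth alerting on is the combination. This is a regex-level check on saved markup, so it will miss frames that are created by script at runtime; diffing the served DOM against a known-good copy is the complementary check.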