Zero-Day Attacks

Not so new, but here [pdf] is an interesting bit of research I only saw recently on Zero-Day attacks by some Symantec staff.

Zero-day attacks last on average 312 days, and up to 30 months, and they typically affect few hosts.... After the disclosure of zero-day vulnerabilities, the volume of attacks exploiting them increases by up to 5 orders of magnitude.

autopwn

Microsoft have recently released an advisory, "Microsoft Security Advisory (2286198) Vulnerability in Windows Shell Could Allow Remote Code Execution", for a new 0-day that is currently being exploited.

While it can be exploited via network or WebDAV shares, removable drives are the most likely vector for exploitation. A big part of that is our old friend, autorun, which has been the cause of problems before.

If you haven't yet disabled autorun in your organization, I strongly suggest you look into it. Microsoft have some details on how to accomplish this here:

Also I recently stumbled across this little gem from ex-MS (now Amazon) Security guru Steve Riley:

Well, it turns out that Windows will override this setting if you insert a USB drive that your computer has already seen. I received an email from Susan Bradley that links to an article on Nick Brown's blog, "Memory stick worms." Nick mentions the MountPoints2 registry key, which keeps track of all USB drives your computer has ever seen. I'll admit, I didn't know this existed! I'm glad Nick wrote about it, though.

Nick also includes a little hack that effectively disables all files named "autorun.inf." Interesting, but something in me prefers to make Windows just plain forget about all the drives it's seen. So now I will amend my instructions. In addition to what I wrote earlier, you should also write a small script, and execute it through group policy, that deletes the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

I hadn't seen that registry key mentioned before, but it looks well worth investigating...
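As an added illustration (not code from the original post, nor from Steve Riley or Nick Brown), here is the kind of small per-user logon script that Group Policy could run to do both things the post recommends: turn autorun off for every drive type and make Windows forget the drives it has already seen by deleting MountPoints2. It assumes it runs in the user's own context (so only HKCU is touched; the machine-wide HKLM policy value is normally set by the GPO itself), and that the documented NoDriveTypeAutoRun value 0xFF means "no drive types".

```powershell
# Added example: per-user autorun hardening for a Group Policy logon script.
# Both keys live under HKCU, so no administrative rights are needed.
$MountPoints2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
$PolicyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutorunPolicy {
    # NoDriveTypeAutoRun = 0xFF (all drive-type bits set) disables autorun
    # for every drive type. The policy key is created if it does not exist.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' `
        -PropertyType DWord -Value 0xFF -Force | Out-Null
    # Read it back so the caller can log the effective value.
    return (Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
}

function Clear-MountPoints2 {
    # Count the remembered drives before deleting, so the script can report
    # what it removed. Explorer recreates the key empty the next time it is needed.
    if (-not (Test-Path $MountPoints2)) { return 0 }
    $remembered = (Get-ChildItem -Path $MountPoints2 -ErrorAction SilentlyContinue |
                   Measure-Object).Count
    Remove-Item -Path $MountPoints2 -Recurse -Force -ErrorAction Stop
    return $remembered
}

try {
    $value = Disable-AutorunPolicy
    $count = Clear-MountPoints2
    Write-Output ("NoDriveTypeAutoRun set to 0x{0:X2}; forgot {1} remembered drive(s)." -f $value, $count)
} catch {
    # Fail loudly so logon-script logging or event forwarding can pick it up.
    Write-Error "Autorun hardening failed: $_"
    exit 1
}
```

Because the post's point is that Windows keeps per-drive state in MountPoints2, the key is cleared on every logon rather than once; the reported count is a simple way to spot machines that keep accumulating unknown removable drives.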

"Aurora" attacks

iSec has published a brief report [pdf] into the widely-reported "Aurora" attacks on Google (and others) that allegedly originated from the Chinese Government. The report provides an interesting insight into a recent sophisticated attack that I suspect few organizations would have been able to repel, and is well worth reading.

An important point from the end of the report is that the:
"...most interesting aspect of this incident is that a number of small to medium sized companies now join the ranks of major defense contractors, utilities and major software vendors as potential victims of extremely advanced attackers. This is concerning for many reasons, not the least of which is that even most Fortune-500 companies will not be able to assemble security teams with the diversity of skills necessary to respond to this type of incident."

IE? Nein! Nein!

No, Microsoft haven't released a successor to Internet Explorer 8 (yet!)

The Australian is reporting that the French and German governments have warned people against using Internet Explorer due to the (as yet unpatched) security vulnerabilities that were allegedly exploited by the Chinese Government in cyberattacks against Google.

While I applaud any government effort to help ensure their citizens are provided with information on how to stay safe online, how to detect and avoid phishing attacks etc, I'm not sure I can agree with a Government picking out (or picking on) a particular piece of software.

Microsoft certainly has had a number of long-running legal battles with the European Union, the most recent over their alleged browser monopoly, which was dropped after Microsoft agreed to include up to 12 other browser choices in European versions of Windows. Have this recent case and previous legal entanglements coloured the judgement of certain European government officials?

Microsoft are always the bad guys, the evil empire, the 800-pound gorilla, the easy target. It's something that comes with the territory of being so dominant in an industry. Windows and Internet Explorer have a less than stellar security record, but one that has been improving greatly since the start of their 'Trustworthy Computing' major security initiatives back in 2002.

Are they perfect? No. But no software vendor is (or is even close!), as every major vendor regularly releases security patches. Will these same governments recommend users stop using Acrobat next time Adobe faces a 0-day vulnerability? Or stop using Safari? Or Firefox?

The high-profile nature of the Google-China standoff (and I don't know what's worse, Google withdraws and the Chinese people are punished, or China backs down to Google...) has thrust browsers and vulnerabilities back into the limelight for 5 minutes, and I think some politicians want to have their soundbite heard. I think their time and effort would be better used in continuing education for their end-users and letting them decide for themselves what software they want to use once they understand all of the risks involved.

The danger in pointing the finger at Microsoft and Internet Explorer is that it doesn't address the fact that these sorts of attacks are out there and all software has flaws. It may give those people who do swap to Firefox or Safari a false sense of security 'because they're not using IE' (in much the same way I am critical of Apple's security attacks on Microsoft that paint OSX/Safari as being free of security problems). It seems to me to be a pretty shortsighted approach (but we are dealing with politicians, right?).

Or maybe it's an EU thing and they want everyone using Opera instead?

*EDIT*
While there seem to have been plenty of hysterical articles about dropping IE and changing over to (insert favourite browser) NOW!, this one is much more balanced and sensible.
