Why not Yellow?
Last Updated: 2010-01-17 00:37:02 UTC
by Mark Hofman (Version: 1)
A few people have written in to ask us why we have not gone to Infocon Yellow regarding the IE 0 day.
Changing the Infocon is a decision not taken lightly as we do know that people look at ISC and based on the infocon, react. Our definitions of when to change are also different to many other organisations and this causes some confusion in some readers. For example McAfee at the moment is at Critical, Symantec and Trend Micro are at Elevated, we are at Green for business as usual.
A number of reasons went into the decision not to raise the Infocon level. Currently there is no real evidence that "aurora" is wide spread, we have certainly not been inundated with reports. An exploit is available in Metasploit, but as far as we are aware at this moment there are no automated tools taking advantage of the exploit and widely attacking the internet. The exploit currently affects a version of the product that is two major revisions behind the current release, and should really not be widely used anymore. Easy work arounds are available by utilising other browsers or products, signatures are available from the AV vendors and the patch should be available in the next 3-4 weeks. From an Internet perspective the issue is currently very very low impact.
That said there are a number of things that have happened that we should all be aware of. The Google hack, malicious PDF files, there is an increase in FakeAV, and there will be scams relating to Haiti. Likewise there is a big chance that the "aurora" module will make an appearance in the various attack packs.
For now we will be monitoring the situations and keep you posted as usual.