"Although the initial attack occurred when company employees visited a malicious web site, Alperovitch said researchers are still trying to determine if this occurred via a URL sent to employees via e-mail or instant messaging or some other method, such as Facebook or other social networking sites."
It still needed an employee to make the usual "install the dancing pigs"-style gaff while using IE6.
Also: Employees using IE6, inside Google, in 2010. Why weren't they using Chrome?
That'd be brilliant! Send a bug report that your site renders incorrectly in chrome but correctly in IE6. That's an almost guaranteed hit with a known browser!
"Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected."
Good security is multi-layered. Just because they relied on an old trick to get their foot in the door, doesnt mean they have bad security inside or at more sensitive parts.
It still needed an employee to make the usual "install the dancing pigs"-style gaff while using IE6.
Also: Employees using IE6, inside Google, in 2010. Why weren't they using Chrome?