To simulate a real-world situation, they used test systems running slightly-outdated Windows XP SP3, Internet Explorer 7, and Adobe Acrobat Reader 8. Other system elements such as Flash and Java were also left somewhat unpatched. Each product was installed on a separate physical test system and rolled back to a default clean state before each test. A "control" system was left unprotected to aid in analysis. For each threat, the researchers directed all of the systems to the same URL at the same time and observed their behavior.
Posted by rlssec