Time to move on from IE6 exploits?

"Guest blogger Sean Richmond from Sophos Australia (SophOz) wonders why organizations are still using Internet Explorer 6. One of my Twitter followers, @mcbazza, said a similar thing: “I’m an IT professional, and not using WinXP and IE6 was my idea”. Sean, the mic is yours…"

Sean Richmond - Sophos Australia
In a post on Google’s Enterprise Blog, Rajen Sheth writes “Many other companies have already stopped supporting older browsers like Internet Explorer 6.0 as well as browsers that are not supported by their own manufacturers. We’re also going to begin phasing out our support, starting with Google Docs and Google Sites.”

YAY! (disclaimer – I hate not having tabbed browsing and RSS feed support!)

Apple haven’t supported IE6 in their MobileMe site for ages (if at all…) since it can’t render the site in the way that it is intended to work, and now Google are seeing the same thing.

Since the kernel bug in Windows NTVDM – a subsystem designed to allow use of DOS (that’s Disk Operating System, not Denial of Service, for you young’uns out there) – raises the question of how long you keep a kludge alive, I wonder whether the same question applies here. IE6 is what, 9 years old? Are you still issuing phones designed in 2000 to your staff?

Since IE6 was designed in the bad old days of Microsoft, before secure coding practices were the norm, it is far more likely to be exploitable, and there’s only so much that patches can do. And since Microsoft has released 2 new versions, why would you keep it?

Standards compliance? IE6 fails just about every standards test in the world. Try it yourself. Speed? It has the slowest JavaScript engine I’ve had the displeasure to use. Because it comes with Windows XP? So does Windows Update – use it! Advances in website security and usability will not be possible without browsers that know about and adhere to standards – HTML5 is just around the corner too, and you can bet that IE6 won’t be able to understand that! Yet according to Net Applications market share data, IE6 still accounts for 20% of browser queries to search engines. Maybe a prod from Google will help remove this aging non-conformist hippy of a browser from the cool new web 2.1 world of social networks, web applications and cloud services?

Internet Explorer 6 has proven to be incredibly open to exploitation, especially remotely. So should more web sites drop support for older browsers in the interest of fostering security? Perhaps. It would certainly make life easier for their web development teams and allow use of web 2.0 features with far more reliability.
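Before a site drops IE6, its owners usually want to know what share of their own visitors still use it, and whether the “MSIE 7.0” strings in their logs are really IE7 or IE8 running in Compatibility View (which advertises itself as MSIE 7.0 but keeps the Trident/4.0 engine token). The script below is an added example, not code from Sophos or from the original post; it assumes Apache combined log format and works on constructed sample lines embedded inline.

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines for this example; not real traffic.
SAMPLE_LOG = """\
10.0.0.1 - - [20/Jan/2010:10:00:01 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.2 - - [20/Jan/2010:10:00:02 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
10.0.0.3 - - [20/Jan/2010:10:00:03 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.4 - - [20/Jan/2010:10:00:04 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.5 - - [20/Jan/2010:10:00:05 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.249.78 Safari/532.5"
10.0.0.6 - - [20/Jan/2010:10:00:06 +1100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)"
"""

# In combined format the User-Agent is the last double-quoted field.
_UA_RE = re.compile(r'"([^"]*)"\s*$')
_MSIE_RE = re.compile(r'MSIE (\d+)\.')


def classify_ua(ua: str) -> str:
    """Map a User-Agent string to a browser family label.

    IE8 in Compatibility View reports "MSIE 7.0" but keeps its real engine
    token "Trident/4.0"; a plain MSIE check would over-count IE7 and hide
    the fact that those users already run a newer browser.
    """
    m = _MSIE_RE.search(ua)
    if not m:
        return "Other"
    major = int(m.group(1))
    if major == 7 and "Trident/4.0" in ua:
        return "IE8 (Compatibility View)"
    if major >= 6:
        return f"IE{major}"
    return "IE (pre-6)"


def browser_counts(log_text: str) -> Counter:
    """Count requests per browser family; malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = _UA_RE.search(line)
        if not m:
            continue  # no quoted User-Agent field: skip rather than guess
        counts[classify_ua(m.group(1))] += 1
    return counts


def ie6_share(log_text: str) -> float:
    """Fraction of requests (0.0 to 1.0) that came from genuine IE6."""
    counts = browser_counts(log_text)
    total = sum(counts.values())
    return counts["IE6"] / total if total else 0.0


if __name__ == "__main__":
    for family, n in browser_counts(SAMPLE_LOG).most_common():
        print(f"{family:26} {n}")
    print(f"IE6 share: {ie6_share(SAMPLE_LOG):.1%}")
```

Run it against a real access log by reading the file into `browser_counts`; the Compatibility View split matters because those users need no upgrade, only a change to the site’s own rendering hints, whereas genuine IE6 users are the ones a support cut-off affects.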

According to Secunia’s vulnerability summary report, IE6 is host to a whopping 184 publicly disclosed possible exploits; IE7 has 106, and IE8 has 30. With all patches applied there are still 23 unresolved issues. If you use SecurityFocus, the number of issues is closer to 480. As our Security Threat Report 2010 shows, most malware is being delivered via the web, so why make it easy for the bad guys?

The recent advice that switching from IE might be a resolution for an unpatched exploit got a lot of press, but is infeasible in most large organisations due to lack of central management capabilities in other browsers. But moving away from IE6 is certainly manageable – it’s a software upgrade. Admittedly there are issues of compatibility with applications that use IE as the renderer, but this may well indicate that it’s time to assess those applications as they may be vulnerable to IE6 exploits too. Microsoft’s Internet Explorer Compatibility pages may be of use, and the compatibility view can be used to allow individual sites to render as they would in IE6.

You might consider application control to help ensure you’re not still running ancient, bug-ridden software well past the manufacturer’s use-by date – or at least some form of compliance tooling to ensure that whatever patches are available are applied. But why not step up to the new decade with a shiny new, more secure browser experience?

Note: Michael Argast has posted a helpful guide on blocking IE6 using Sophos Endpoint Security and Control if you want to ensure all your users are using up to date browsers.