HEAT Security Blog

Three Steps to Dump IE 6 … NOW

In my post some time ago about the newly released Windows 7, I made mention of a Gartner report entitled “Planning for the Security Features of Windows 7.” I want to revisit this report in a little greater detail – in particular, the statement “Use the migration to Windows 7 as the catalyst to get rid of IE6. Ideally, don’t wait on Windows 7 — do this now.” [emphasis added]

Internet Explorer (IE) 6 has been around since mid-2001 – about the same time as WinXP. Since that time, there have been three service packs (SPs), the latest in mid-2008. It has been criticized for not adhering to modern web standards – and for security holes too numerous to count. In fact, in mid-2006, PC World put it at no. 8 on the list of the 25 Worst Tech Products of All Time – and a campaign was started in the UK to Bring Down IE6. And, as we’ve discussed before, end-user website browsing is now the “Achilles’ heel” of most organizations – because the bad guys are intensely focused on attacking Web applications so they can infect end-user machines. Bottom line: to close a substantial security hole in your organization, you want to eliminate IE 6.

One might think something so unloved would not still be used in late-2009 when so many newer / better options exist. Interestingly, that’s not the case. Although the data varies tremendously (what was it Disraeli said about statistics?), here are some that I found which might shed some light on the matter. First are these figures from Browser News – there’s a good discussion on how these were collected and why “source 1” might be so high (and not merely mistaken) if you’re so inclined.

From W3Counter we get these values, collected in October 2009 based on “the last 15,000 page views to [the] 29,458 websites” tracked by them, which puts IE 6 at about 12.8% overall. Meanwhile, the data from W3Schools shows a gradual downward trend over the past year – ending up at about 10.6% in October 2009 (although they put Firefox, presumably all versions, at 10 points above all IE, which sounds a bit off to me). And finally, a little closer to home, the data from the Lumension website for the past month shows something similar to many of the broader studies – that is, that IE 6 usage is somewhere in the mid-teens overall.

[I recognize that some folks might think these data reflect, for the most part, consumer behavior; I think, however, that the data collected from the Lumension website, for instance, point to a sizable corporate use of IE 6. Those interested in delving deeper into this question might check here.]

So the data vary, but apparently there are plenty of IE 6 users still out there. [Full disclosure: as of this writing, it is in fact my (seldom used) backup browser – for which I’ll be trudging to the woodshed shortly.] Regardless of what the real figure is, the question has to be: how do you manage your folks off of it? I suggest you consider the following steps …

  1. Assess what people are using at the moment. There are several methods and tools out there to determine what folks are using, including various scanners (my favorite is this one, natch).
  2. Plan how you’re going to move folks up and then communicate with them to let them know that it’s time to upgrade. As Gartner notes, this migration should not be underestimated, as modern, standards-compliant browsers will “break” some sites – so testing is in order, especially if you include something new in your standard image. And don’t forget there are other browsers out there which, depending on what you do, might actually be better than even the latest version of Internet Explorer.
  3. Force the issue via your Group Policy Objects (GPOs) or other configuration tool (perhaps something that would force an upgrade), or even use your Network Access Control (NAC) to limit what folks are allowed to use when on your network.
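For step 1, an added example (not the author’s or Lumension’s tool, and not the scanner linked above): this script tallies IE versions from web-server or proxy log lines in Apache combined format, so you can see which hosts still show up as IE 6. The log lines and IP addresses are constructed for the example; the Trident-token handling keeps IE 8 in Compatibility View (which reports “MSIE 7.0”) from being counted as a real IE 7.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [03/Nov/2009:10:01:02 -0500] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.2 - - [03/Nov/2009:10:01:05 -0500] "GET /a HTTP/1.1" 200 812 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
10.0.0.3 - - [03/Nov/2009:10:01:09 -0500] "GET /b HTTP/1.1" 200 900 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.4 - - [03/Nov/2009:10:02:00 -0500] "GET /c HTTP/1.1" 200 700 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4"
10.0.0.1 - - [03/Nov/2009:10:03:00 -0500] "GET /d HTTP/1.1" 200 640 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""
UA_RE = re.compile(r'"([^"]*)"\s*$')      # last quoted field is the User-Agent
MSIE_RE = re.compile(r'MSIE (\d+)\.\d+')
TRIDENT_RE = re.compile(r'Trident/(\d+)\.\d+')

def classify(user_agent):
    """Return a label such as 'IE6', 'IE8 (compat view)' or 'Other'."""
    m = MSIE_RE.search(user_agent)
    if not m:
        return "Other"
    version = int(m.group(1))
    t = TRIDENT_RE.search(user_agent)
    if t:
        # Trident/4.0 is IE 8's engine (Trident/N maps to IE N+4). An "MSIE 7.0"
        # token next to it is IE 8 in Compatibility View, not an IE 7 install.
        engine_version = int(t.group(1)) + 4
        if engine_version > version:
            return f"IE{engine_version} (compat view)"
    return f"IE{version}"

def ie6_report(log_text):
    """Count requests per browser label; return (counts, ie6_share, ie6_hosts)."""
    counts = Counter()
    ie6_hosts = set()
    for line in log_text.splitlines():
        m = UA_RE.search(line)
        if not m:
            continue
        label = classify(m.group(1))
        counts[label] += 1
        if label == "IE6":
            ie6_hosts.add(line.split()[0])   # client address is the first field
    total = sum(counts.values())
    share = counts["IE6"] / total if total else 0.0
    return counts, share, sorted(ie6_hosts)

if __name__ == "__main__":
    counts, share, hosts = ie6_report(SAMPLE_LOG)
    print(dict(counts), f"IE6 share: {share:.1%}", "IE6 hosts:", hosts)
```

The host list is what you hand to step 2 (who to contact) and step 3 (which machines the GPO or NAC rule should catch); run it over the full log rather than the sample.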

[One contrarian position I’ve heard is that it’s more work to get rid of IE 6 than to manage the infections that might occur with continued use, especially with Microsoft still providing IE 6 patches. I don’t have the figures at my fingertips, but the all-in costs for an infection can reach into the thousands of dollars; factor in lost data, bandwidth impacts and so forth … and, well, of course you’ll have to do your own calculations, but I suspect that in the end a well planned and executed migration is cheaper.]

If you’re like most folks I talk with, the browser type / version used by employees in an organization is not something much contemplated (except for the “religious wars” in certain quarters). However, if you are concerned about the vulnerability of your network via the internet, I suggest you take a second look.

Now please excuse me whilst I upgrade my (backup) browser – as soon as I get back from the woodshed.

[Sheesh … I hardly get this post put to bed when my colleague Paul Henry alerts us to a new IE exploit; this one, Microsoft Security Advisory 977981, impacts IE 6 and IE 7 but not IE 8. As Brian Krebs writes in this post on his WaPo Security Fix blog: “Now might be an excellent time for diehard IE users to either upgrade to IE8, or to try out another browser, such as Firefox or Opera. Firefox, combined with either the Noscript or Request Policy add-ons, goes a long way toward helping users insulate themselves from these types of malicious attacks.”]
