One week ago Microsoft put an end to the biggest security story (so far) of 2010 with a patch for a critical vulnerability in Internet Explorer.
Normally this would not make headline news or prompt much further analysis, but the fact that this particular zero-day played such a large part in the Google compromise placed it under the microscope.
One question that stirred my interest was that the exploited browser was an out-of-date one, IE6. While Microsoft encouraged users to upgrade to IE8, there are claims that many are still not doing so. It is tempting to put this down to a lack of knowledge or understanding of modern threats.
I asked several commentators on their thoughts about the choice to upgrade, and the consensus was that people should do it. Wolfgang Kandek, CTO of Qualys, recommended that users upgrade their IE6 installations as quickly as possible.
“Unfortunately we still see many of our customers using IE6. We attribute that to the use of approved and working operating system images and to the natural tendency not to change a working setup. The Google/CN incident is a great opportunity for security professionals in all types of organisations to restart the discussion around the standard browser.”
Likewise Mark Shavlik, CEO at Shavlik, said: “I am of the belief that from a security standpoint you should run the most current software of any kind as it is likely there is more security built into it.
“Not every security fix or change made to fix security problems in current software versions is made public, and there is likely to have been a more secure practice used to create the newer code, as a security focus on all software is a fairly recent aspect of software development.”
The backlash against dropping the browser even produced a website, http://www.saveie6.com/, which Microsoft believed to be a spoof, but which shows a level of attachment to IE6 comparable to that seen for other legacy systems and software.
Could it be this attachment, rather than simple ignorance, that causes people to stick with IE6 and similar software? Is this the same reason that people fail to apply patches or upgrade software such as iTunes?
Jim Docherty, EMEA sales director at KACE, said that an audit of installed applications may surprise some IT managers as to whether IE6 is still in use within their organisation.
He said: “If IE6 is a crucial part of your business' workflow then work out when you will apply the patch - is testing necessary to ensure that the services still work? Or can you roll out straight away? You will need to check that the patch has been applied consistently across the business. This auditing activity is just as important as rolling out the patch itself.”
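The audit Docherty describes, checking both which IE version each machine runs and whether the update has actually landed, can be scripted. The following is an added example, not code from the article or from KACE; it assumes WinRM remoting is enabled on the target machines and that you substitute the KB article number of the IE update you rolled out for the placeholder `$PatchKB`. The hotfix check uses `Get-HotFix`, which reads the same installed-update list Windows Update reports, while the browser version comes from the Internet Explorer registry key.

```powershell
# Added example: audit IE version and patch state across a fleet of Windows hosts.
# Assumptions (not from the article): WinRM is enabled on targets, and $PatchKB
# is replaced with the KB id of the IE cumulative update you are tracking.
param(
    [string[]]$ComputerName = @('localhost'),
    [string]$PatchKB = 'KB000000'   # placeholder; set to the real KB id before use
)

# Runs on each target: report IE version, whether it is IE6, and whether the patch is present.
function Get-IEAuditRecord {
    param([string]$Kb)

    $ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue

    # 'svcVersion' is used by newer IE releases; older releases only set 'Version'.
    $version = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    $major   = if ($version) { [int]($version.Split('.')[0]) } else { $null }

    # Get-HotFix returns nothing (no error) when the update is not installed.
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        IEVersion    = $version
        IsIE6        = ($major -eq 6)
        PatchApplied = [bool]$hotfix
        PatchDate    = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

# Fan the check out over every host; failures to reach a host are reported, not hidden.
$results = Invoke-Command -ComputerName $ComputerName `
    -ScriptBlock ${function:Get-IEAuditRecord} `
    -ArgumentList $PatchKB `
    -ErrorAction Continue

# Summary first, then the exceptions that need action: still on IE6, or missing the update.
$total    = @($results).Count
$unpatched = @($results | Where-Object { -not $_.PatchApplied }).Count
$ie6       = @($results | Where-Object { $_.IsIE6 }).Count
Write-Host ("Hosts audited: {0}  IE6: {1}  Missing {2}: {3}" -f $total, $ie6, $PatchKB, $unpatched)

$results |
    Where-Object { $_.IsIE6 -or -not $_.PatchApplied } |
    Select-Object ComputerName, IEVersion, IsIE6, PatchApplied, PatchDate |
    Sort-Object ComputerName |
    Format-Table -AutoSize
```

Run it with a host list from Active Directory or your inventory tool (for example `.\Audit-IE.ps1 -ComputerName (Get-Content hosts.txt) -PatchKB KB...`). Hosts that are unreachable over WinRM show up as errors rather than as "patched", which is the behaviour you want in an audit: a machine you could not check is not a machine you can count as covered.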
Oliver Lavery, manager of vulnerability and exposure research team, for nCircle, said: “IE6 is nearly ten years old and pre-dates the migration of zero-day attack vectors from OS level buffer overflows to port 80 vulnerabilities. IE6 was not designed in an era when the industry really understood the implications of web browser security, and in fact, the many IE vulnerabilities in the early 2000s are really what alerted everyone to the issue.
“IE6 is fundamentally much less secure than IE8 regardless of patching. Yet IE6 still had the largest market share of any version of IE as of December 2009 at 20.99 per cent.”
He argued that this has created a situation of systemic vulnerability in many enterprises, because the software employees use every day is fundamentally not very secure.
The fact is that everyone should upgrade, and the message does seem to have got through, with a surge reported in downloads of Firefox. However, much as passion for 1990s gaming consoles remains, users' reluctance to change their browser for fear of losing bookmarks or history, or simply out of familiarity with the existing software, may continue to deter them.