Is a fear of change the biggest challenge when it comes to encouraging upgrading to modern browsers?

Opinion by Dan Raywood

One week ago Microsoft put an end to the biggest story (so far) in 2010 with a patch to a critical update in Internet Explorer.


Normally this would not make headline news or especially cause further analysis, but the fact that the particular zero-day vulnerability played such a large part in the Google compromise caused the microscope to be placed upon it.

The story that followed the initial Google attack, which may or may not have been caused by Chinese hackers, then went via Adobe before claims of its involvement were retracted.

One question that stirred my interest regarding the vulnerability was specifically to do with the fact that this was on an out-of-date browser, IE6, and while Microsoft encouraged an upgrade to IE8, there are claims that people are still not upgrading. You can probably put this down to a lack of knowledge or understanding about modern threats.

I asked several commentators for their thoughts about the choice to upgrade, and the consensus was that people should do it. Wolfgang Kandek, CTO of Qualys, recommended that users upgrade their IE6 installations as quickly as possible.

He said: “IE6 was conceived and implemented ten years ago, at a time that the internet was in a different phase - there were less security threats and also less interactivity. Modern products like IE8, Chrome and Firefox are better equipped to deal with the JavaScript and CSS needs for modern websites and also have the security features that increase their inherent robustness.

“Unfortunately we see still many of our customers using IE6. We attribute that to the use of approved and working operating system images and to the natural tendency of not changing a working setup. The Google/CN incident is a great opportunity for security professionals in all types of organisations to restart the discussion around the standard browser.”

Likewise Mark Shavlik, CEO at Shavlik, said: “I am of the belief that from a security standpoint you should run the most current software of any kind as it is likely there is more security built into it.

“Not every security fix or change made to fix security problems in current software versions is made public, and there is likely to have been a more secure practice used to create the newer code, as a security focus on all software is a fairly recent aspect of software development.”

The movement led to the development of a website - – which Microsoft believed to be a spoof, but shows some level of compassion towards the browser that can be comparable to other legacy systems and software.

Could it be this level of interest, rather than a simple lack of knowledge, that causes people to stick with IE6 and other similar software? Is this the same reason that people fail to apply patches or upgrade software such as iTunes?

Jim Docherty, EMEA sales director at KACE, said that an audit of applications may surprise some IT managers on whether IE6 is still used within an organisation.

He said: “If IE6 is a crucial part of your business' workflow then work out when you will apply the patch - is testing necessary to ensure that the services still work? Or can you roll out straight away? You will need to check that the patch has been applied consistently across the business. This auditing activity is just as important as rolling out the patch itself.”

Oliver Lavery, manager of the vulnerability and exposure research team for nCircle, said: “IE6 is nearly ten years old and pre-dates the migration of zero-day attack vectors from OS level buffer overflows to port 80 vulnerabilities. IE6 was not designed in an era when the industry really understood the implications of web browser security, and in fact, the many IE vulnerabilities in the early 2000s are really what alerted everyone to the issue.

“IE6 is fundamentally much less secure than IE8 regardless of patching. Yet IE6 still had the largest market share of any version of IE as of December 2009 at 20.99 per cent.”

He claimed that this has created a situation of systemic vulnerability in many enterprises, as software used by employees is fundamentally not very secure.

The fact is that everyone should upgrade, and it seems that the message did get through, with a surge reported in downloads of Firefox. However, much as passion for 1990s gaming consoles remains, users' fear of losing bookmarks or history, or even a sense of familiarity with the existing software, may deter them from changing their browsers.

