Migration to updated browsers encouraged to be at the top of resolution lists

News by Dan Raywood

The New Year should be a time for IT managers to begin a rollout of new editions of web browsers.

The New Year should be a time for IT managers to begin a rollout of new editions of web browsers.

Following the last Microsoft Patch Tuesday in December, commentators claimed that getting users off Internet Explorer 6 and 7 should be on the top of their New Year's resolutions for 2010.

Wolfgang Kandek, CTO of Qualys, claimed then that users ‘have to be migrated to a more modern browser, with the most viable options being IE8 with its well known patching mechanism or Firefox 3 with its more aggressive patching schedule'.

Commenting further, Kandek said: “The six bulletins in 2009 for Internet Explorer covered a total of 28 vulnerabilities: IE7 had 18 critical vulnerabilities, IE6 had 15, IE8 'only' had ten. However in December's bulletin IE8 actually had three critical vulnerabilities whereas IE6 and 7 only had two.

“This shows that the browser continues to be the most attacked and scrutinised piece of software in the user's repertoire. I still believe that the additional security technologies that Microsoft built into IE8 warrant its deployment, mainly the SmartScreen Filter, which helps to protects against phishing sites.”

Jason Miller, security and data team manager at Shavlik Technologies, claimed that Internet Explorer is relatively easy to roll out to an organisation as the install itself can be pushed out to client systems just like a patch.

However he recommended extensive testing of the IE8 browser in a business environment before installation, as there can be issues with certain web pages that are not compatible with the new browser.

Miller said: “With December's patch, there was a vulnerability that was publicly known that did not affect IE8. The previous cumulative security patch also had a vulnerability that did not affect IE8, but that vulnerability was not publicly known.

“It is a good administrative practice to upgrade older software such as IE6 and 7 to the latest version. But more often these ‘upgrades' still contain code from older versions of the software. Some vulnerabilities that are found in IE6/7 are still applicable to IE8 because it is code that has been reused.”

Data from Qualys showed that 88.3 per cent of its QualysGuard users work with IE6, while just 7.5 per cent use IE7 and 4.1 per cent use IE8.

Kandek said: “Changing the browser is a challenge for IT shops similar to changing the version of Excel or similar – they have to determine whether applications written in house can deal with the new browser.

“Applications from the outside are the contrary, they tend to work better with newer browsers, especially where heavy CSS processing JavaScript speed is concerned. Our new applications use heavily JavaScript/AJAX, etc and it is one of our QA concerns that the application has to work well under IE6.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews