It’s time to stop using IE6

Over at ZDNet, I’ve got a new post on the details behind the recent successful cyber-attack on Google, Adobe, and dozens of other large corporations. After looking at the evidence, I’ve concluded that the risks of using IE6 outweigh the costs of switching:

Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice. Think that judgment is too harsh? Ask the security experts at Google, Adobe, and dozens of other large corporations that are cleaning up the mess from a wave of targeted attacks that allowed source code and confidential data to fall into the hands of well-organized intruders. The entry point? According to Microsoft, it’s IE6.

The good news is that IE7 and IE8 are dramatically more secure, especially when run on Windows Vista or Windows 7 with Protected Mode and Data Execution Prevention.

For full details, go read It’s time to stop using IE6.

17 thoughts on “It’s time to stop using IE6”

  1. Mr. Bott,

    I just posted a comment at ZDNet but thought I’d drop one in here as well. My comment there had to do with helping on the server/provider side by having the servers at popular sites filter on the user-agent and respond negatively to IE 6.

    Here, I see that your blog is WordPress-powered. Have a look at the various plug-ins that are available to assist with this. Here’s a mangled URL, which I expect may get my comment put in the wrong bucket anyway, but oh well.

    http [:] // wordpress.org/extend/plugins/search.php?q=IE+6&sort=

    I can’t test with IE 6 (yay me!) so perhaps you’ve already done this, and I just can’t tell. If so, disregard.

    Colin

  2. Ed, you seem to miss the point. It wasn’t IE6 that was to blame in the case of the Google and Adobe security breach. It was IE in general – all versions on all available versions of the Windows operating system. Take a look at http://www.microsoft.com/technet/security/advisory/979352.mspx for more details.
    Btw, do you seriously believe Adobe or especially Google let users have IE6 installed in corporate domains? I so much doubt that.

  3. Mike, if you read the documents in question you will see that the exploit this has been traced to works only on IE6. The exploit doesn’t work on IE7 or IE8 because it is blocked by Protected Mode and by DEP. Third parties have confirmed that.

    And yes, I do believe that there are some systems within the networks of those two companies, possibly in China, that are using default installations of Windows XP, which ships with IE6. Many IT departments don’t upgrade client software as a matter of policy.

  4. It was Microsoft’s decision to bundle IE6 with Windows XP. Because of that decision Microsoft is forced to support IE6 until 2014.

    Installing IE7 or IE8 on older hardware brings some laptops or computers to their knees.

  5. It will be a wonderful day when the usage share for IE6 is so low that we don’t have to worry about coding for it! I love netbooks, but that was the one, major drawback as far as I was concerned, since XP shipped with IE6.

    Is there any specific reason Microsoft doesn’t have browser upgrades ship to general users with every other update they send? If I.T. groups are SO insistent on using an older version, they can just block those upgrades. My work does that. They filter out updates that conflict with their images or legacy apps. At least this would solve the problem of 15-20% usage share for all the computer illiterate grandmas out there that don’t think twice about it!

  6. Ed, how about a blog responding to all the “It’s Time To Quit Using IE6 and IE7 and IE8” hysteria.

    I’m sticking with IE8.

  7. Hmm… I had a netbook all last year with XP and since I use Firefox, I never manually upgraded to IE7 or 8. Many auto updates, but no IE upgrade ever came in.

  8. People can use some common sense by simply moving to a more secure browser like Mozilla Firefox, or Google Chrome. There is no excuse for companies or anyone for that matter to still be using IE6 in any form.

  9. Well I know that Youtube.com will be getting rid of IE6 support soon.

    IE6 may be doomed but is Firefox also doomed as well?
    Read this Infoworld.com “Why Firefox is doomed” article:
    http://www.infoworld.com/d/windows/why-firefox-doomed-143
    If you are a Firefox user AND you disagree with or dispute what is written there, go there and let the author know otherwise about Firefox. I’d also like to hear from Ed Bott what he thinks about that Infoworld article on Firefox being “doomed.”

    Oh Brett, there’s also Apple Safari and Opera web browsers available. You do know that these browsers also exist, right? I also use those web browsers on my machines.

  10. People need to realize that upgrading browsers at larger companies often involves upgrading and testing many other applications that use the browser. This is not a trivial task if you need to upgrade many other products at the same time.

    That said just about everyone should be on IE7 by now.

  11. EP

    I have read the InfoWorld article, which seems to consist of smoke and mirrors. Delays in development of browsers can happen at any time, and I think that Mozilla wants to make sure they deliver a solid release.
    Yes, I am aware of Apple Safari and Opera as alternative web browsers but do not like Safari’s performance on Windows at all. I haven’t used Opera so cannot give you an opinion on it.

  12. EP, Mozilla says they’re releasing Firefox 3.6 tomorrow. I don’t think there’s any question that the competitive landscape has gotten challenging for Mozilla, and the size and popularity of Firefox make development more difficult than in its early days. But Randall Kennedy is just being his usual bomb-throwing self with this article.

  13. Brett, I have used Opera since version 8.5 and it sometimes loads faster than Firefox. I only use it on web sites that aren’t complex. On more sophisticated sites, I use Firefox and the Seamonkey browser suite. Seamonkey is another underrated program I use to browse the web.

    Ed, I guess Randall likes to stir the pot about Firefox, so to speak. There’s been a discussion on Randall’s outrageous Firefox article at this mozillaZine forums thread:
    http://forums.mozillazine.org/viewtopic.php?f=7&t=1704965

    Back to the original point of dumping IE6, WinXP/Win2003 users should upgrade to at least IE7. I find some sites like YouTube may no longer work correctly with IE6. Win2000 users aren’t that fortunate – they have to either stick with IE6 or scrub IE6 off their W2K systems and just use Firefox or Seamonkey to surf the web.

  14. If people think IE is weak because of a vulnerability in a 4-year-old version, I’d like to see them run a 2006 version of FF or Opera. IE6 was outdated in 2006.

    Also, Ed, to quote you here:
    “And yes, I do believe that there are some systems within the networks of those two companies, possibly in China, that are using default installations of Windows XP, which ships with IE6. Many IT departments don’t upgrade client software as a matter of policy.”

    Pretty safe bet to say that’s their policy because they are running pirated copies of ancient versions of XP that will get flagged rather quickly by WGA when updated. Whether they were running ancient versions of Windows due to stupidity or piracy, either way they had it coming.
