Microsoft warns customers to upgrade from IE6 and IE7

Microsoft has provided further insight into a vulnerability affecting Internet Explorer 6 which was used in the attacks against Google recently.

In a company blog posting, George Stathakopoulos of Microsoft Security explained that the software giant is only seeing a "very limited number of targeted attacks against a small subset of corporations." He went on to explain that the attacks, using proof-of-concept code, are only effective against Internet Explorer 6. Based on testing, Microsoft isn't aware of any attacks on Internet Explorer 7 or 8 using the vulnerability.

Stathakopoulos urges customers to upgrade immediately to Internet Explorer 8. "We continue to recommend that customers using IE6 or IE7, upgrade to IE8 as soon as possible," he said. Microsoft confirmed it is monitoring the ongoing threats and that, although there are only limited targeted attacks today, this could change at any time.

Google said, in a blog posting on January 12, that in mid-December, they, along with a number of other large companies in the Internet, finance, technology, media and chemical sectors, were targeted in a sophisticated cyber-attack. This attack on their infrastructure originated in China, using Internet Explorer 6, and resulted in the theft of intellectual property. Due to this attack, and the background behind it, Google is now taking a second look at their operations in China, particularly Google.cn, where they currently offer censored search results as part of an agreement with China's government. Microsoft admitted last week that Internet Explorer 6 was one of the vectors used in the targeted and sophisticated attacks.

Microsoft originally released Internet Explorer 8 in March 2009. If you're interested in the new features of Internet Explorer 8 please check out our review.


49 Comments


I used to understand the defense of businesses with web apps that would have compatibility issues. I used to... when the argument was being made two years ago.

We've been hearing this excuse since Vista RTMed, if not before. So I don't understand any more. It's no longer about the effort. This is a matter of failed priorities. We're at a point where this is a matter of security and the protection of confidential information. No, no, wait--we've BEEN at that point. For a while now.

This is a mixture of laziness and epic failure to sell the importance of such an upgrade to higher ups.

HalcyonX12 said,
IE8 is still affected, so how will this solve the problem?

It is affected, but unless you have DEP turned off, you'll be fine. The code will not run.

One problem. What about those using Windows 2000 who can't upgrade to IE7 (let alone IE8)? LOL! Guess they'll have to use Firefox or Safari.

But yes, it's absolutely ridiculous that people are still using a browser that is ten years old!

It's funny, all the Macs at college are running the latest Safari version, all the PCs are still stuck on Internet Explorer 6.

.Neo said,
It's funny, all the Macs at college are running the latest Safari version, all the PCs are still stuck on Internet Explorer 6.


I'd file a complaint. There is no reason why student computers should still be running IE6.

still1 said,
why not IE8?

I also found that funny. IE 6-8 are all affected by this bug. IE 7-8 on Vista often not in practice though, thanks to the DEP protection and sandboxing. But if run on XP, these are also vulnerable, or if DEP is disabled.

So... All in all, regarding this bug, IE 7 is no worse off than IE 8, AFAIK.

Microsoft should include the same update mechanism which Firefox uses, every time the browser starts, it checks for new version and if any plugins have vulnerabilities and should be disabled.

kInG aLeXo said,
Microsoft should include the same update mechanism which Firefox uses, every time the browser starts, it checks for new version and if any plugins have vulnerabilities and should be disabled.
That only works with home users or a very bad business.. Also speaking as someone who deals with Firefox I find that to be very annoying.

Businesses aren't interested in change, IE6 has been around since XP, and they won't update it beyond security patches till they are forced to change OS's..

IMHO Updating IE6 should be considered a Critical Update.. Which is as much as MS can do to try and get business to do it.. as much as I hate IE, I don't think it's right to force anyone to update if they don't want to.

TCLN Ryster said,
Your upgrade to IE8 link goes to the Windows XP SP3 service pack, not the IE8 download page :)

Use the report button, that's what it's there for...

King Mustard said,
I thought the attack worked on IE 6, 7 and 8?

If I remember correctly it only does on IE7 if you turn DEP mode off and other such protections. IE8 is even harder to crack, especially under Vista and even more under Win7 with the added security that has over the others.

So, yes, the flaws are in IE7 and IE8, BUT, the changes to the security MS has added since IE6, if turned on and used, block this.

Of course users could just go ahead and turn them off and or just click yes to everything, in which case this is all moot.

Come on Microsoft! You force us all to upgrade to the latest version of Windows Live Messenger for security reasons, do the same with Internet Explorer.

Chris4 said,
Come on Microsoft! You force us all to upgrade to the latest version of Windows Live Messenger for security reasons, do the same with Internet Explorer.

Since Windows Live Messenger has never been bundled with Windows, they can do that.

DonC said,

Since Windows Live Messenger has never been bundled with Windows, they can do that.
Also because Messenger uses their servers..

IE is a program that can run without any input from MS.. And there is no way they are gonna force business to upgrade, not until their support agreement for Windows XP runs out and then you will never see another update for IE6 again..

As difficult as it is for businesses to upgrade from IE6 and IE7 to IE8, it really is something that needs to be done. IE6 should have reached the end of its life a long time ago now.

While I agree, I still think a lot of these problems would be nonexistent if MS didn't maintain certain types of software for years and years. Supporting some types of software, especially browsers, for backwards compatibility should only go so far.

nodii said,
Businesses are always slower at upgrading their SOE software. Common fact unfortunately.

Three years isn't slow, it is a statement that this has simply not been worked on at all.

The technology that would have mitigated these attacks has been out since October 2006. You can get a college degree in three years, so forgive me if I don't see this as a product of "oh, it is hard to update our software" so much as gross negligence and laziness on the part of some IT departments.

flocker said,
MS should make computers running <IE8 popup annoying stuff as they did with WGA...
Every website I code has such a pop-up :)

flocker said,
MS should make computers running <IE8 popup annoying stuff as they did with WGA...

I doubt that would make much of an impact looking at how Windows XP and Vista already are the perfect example of nagware.

TCLN Ryster said,
Every website I code has such a pop-up :)
Every time I come across a website such as that, I navigate away from it. It also loses any recommendations it may have gained from me.

It's not the webmaster's place to dictate what browser their audience should use. It's just arrogant.

waruikoohii said,
It's not the webmaster's place to dictate what browser their audience should use. It's just arrogant.

Agreed. It isn't impossible to support IE6, ditching support for it entirely is just lazy.
Of course this depends on the website you are building.