Editorial

Should you stop using Internet Explorer?

Microsoft has had a torrid time over the past week as governments and customers question the security of the popular web browser, Internet Explorer.

The issues began when Google disclosed that it had been targeted in a sophisticated cyber-attack. The breach, involving Internet Explorer 6, resulted in the theft of intellectual property. Due to the attack, and the background behind it, Google announced it will no longer be providing censored results for its Chinese Google search engine. Currently Google offers censored search results as part of an agreement with the Chinese government.

The news created waves across the world, and last week Microsoft admitted that an unpatched Internet Explorer 6 vulnerability was one of the vectors used in the targeted attacks against Google. To many the news wasn’t surprising. Internet Explorer 6, released in August 2001, is over eight years old. It has been subject to a number of high-profile vulnerabilities over the years. The alternatives that exist in the marketplace today are not only much improved in terms of features and standards support but, crucially, offer a greater safety net for online browsing. If you’re still using Internet Explorer 6 then, quite frankly, you’re mad.

Ed Bott wrote, shortly after the admission by Microsoft, that any IT pro allowing IE6 use in a corporate setting is “guilty of malpractice” and I couldn’t agree more. Unfortunately, in a corporate setting it’s not always as easy as hitting an upgrade button. Most corporate infrastructure is based on a global directory, email and intranet websites as the core ways of communication between employees. Updating and maintaining internal-only (intranet) websites is always a challenge for corporations, as many will have been left untouched for years with code specific to aged Internet Explorer versions. Websites are only the beginning; there are also custom applications and systems that utilize Internet Explorer that could be incompatible with Microsoft’s latest versions.

This week Microsoft began urging businesses and consumers to upgrade to Internet Explorer 8, explaining that its security benefits are far greater than those of Internet Explorer 6. However, for corporations and web designers there’s a continued reminder that for many years Microsoft ignored emerging and defined web standards in Internet Explorer, especially in version 6. Developers originally griped about the lack of standards support for Cascading Style Sheets (CSS) after the introduction of Internet Explorer 6 in 2001. At the time the software giant dominated the browser marketplace, and many would argue its actions slowed down web development. Flash forward to 2010 and it’s a whole different ball game. Microsoft’s market share is slowly ebbing away thanks to competitive and promising offerings from both Mozilla and Google. Microsoft improved its web standards support in Internet Explorer 7 and 8, and now it plans to extend that with 9, due later this year. But is it too little too late?

The question of whether to stop using Internet Explorer is one that many businesses and consumers are likely asking this week. Both the French and German governments warned their populations to cease using Internet Explorer due to the unpatched flaw. Currently the flaw exists in Internet Explorer versions 6, 7 and 8, but exploit code is only available for Internet Explorer 6. IE 7 and 8 are both unaffected for now because of the increased security of the software. Internet Explorer 7 introduced a phishing filter, protected mode to run the browser in a sandbox at low-level security rights (Vista only) and improved management of ActiveX controls. Microsoft improved security in IE8 by running the browser frame and tabs in separate processes and adding per-site ActiveX controls. Both IE 7 and 8 also include support for Data Execution Prevention (DEP) that prevents buffer overflow attacks.

So do these attacks mean you should stop using Internet Explorer? Simply put, no. Although it’s true that a vulnerability exists, Microsoft is currently working on a patch to resolve this as soon as possible. If you're still running Internet Explorer 6 then it's definitely time to upgrade. Neowin spoke to Cliff Evans, head of security and privacy for Microsoft in the UK, yesterday. Evans urged consumers and businesses to “look at this vulnerability in a broader context and think about what the risk is.” He argued that although the vulnerability exists, it’s highly unlikely that the average business or consumer would be targeted by the type of attack Google experienced. Evans insisted that “normal organisations have little to fear” over the recent attacks and that Microsoft recommends all businesses and consumers upgrade to Internet Explorer 8, especially if they are currently using 6. I questioned Evans over corporations who may be stuck on Internet Explorer 6 for compatibility reasons, but he urged them to look at their upgrade plans again. According to data from Net Applications (December 09), as a percentage of Internet Explorer use, IE6 maintains 36.57% and IE8 36.27%. Internet Explorer 7 lags behind with 27.11%. With Internet Explorer 6 still the most popular of all Internet Explorer variants, Microsoft is going to have a tough time convincing people to upgrade. Evans would not commit to a release date for the fix but said it was more likely that it would be distributed as an out-of-band patch shortly or as part of Microsoft’s monthly “patch Tuesday”, which is due on February 9.


81 Comments


Heh, Opera is for me as Windows is to Workgroups. I haven't used IE8 in Win7; I did use Maxthon for a bit, then decided to give Opera a shot, and well, it works great: it's fast, stable, and it renders pages fine.

It's not a "bad" browser, just obsolete. We had to wait this long just for standards support? Give me a break. However, I do commend MS for their swift reactions to security concerns as of late.

The most dangerous stuff is when you didn't do updates =='... it will be a real problem for anyone who used pirated stuff LoL... but some are still able to update, actually, with some tweaking...

The first thing people should understand is that for any browser, most vulnerabilities require a person's computer to be specifically targeted for an attack. That in mind, the average user doesn't have to worry; it's typically large organizations like corporations or government institutions that have reason for concern.

Security companies like to make people paranoid, though.

I've used IE since the first release and hate change, but even I've downloaded Firefox in the last couple of years. I need more options in IE, I need to be able to move toolbars like I could before IE7, and most of all I need MS to listen when we ask for things. Since the demise of add-ons like IE7Pro and IEPlus I've just got nothing.

A very good article. Microsoft's advice should come as no surprise to businesses. As the article has stated, IE6 is over 8 years old, and with this amount of time businesses should have put into place upgrade plans. After all, IE7 has been out more than three years, and IE8 almost a year. I can appreciate that it can be very hard to upgrade browsers across a business, but the plans for doing this should ideally have been worked out and implemented several years ago. I don't know how a business can expect to be secure, whilst using a very outdated browser.

I find it interesting that no news posts exist about critical vulnerabilities in Firefox 1 but someone abusing a 2 version old version of Internet Explorer gets 2 posts.

No, because SharePoint and all the business apps don't play well with FF or Chrome. We'd be having this same conversation if Mac owned the OS market and there were security issues with Safari.

Interesting revisionist history in this post.

Internet Explorer was the FIRST browser to support CSS. IE 6 had leading CSS support when it was released, easily besting Netscape.

This article is written as if Firefox existed when IE 6 came out, which is absurd. Nobody had better CSS support (and CSS2 was greatly in flux and not yet close to stabilizing), so it's really weird to retroactively fault IE 6 for not supporting future standards better.

The only reasonable gripe against IE is that it wasn't updated for so long between 6 and 7. MS gets some blame for this, but not all of it. The government smacked MS around pretty hard over IE, making it difficult to invest in. And there were no viable competitors. Without competition in any market, development stagnates.

Indeed, I agree. As you have said, I think the only reasonable argument is that Microsoft took over five years to update IE6, by which time CSS had changed considerably, but of course it wasn't just Microsoft who was responsible for this problem.

I'd certainly upgrade anything other than IE8 - but in saying that I don't tend to use IE much at all anymore as I feel there are far better browsers out there in general. Why stick with just IE?

What a helpful bunch of comments we have here. My company still uses Windows 2000 Terminal Services; the cost of upgrade is horrendous. So for the time being I'm stuck with IE6 and all the vulnerabilities. Windows 2008 (for Terminal Services) is a total mess, and there's little point going to Windows 2003.

No doubt that Microsoft will wash its hands of those using old FAULTY software, and tell people they must upgrade to the new FAULTY software. The fact is Microsoft built monsters, and their only answer is to continually patch their FAULTY software, IE6, IE7, IE8 and no doubt IE9.

To hell with the smart a$$es commenting here, condemning the 36% of people who are using old browser or O/S. The fact is Microsoft's software sucks, as does their attitude to their customers and all the companies they destroyed over the years. Just get on and fix the bugs in this horrendous spaghetti code. If needs be charge support for those running older software.

The problem isn't that people don't want to or just ignore advice about IE, but software support at the Enterprise level isn't as easy to upgrade as at the consumer level. Many enterprise applications currently in use are written to be compatible with IE6 architecture, and financially it does not make sense for corporations to pay for new licenses to upgrade their software just for IE... and this is a problem because it leaves them vulnerable to such attacks. Unfortunately this is how it will stay for a while and personally I cannot blame them. Upgrading their software can likely cost upwards of millions of dollars.

It's an old version that Microsoft already said people should have upgraded. You can't blame Microsoft nor Internet Explorer for people's stupidity. That's like blaming the company that a person was hacked because he used Windows 3.1.

Tell ya what, one of the best posts I have read yet on this whole debacle. Unlike the Playground Child Joe Wilcox from another news reporting site... Tom actually went in depth with this. Great journalism. Myself, on the other hand, I barely use IE anymore except from time to time, but it is still a great browser to be honest. Good work!

Right now MS are playing catch-up in the browser arena. I doubt they'll be able to come at par with FX or Chrome in the next 1-2 years since they're yet to implement what FX and Chrome already offer. For them to regain browser share, they'll have to not only cover up lost ground but also deliver features, functionality and speed beyond what is currently offered by the rival browsers. Let's see how IE9 fares in this aspect.

I think it's safe to say that using any old/outdated version of any web browser poses security risks - whether it's Internet Explorer, Firefox, Safari, Chrome, Opera, etc. I'm sure if Firefox (or others) was the popular web browser back in the early 2000s, and people were still using old versions of it today, we would've seen Firefox getting the attacks.

As a web developer I am no fan of the Trident engine and would love for it to disappear, but since that is not the case, just let IE6 DIE. It's almost a decade old. The security in 7 and 8 is no worse than FF or any other browser. (Stop saying 'But people can turn off DEP', etc. People can click yes to install a virus; that doesn't mean the system is at fault, it means the USER is.)

After all the lawsuits, warnings, and what not, Microsoft made it almost idiot proof to keep your PC up-to-date and secure. But alas, people still cling to antiquated technology for one reason or another. This is the year 2010; you'd think businesses would have learned to plan ahead and work around IE 6 and other restraints. It's not only unprofessional and embarrassing, but downright dangerous.

This is the result of a web browser with poor standards compliance becoming the leader of the market: people stick to it, because some stuff just doesn't work if you don't use it.

However, I still don't think that justifies not updating to IE8.

Raa said,
Uhh, no. You should be using IE8 as it totally rocks.

Fail. IE8 is nothing but a browser. No extensibility, no nice features outside of Protected Mode, which doesn't even matter as half the world seems to be idiotic enough to shut off UAC. No, IE8 does not rock. Oooh it's somewhat faster. Whooptee doo.

What it really shows is the stupidity of the people who run our countries who have no idea what they are talking about. Bunch of idiots they are.

I could put money on Microsoft losing market share over this issue; however, a lot of businesses use a closed internal network, and IE6 "works" for them. However, IF the machine has access to the net then security measures beyond a browser should be taken. Not that the browser doesn't matter; admins 'should' update it or jump off the IE ship completely.

Nicholas-c said,
I could put money on Microsoft losing market share over this issue; however, a lot of businesses use a closed internal network, and IE6 "works" for them. However, IF the machine has access to the net then security measures beyond a browser should be taken. Not that the browser doesn't matter; admins 'should' update it or jump off the IE ship completely.

In the end some bad press is good for us because it forces a company to work more and make a product better. In the past if MS has been hit with some major negative PR they redid code and made stuff better.

Case in point, XP SP2, IIS (got a total rewrite with v6) SQL, etc etc.

Even IE, no one can say that IE7 and 8 aren't a major step up security wise over IE6.

GP007 said,

In the end some bad press is good for us because it forces a company to work more and make a product better. In the past if MS has been hit with some major negative PR they redid code and made stuff better.

Case in point, XP SP2, IIS (got a total rewrite with v6) SQL, etc etc.

Even IE, no one can say that IE7 and 8 aren't a major step up security wise over IE6.


Bad press is good? Like the Bad Vista FUD that caused people to stick to less secure Windows XP and prolonged IE6 life? Very good! Do you also think that being punched in the face is good because it makes you "stronger"?

Like I said before, and now I say it again... I have no sympathy for those people who are way behind the technology and still using IE6, and their security is way too open for attack. As a WEB PROGRAMMER, I hate those people very much... ****ing switch to a better browser already...

perochan said,
Like I said before, and now I say it again... I have no sympathy for those people who are way behind the technology and still using IE6, and their security is way too open for attack. As a WEB PROGRAMMER, I hate those people very much... ****ing switch to a better browser already...

Unfortunately IE6 is still used a lot in larger companies :-(
Luckily I was able to at least install Firefox/Chrome and use that for browsing the web; I would love to upgrade IE but that would break a load of stuff.

I stopped using it many years ago. Only occasionally I use it, because certain websites work better in IE.

I stopped using IE when Firefox 1.5 came out, except on those occasions when sites do not work well unless you use IE.
And since Chrome came out, I also stopped using Firefox; Chrome is SO FAST compared to all the others...

Older, legacy web apps that aren't compatible with IE7 and IE8 are the reason that most Small-Medium businesses and the Enterprise stick with 6.
But definitely, there should be a move away from IE6 if it's the cause of many vulnerabilities. If it's that much of an issue, use Firefox or Opera if the legacy apps support it and use IE8 for the routine browsing.

badblood said,
Older, legacy web apps that aren't compatible with IE7 and IE8 are the reason that most Small-Medium businesses and the Enterprise stick with 6.
But definitely, there should be a move away from IE6 if it's the cause of many vulnerabilities. If it's that much of an issue, use Firefox or Opera if the legacy apps support it and use IE8 for the routine browsing.

That makes no sense. You are saying FF/Opera would support a legacy app which IE6 did while IE8 won't? What they could do is rather use IE6 for internal apps and FF (or any other modern browser) for internet-facing websites.

Remote Sojourner said,

That makes no sense. You are saying FF/Opera would support a legacy app which IE6 did while IE8 won't? What they could do is rather use IE6 for internal apps and FF (or any other modern browser) for internet-facing websites.

Unfortunately, in the corporate world it is not that simple to distinguish intranet from internet and force users to one browser or another for a particular task. I work in a large enterprise, and am forced to use Firefox for some intranet apps, IE6 for some Internet Partner Apps, and a WebKit browser to view other internet/intranet hybrid apps from other vendors. I would appreciate just one browser, but unfortunately all of the 'Tech Gurus' throughout the years have built their products to support one bastardized standards implementation after another depending on their allegiances.


The browser ecosystem is just fine, and competition is healthy, as long as web developers do not intentionally code their site to break within the rendering engine of their least favorite browser.

garpunkal said,
Yes stop using the browser.

Use the better browser: Firefox


I don't like the Google keylogger built into this insecure single-process loud-mouthed browser that eats gigabytes of RAM.

garpunkal said,
Yes stop using the browser.

Use the better browser: Firefox

Firefox is actually the most crappy browser:
No sandbox (which makes it highly vulnerable to 0-day flaws, especially flaws coming from plugins like Flash Player), no tab isolation, it crashes often, Flash Player is even slower in Firefox than in IE (it uses more CPU, which means less battery life on a laptop).

Since there are more than 100 flaws discovered each year in Firefox (vs 30 in IE6), it is actually easier for hackers to find flaws in this browser. But since big business companies never use Firefox but almost always use IE6, malicious hackers are not (yet) searching for flaws in Firefox. They search for flaws in products that companies actually use.

link8506 said,

Firefox is actually the most crappy browser:
No sandbox (which makes it highly vulnerable to 0-day flaws, especially flaws coming from plugins like Flash Player), no tab isolation, it crashes often, Flash Player is even slower in Firefox than in IE (it uses more CPU, which means less battery life on a laptop).

Since there are more than 100 flaws discovered each year in Firefox (vs 30 in IE6), it is actually easier for hackers to find flaws in this browser. But since big business companies never use Firefox but almost always use IE6, malicious hackers are not (yet) searching for flaws in Firefox. They search for flaws in products that companies actually use.

And yet ALL security breaches involving browsers happen to be on your so called "better" browser IE, ALL, that tells you that number of flaws means nothing, since it's obvious Mozilla is actually patching the flaws unlike MS who would rather ignore the problem than fix it. And this BS that hackers aren't trying to find flaws in FF is just that, BS. FF keeps gaining ground every year and in some countries has already surpassed IE in users, so there's no reason to believe hackers aren't actively trying, just that Mozilla actually patches most issues before they can be exploited and MS won't move a finger till after the exploit has been published.

z0phi3l said,
And yet ALL security breaches involving browsers happen to be on your so called "better" browser IE, ALL, that tells you that number of flaws means nothing, since it's obvious Mozilla is actually patching the flaws unlike MS who would rather ignore the problem than fix it.

You're either supremely ignorant or out on a deliberate mission to spread FUD. The attacks are happening against IE6, and nobody is claiming that IE6 is a better browser than anything, even when put against such a craptacular product as Firefox.

Mozilla's security track record shows that multiple critical vulnerabilities exist in EVERY version of Firefox, even the latest and greatest. It leaks like a sieve, both in terms of security and RAM. Hackers may not yet be targeting it now, but there's no reason whatsoever that they can't. You're doing nothing but hanging onto a delusion of security, instead of real security.

z0phi3l said,

And yet ALL security breaches involving browsers happen to be on your so called "better" browser IE, ALL, that tells you that number of flaws means nothing, since it's obvious Mozilla is actually patching the flaws unlike MS who would rather ignore the problem than fix it.

They did fix the problem... they released IE7 and 8. They can't help it if businesses refuse to upgrade. Hell they could patch it and I'm sure many would take months to even bother applying those... it's happened before.

If MS is guilty of anything it's supporting older browsers as long as they do.

Edited by Smigit, Jan 21 2010, 2:41am :

You can never stop people trying to hack, just like we can never stop terror or racism.
The best that can be done is for M$ and MZ, Google to keep ahead of the hackers.

There is a high dependency on IE6 in Enterprise, but even Microsoft have urged the uptake of IE8 (over IE7). It's much more stable and secure. Enterprise needs to start making the move, even though the old mantra "if it works, don't fix it" still kicks around, this is a critical move for IT.

Antaris said,
There is a high dependency on IE6 in Enterprise, but even Microsoft have urged the uptake of IE8 (over IE7). It's much more stable and secure. Enterprise needs to start making the move, even though the old mantra "if it works, don't fix it" still kicks around, this is a critical move for IT.

Once more businesses move over to Win7 then IE6 will get dropped more. The best thing MS did was with XP Mode for Win7, if you really need IE6 you can run it under that for any intranet-only apps that for some reason or other don't work on newer versions of IE. And that VM IE6 basically can't screw around with your main Win7 host OS.

GP007 said,
Once more businesses move over to Win7 then IE6 will get dropped more. The best thing MS did was with XP Mode for Win7, if you really need IE6 you can run it under that for any intranet-only apps that for some reason or other don't work on newer versions of IE. And that VM IE6 basically can't screw around with your main Win7 host OS.

A VM of IE6 isn't much of an option in the Corporate World. Since it's Windows XP running in the background that is another OS to patch up. While that VM may not have direct access to the hdd, you're using that virtualized IE6 to access Corporate resources. An unpatched WinXP machine is not something you want in your office.

IE6 is the standard in our office because of all the intranet sites and custom apps. IE7 is available, but that's on a limited basis and with a warning that some apps may not work. Once we roll out Win7, then we can finally get rid of IE6. Since that rollout will take a long time, that is plenty of time for procrastinating business segments to upgrade their sites/apps.

Edited by zeke009, Jan 19 2010, 6:39pm :

zeke009 said,

A VM of IE6 isn't much of an option in the Corporate World. Since it's Windows XP running in the background that is another OS to patch up. While that VM may not have direct access to the hdd, you're using that virtualized IE6 to access Corporate resources. An unpatched WinXP machine is not something you want in your office.

IE6 is the standard in our office because of all the intranet sites and custom apps. IE7 is available, but that's on a limited basis and with a warning that some apps may not work. Once we roll out Win7, then we can finally get rid of IE6. Since that rollout will take a long time, that is plenty of time for procrastinating business segments to upgrade their sites/apps.

You can run XP Mode with IE 7 or even IE 8 (as you correctly pointed out, it's still XP, and IE 8 is available). If the apps need patching, that is still something that the enterprise doubtless needs to do anyway because of other issues (while security is the biggest one, there are doubtless other issues that would be mitigated by "patching up", such as performance). Security issues indicate that something is broken, and needs fixing; so "if it isn't broke, don't fix it" does not apply. (Patching up DirectX 9 (to 9c) in Windows XP, for example, is a lot more than a security fix (though that is the largest vulnerability); the 9c upgrade also addresses several performance issues DX-wide.)