Home / News / Software News / Microsoft Issues IE6 Warning After Role In China Google Hack

Microsoft Issues IE6 Warning After Role In China Google Hack

Gordon Kelly

by

Microsoft Issues IE6 Warning After Role In China Google Hack

Anyone with a modicum of tech savvy knows to avoid Internet Explorer 6 like the plague (actually more so, we've cured the plague) - but for everyone else...

Following its unfortunate role in the Chinese Google hacks, Microsoft has made a formal statement about the vulnerabilities of the aged browser and also suggested - guess what? - don't use it!

"Microsoft is aware of public exploit code released that impacts customers using Internet Explorer 6 and of limited, targeted attacks attempting to use this vulnerability against Internet Explorer 6. As a result of the reports we released an update to Security Advisory 979352 to alert customers and provide actionable guidance and tools to help with protections against exploit of this IE vulnerability."

"Customers using Internet Explorer 8 are not affected by currently known attacks and exploits due to the improved security protections in IE8," it continued. "Microsoft teams are continuing to work around the clock on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing an out-of-cycle security update. Obviously, it is unfortunate that our product is being used in the pursuit of criminal activity. We will continue to work with Google, industry leaders and the appropriate authorities to investigate this situation."

Microsoft will issue further updates via its 'Security Response Center Blog'.

Of course all of this could have been avoided had consumers (and most predominantly) companies upgraded their PC browsers - but, unfortunately, this is easier recommended than followed. We're no big fans of Internet Explorer (6 or otherwise) at TrustedReviews and you'll find most tech enthusiasts aren't. Given its massive install base it is the first point of attack for hackers who also know it is the browser of choice for most casual users who don't know about the alternatives.

Of these in terms of performance, stability, use of system resources (especially for older machines) and overall simplicity I'd recommend Google Chrome - especially the latest beta. But whatever your browser choice the key message is simple: don't make it Internet Explorer 6.

Update: This much needed patch for IE6 is now out. Microsoft TechNet has details.

Link:

Security Response Center Blog

IE6 Patch (Don't patch it - upgrade)

Pbryanw

January 18, 2010, 7:15 am

In other news, The German government has warned web users to find an alternative browser to Internet Explorer to protect their security: http://news.bbc.co.uk/1/hi/tec...





Here's hoping the British government follow suit (what's that a flying pig..I'll be da...)

ilovethemonkeyhead

January 18, 2010, 11:32 am

try and get the millions of businesses who are totally apathetic to this kind of thing and are just too damn near lazy to change their browsers - they use the tired excuse of "it's more compatible with the 2 websites that would take 5 minutes to make it work with other browsers"





they'll be the death of us all

needlegun

January 18, 2010, 2:37 pm

One of the customers I support has nearly 17,000 users all on IE 6, and they've no plans to change any time soon worst luck.

BobaFett

January 18, 2010, 2:53 pm

What's most surprising is why Google employees would use Internet Explorer as their default browser, instead of Chrome or even Firefox perhaps. Makes me wonder whether this was all a conspiracy by Google to dent IE's market share.

Simon

January 18, 2010, 3:15 pm

@ilovethemonkeyhead Totally agree that they are apathetic about upgrading. At my work we (1200 staff) have to use IE6 and IT have locked down each PC to not allow any installation of software. Thank heavens for Portable Firefox running off a USB stick!

Kevsta

January 18, 2010, 4:22 pm

The problem with corporates is they remain on IE6 because a lot of their applications depend on it, and the cost of upgrading is prohibitively expensive.





one company that I did work for still used IE6 because the main sales app used by 25'000 people would cost £10'000 per node upgrade! And there were other applications that wouldn't work with anything other than IE6 that other departments used.





They estimated it would cost £100 million to upgrade all the client and server software because IE7 broke it. It works so they don't upgrade.

hankb6d

January 18, 2010, 4:29 pm

@pbryanw





Yes the UK government have a stellar CV techwise LOL





A shame MS are not in a position to sue the BBC and the Germans, the sensationalism of auntie beeb is pathetic they are turning into Sky it appears. A similiar hole was found in FF but it does not grab a headline like rusty old IE /yawns.

Rickysio

January 18, 2010, 7:01 pm

@BobaFett





Because they aren't Google employees. Those that got haxxed were mostly human rights activists, who aren't Google employees.





And as for the retarded administrators who refuse to take the time and update the god damn browser, I keep bringing around my portable thumbdrive(s), 1 with a bootable copy of Ubuntu and the other with my documents and portable firefox. Ubuntu - because some administrators manage to wreck something in Windows and make running portable programs impossible (they consistently crash upon loading for some reason) - and because it makes the PC impossible to use for anyone else other than me. Singaporeans are in general tech-noobs, sadly/fortunately. ;D

Guest

January 18, 2010, 8:09 pm

Dear or dear, a lot of ignorance in here about how businesses operate! Kevsta is absolutely right in what he says. It is all about cost vs risk and very little to do with being apathetic. For a large organisation it costs an absolute fortune to test every business system with a new browser (and that assumes they work ok), get the browser integrated into their SOE and then deploy it out to the user community. They are not going to do it just so their employees get a better experience in Facebook and the like! Obviously they have to mitigate the security risks, but there are other solutions to that (which may well be a lot cheaper to them than replacing the browser). Also, in these tough economic times these kind of upgrades get pushed even lower down the pecking order.

Chris

January 18, 2010, 9:52 pm

@Steve32: Thanks for that. I was starting to feel that IT departments were under-represented...





It really boils down to a simple cost-benefit calculation. If the new browser costs more to install than the money it saves, then there's no point in doing it. Unlike consumers, business users don't upgrade their browsers just because they like the flashy graphics of the new version. IT Managers have to be able to justify why they're spending thousands to upgrade the software. It's hardly ideal, but that's the way the world works.





On top of that, I guarantee that if a company were to upgrade 1000 IE6 users to IE8 overnight, their support desk would be inundated with calls from end-users asking stupid stuff like 'Where are my favourites? I liked it before. What was wrong with the old version?'. This increases the overall cost of the upgrade, which has to be factored in.





It's this kind of layman attitude towards IT departments that really pi***s me off, which is one of the reasons why I moved from infrastructure to software development.

BobaFett

January 19, 2010, 6:00 am

@Rickysio: There aren't a lot of details to go on I'll admit, but Google does mention theft of intellectual property which one would hope happened by a Google employee succumbing to a zero day exploit rather than an exploitable hole in Google's public facing network. The latter would certainly be a scarier proposition and one that would make for much bigger news.





http://googleblog.blogspot.com...

ffrankmccaffery

January 19, 2010, 2:22 pm

And long may it continue to reign. One of the few advantages of IE6 is that it holds back developers from fully introducing exactly the kind of web 2.0 technologies that plague and clog the net.

montyburns

January 20, 2010, 2:06 am

@ffrankmccaffery: I see where you're coming from - inexperienced developers and, just as likely, ignorant CEOs and marketing types etc., can produce some truly sickening UIs on their sites these days.





However, I can't condone your belief that IE6's continued prevalence is a good thing. From an experienced web developer's POV, IE6 is a horrid, putrid piece of non-standards-compliant software and it is, in fact, IE6's continued existence and market share which, IMHO, is the cause of much of the bloat and dodgy UIs out there at the moment. Why? Because we web developers have to develop for the latest and greatest standards compliant browsers, the lowest common denominators (i.e. non-javascript enabled, text only, screen readers, etc), AND then cater for IE6 specifically! The first two are easy, the latter really does require dirty, dirty hacks. Until you've done at least some web development, I don't think anyone can know the pain! IE7 is infinitely better, and IE8 a tiny bit better still, but MS have really dropped the ball some years ago in the web browser market. I don't actually have anything against MS or their software in general, BTW.





I've done my time in large multi-nationals also and I agree with the guys describing just why it is so unimportant for them to upgrade or switch browsers - but I have to say it's a shame, and I wish some CTOs, etc., who care about the web and their users would encourage the change.





Oh, and how very dare you use the term Web 2.0! (just joking, but I do hate that term...)

MrGodfrey

January 21, 2010, 12:47 am

Chris and Steve32: I work in a large-ish organisation, which has indeed upgraded just under 1000 users from IE6 to IE7. It didn't happen overnight, but was done in a fairly short space of time. As it was IE7 and not IE8, the change was not too painful for average users, but still with significant benefits.





You joke about "flashier graphics" or Facebook being the motives for wanting to upgrade (so they don't block Facebook in your business? How trusting!) However I suspect that most people who have to use a browser for any extended period of time, simply want one which isn't atrocious. It stands to reason that IE6's faults cause time and money to be wasted, and not only in the event of someone exploiting the weak security. I assume this is also included in the cost-benefit calculation. But my experience suggests that when it comes to managers persuading their superiors of the benefits of any course of action, it's not just a simple cost-benefit calculation of which will cost or save more money - often it's just about which will cost or save more money IN THE SHORT TERM. And so I sympathise and wish you the best of luck in trying to persuade your bosses to let you fix or improve anything.





P.s. why is "Where are my favourites" a stupid question? That kind of IT department attitude to laymen p***es me off :P

Chris

January 22, 2010, 7:44 pm

@MrGodfrey: I can certainly agree that many upgrade decisions are made to save money in the short term, but I found it was often difficult to justify a potential cost saving until there's an obvious reason. The subject of this article would certainly qualify, and could very well spur many IT departments into an IE upgrade.





Just to clarify, I wasn't expressing my frustration at everyday users posing questions like 'where are my favourites?'. Handling such questions with objective sensitivity is part of the job. My frustration stems more from the common opinion that IT departments delay upgrades due to apathy, which is unfounded.

comments powered by Disqus