It's time to stop using IE6
Summary: If your organization is still using Internet Explorer 6 on Windows XP, just stop. Stop it now. The marketplace is filled with credible alternatives to IE6, including significant updates from Microsoft, but some large organizations insist on sticking with this old, insecure platform. Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice. Here's why.
If your organization is still using Internet Explorer 6 on Windows XP, just stop. Stop it now.
The marketplace is filled with credible alternatives to IE6, including Mozilla Firefox and Google Chrome. If you need to use Internet Explorer because it's required for compatibility with specific websites or apps, you have alternatives from Microsoft itself. IE6 was replaced with the newer, more secure Internet Explorer 7 in October 2006, more than 40 months ago. And Internet Explorer 8 was released in March of 2009, nearly a year ago. Both browsers have large improvements in usability, including tabbed browsing, but their biggest selling point is security.
Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice. Think that judgment is too harsh? Ask the security experts at Google, Adobe, and dozens of other large corporations that are cleaning up the mess from a wave of targeted attacks that allowed source code and confidential data to fall into the hands of well-organized intruders. The entry point? According to Microsoft, it's IE6:
At this time, we are aware of limited, targeted attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other versions of Internet Explorer.
[…]
Newer versions of Internet Explorer and later Windows releases are at reduced risk to the exploit we have seen due to platform mitigations explained in the blog post below.
Under the "Mitigating Factors" heading, the Microsoft Security Response Center specifically notes that the exploit used in this case does not run under IE7 and IE8 in Windows Vista or Windows 7. You've got one extra layer of protection if you use IE8, even under Windows XP Service Pack 3, thanks to Data Execution Prevention, which is enabled by default.
The accompanying blog post from Jonathan Ness of the Microsoft Security Research Center Engineering group is even more blunt:
I want to make one thing perfectly clear. The attacks we have seen to date, including the exploit released publicly, only affect customers using Internet Explorer 6. As discussed in the security advisory, while newer versions of Internet Explorer are affected by this vulnerability, mitigations exist that make exploitation much more difficult.
If your organization is still forcing you to use IE6 on Windows XP, send this blog post to your CEO, your CIO, and every member of your company's Board of Directors. Be sure to include this graphic:
Yes, this vulnerability will be patched, probably within days. But the next one is just around the corner, or perhaps an exploit is being deployed right now. In 2010, with multiple alternatives available, there is no excuse for continuing to use an insecure Internet infrastructure.
IE6 users, it's time to move on. Your IT staff has had more than three years to come up with alternatives to IE6. If they can't handle it, maybe it's time to replace them, too.

Talkback
Is your organization still using IE6?
The UK's National Health Service
The NHS, the largest employer in Europe, refuses to upgrade to IE7, and deliberately downgrades PCs to Windows XP without upgrading the browser. This is blamed on compatibility and finances, and to be fair the companies who make a lot of software for Primary Health Care have done little to make switching easy, if anything. Costs, on the other hand, are ridiculous: the NHS is a sinkhole for money already, and this would save time and money.
Security issues have been pointed out and flat out denied by the IT departments. Often the decision to upgrade or not is made by the Health Care Trust in charge but I can say from experience that I haven't seen an NHS machine in the North West of the UK using anything past XP and browsers other than IE6 are discouraged at best.
* I write this as a Junior doctor working in Hospitals and General Practices. My family is in healthcare and we are constantly reminded that we aren't "allowed" to upgrade.
I suggest we stop using HTML altogether
Partly . . .
designed to be the one true presentation layer (at the time it was
conceived, that was probably DisplayPDF).
However . . . the history of IT in the last few decades is that we don't
really get a choice in what technology is used. Windows was the worst
available GUI system (compared to GEMM, OS/2, X-Windows,
AmigaOS, MacOS, and NeXT) - but it thrived.
With Web apps, I've seen my team's productivity become a quarter of
what it was a decade ago - but it is what people demand.
On the other hand, HTML 5/JavaScript 5 do at least approach things
from the perspective of application development, rather than a static
document focus. And far from being backward compatible, HTML 5
deprecates earlier HTML elements (browsers, of course, need to
remain backwardly compatible with earlier specs).
And I can't think of any security problems with HTML itself - as
opposed to, say, CSS Expressions, or some of the flaws that are
inherent in JavaScript's defined behaviour (which V5 will correct - the
ability to protect your objects from modification or access by third
party scripts).
The other alternatives (Flash/Flex) have their known security problems
too.
web apps, web services are not going away
services etc is foolish. It's become a highly
portable, very capable platform for delivering
applications via a network. It also makes the
concept of server deployed apps far more
feasible, easier to manage and deploy. The
problem is companies that are lazy about
upgrading their applications and more so,
companies like Microsoft for not enforcing an
expiration of these older legacy browsers. We
are heading into an age where web standards are
finally reaching some cohesion. Even Microsoft
is following suit with IE8. For years many web
developers have been pleading to get people off
of IE6. Hopefully this time some IT managers
and users will wake up to the problem and
upgrade.
Typical Government SNAFU.
*http://talkback.zdnet.com/5208-13604-0.html?forumID=1&threadID=73115&messageID=1417953&tag=content;col1
SNAFU = Situation Normal All F#%ked-Up
Don't know of many governments
Our main customers are
Our main customers, on the other hand, are still using XP and IE6 on many of their computers. One of them has recurrent security problems linked to how outdated their Information System is. As both their software provider and solutions consultant, we have been trying for several years to make them upgrade their system. Unfortunately some of their main IT managers are fighting our efforts with a passion. Fortunately, they are considering upgrading to Windows 7 before the end of the next year. So with some luck they will be almost up to date for 2012.
re
least want to upgrade people to IE7 or better yet
IE8, Chrome, Firefox etc. I know one of the
reasons is that they may have old internal web
apps that were built specifically for IE6. If
that's the case, don't they realize if they upgrade
to windows 7 (a good thing) there is no way to go
back to IE6? I don't get the logic?
Intranet sites & testing
Nobody wants to put up the budget to even test the sites to see if the fears are valid, let alone the budget to fix them if required.
It's gotta happen one day, though...
Corporate IT is usually extremely short sighted, at least at most of the large organisations I have worked. It's always seen as a drain on the organisation's budget, a necessary cost that needs to be minimised, rather than something that if you spend and plan wisely can boost your company's performance by providing good tools (e.g. NOT Lotus Notes, heh).
lol lotus notes
I had to use lotus notes =P
Nope
It's time to stop using IE
IE has been the bane of web standards for far too long, it needs to die. It doesn't even have a Firebug equivalent in this world of AJAX. How are you supposed to debug AJAX in IE?
It's time to stop taking any post of yours seriously
HP server management tools
I keep another one for twisted partner portals and management tools that require it, similarly locked down.
Some enterprises embraced .ASP and .NET (and MS Java) very early, and enthusiastically hired contractors to build them line-of-business applications around those technologies to migrate away from mainframes. Now they have neither the source code nor the skills to migrate away from IE6. No matter how much they wanted to adopt Vista they could not - and they did want to top to bottom and bottom to top. They will be among the last to adopt Windows 7 - and they will build in dependency on Microsoft platforms again, forcing a skip of the next generation of OS as well when dependencies for W7 prevent migration again. That's fine for Microsoft though because they're all on SA and are buying the licenses regardless. Sometimes IT is a theatre of the absurd. I have no doubt that the refresh of the HP management tools will require IE8.
These VMs and browsers are special purpose tools like SAE wrenches. They're not for every day use but handy when you need them.
The trap of IE6 continues with IE7 and IE8 BTW, and will continue to do so with ensuing versions. The nonstandard features of Microsoft browsers serve only to create dependency on Microsoft web platforms like Sharepoint and .NET - to our detriment. They ensure that I'll need VMs with version specific browsers from now until my IT career is done. It's sad, really.
There's no excuse for this nonsense. People who aren't Microsoft should know better than to implement web applications as browser dependent tools. They should have known this a decade ago. They get paid to know these things - it's just not professional. There are good standards and they work fine - see Google Maps for a nice example. If your app needs an interface more sophisticated than that it probably should be a client/server app rather than web based. I can see why Microsoft's partner portal requires Silverlight - but I can't see why any non-Microsoft website on the Internet or web management tool does. It's plain laziness.
Because...
Security is dealt with by seriously limiting what you can access from corporate desktops - no web mail, no social networking sites, no site classified as entertainment, sport, finance, etc. There are a few exceptions, e.g. reputable banks sites are accessible.
And some of us run Firefox with a few well-chosen add-ons.
AFAIK, ActiveX was used...
Another example why native code was used: try to use Firefox 2 on an old computer and visit a modern site with advanced UI (slashdot.org or gizmodo.com). How fast are they? So, using standard features of old browsers wasn't just enough. IE provided a solution that customers liked; Netscape just died.
So one point to look at it is a pay-off for getting ahead of the standards and not planning for consequences.
By the way the same continues with Flash. Nearly every site uses Flash one way or another, and it introduces another source of vulnerabilities.
No Compelling Reason to Move Beyond XP...
Yes, they require an organization to update most of its server infrastructure to Server 2008 R2, but I think these would be good reasons to upgrade.
With that in mind, I wouldn't go to Win7 as a "Blanket" upgrade, but perhaps as I am replacing workstations.
Windows 7 is a worthy secure upgrade.
with Vista. I felt there was no need to migrate
from XP. When I got windows 7 installed on my
workstation at work I immediately noticed it
was far more stable, less resource intensive
than Vista. Like Vista it was more secure out
of the box. In fact there are many things that
are disabled or not installed by default.
Unlike Vista the UAC is not annoying and can be
modified. Windows 7 is very stable. My only
issue is that moving a large number of files and
folders still seems faster in XP.
Yes