If your organization is still using Internet Explorer 6 on Windows XP, just stop. Stop it now.
The marketplace is filled with credible alternatives to IE6, including Mozilla Firefox and Google Chrome. If you need to use Internet Explorer because it's required for compatibility with specific websites or apps, you have alternatives from Microsoft itself. IE6 was replaced with the newer, more secure Internet Explorer 7 in October 2006, more than 40 months ago. And Internet Explorer 8 was released in March of 2009, nearly a year ago. Both browsers have large improvements in usability, including tabbed browsing, but their biggest selling point is security.
Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice. Think that judgment is too harsh? Ask the security experts at Google, Adobe, and dozens of other large corporations that are cleaning up the mess from a wave of targeted attacks that allowed source code and confidential data to fall into the hands of well-organized intruders. The entry point? According to Microsoft, it's IE6:
At this time, we are aware of limited, targeted attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other versions of Internet Explorer.
Newer versions of Internet Explorer and later Windows releases are at reduced risk to the exploit we have seen due to platform mitigations explained in the blog post below.
Under the "Mitigating Factors" heading, the Microsoft Security Response Center specifically notes that the exploit used in this case does not run under IE7 and IE8 in Windows Vista or Windows 7. You've got one extra layer of protection if you use IE8, even under Windows XP Service Pack 3, thanks to Data Execution Prevention, which is enabled by default.
The accompanying blog post from Jonathan Ness of the Microsoft Security Research Center Engineering group is even more blunt:
I want to make one thing perfectly clear. The attacks we have seen to date, including the exploit released publicly, only affect customers using Internet Explorer 6. As discussed in the security advisory, while newer versions of Internet Explorer are affected by this vulnerability, mitigations exist that make exploitation much more difficult.
If your organization is still forcing you to use IE6 on Windows XP, send this blog post to your CEO, your CIO, and every member of your company's Board of Directors. Be sure to include this graphic:
Yes, this vulnerability will be patched, probably within days. But the next one is just around the corner, or perhaps an exploit is being deployed right now. In 2010, with multiple alternatives available, there is no excuse for continuing to use an insecure Internet infrastructure.
IE6 users, it's time to move on. Your IT staff has had more than three years to come up with alternatives to IE6. If they can't handle it, maybe it's time to replace them, too.