It's time to stop using IE6

It's time to stop using IE6

Summary: If your organization is still using Internet Explorer 6 on Windows XP, just stop. Stop it now. The marketplace is filled with credible alternatives to IE6, including significant updates from Microsoft, but some large organizations insist on sticking with this old, insecure platform. Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice. Here's why.


If your organization is still using Internet Explorer 6 on Windows XP, just stop. Stop it now.

The marketplace is filled with credible alternatives to IE6, including Mozilla Firefox and Google Chrome. If you need to use Internet Explorer because it's required for compatibility with specific websites or apps, you have alternatives from Microsoft itself. IE6 was replaced with the newer, more secure Internet Explorer 7 in October 2006, more than 40 months ago. And Internet Explorer 8 was released in March of 2009, nearly a year ago. Both browsers have large improvements in usability, including tabbed browsing, but their biggest selling point is security.

Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice. Think that judgment is too harsh? Ask the security experts at Google, Adobe, and dozens of other large corporations that are cleaning up the mess from a wave of targeted attacks that allowed source code and confidential data to fall into the hands of well-organized intruders. The entry point? According to Microsoft, it's IE6:

At this time, we are aware of limited, targeted attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other versions of Internet Explorer.


Newer versions of Internet Explorer and later Windows releases are at reduced risk to the exploit we have seen due to platform mitigations explained in the blog post below.

Under the "Mitigating Factors" heading, the Microsoft Security Response Center specifically notes that the exploit used in this case does not run under IE7 and IE8 in Windows Vista or Windows 7. You've got one extra layer of protection if you use IE8, even under Windows XP Service Pack 3, thanks to Data Execution Prevention, which is enabled by default.

The accompanying blog post from Jonathan Ness of the Microsoft Security Research Center Engineering group is even more blunt:

I want to make one thing perfectly clear. The attacks we have seen to date, including the exploit released publicly, only affect customers using Internet Explorer 6. As discussed in the security advisory, while newer versions of Internet Explorer are affected by this vulnerability, mitigations exist that make exploitation much more difficult.

If your organization is still forcing you to use IE6 on Windows XP, send this blog post to your CEO, your CIO, and every member of your company's Board of Directors. Be sure to include this graphic:

Yes, this vulnerability will be patched, probably within days. But the next one is just around the corner, or perhaps an exploit is being deployed right now. In 2010, with multiple alternatives available, there is no excuse for continuing to use an insecure Internet infrastructure.

IE6 users, it's time to move on. Your IT staff has had more than three years to come up with alternatives to IE6. If they can't handle it, maybe it's time to replace them, too.

Topics: Browser, Microsoft, Operating Systems, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Is your organization still using IE6?

    If you work for a corporation that is still using IE6 on XP or Windows 2000, why? Have you asked your IT staff why they haven't moved to a more secure browser?
    Ed Bott
    • The UK's National Health Service

      These guys should be concerned about the security of their files....

      The NHS, the largest employer in Europe, refuses to upgrade to IE7, and deliberately downgrades PCs to Windows XP without upgrading the browser. This is blamed on compatability and finances, and to be fair the companies who make a lot of software for Primary Health Care have done little to make switching easy, if anything. Costs on the other hand is ridiculous, the NHS is a sinkhole for money already this would save time and money.

      Security issues have been pointed out and flat out denied by the IT departments. Often the decision to upgrade or not is made by the Health Care Trust in charge but I can say from experience that I haven't seen an NHS machine in the North West of the UK using anything past XP and browsers other than IE6 are discouraged at best.

      * I write this as a Junior doctor working in Hospitals and General Practices. My family is in healthcare and we are constantly reminded that we aren't "allowed" to upgrade.
      • I suggest we stop using HTML all together

        It started as a bunch of documentation tags. It was never designed to be an APP framework to meet nowadays online app development requirement. The current HTML5 is loaded w/ backward compatibilities that just don't fly at all.
        • Partly . . .

          I'd agree with the basic point - that HTML/CSS was never, originally,
          designed to be the one true presentation layer (at the time it was
          conceived, that was probably DisplayPDF).

          However . . . the history of IT in the last few decades is that we don't
          really get a choice in what technology is used. Windows was the worst
          available GUI system (compared to GEMM, OS/2, X-Windows,
          AmigaOS, MacOS, and NeXT) - but it thrived.

          With Web apps, I've seen my teams productivity become a quarter of
          what it was a decade ago - but it is what people demand.

          On the other hand, HTML 5/JavaScript 5 do at least approach things
          from the perspective of application development, rather than a static
          document focus. And far from being backward compatible, HTML 5
          deprecates earlier HTML elements (browsers, of course, need to
          remain backwardly compatible with earlier specs).

          And I can't think of any security problems with HTML itself - as
          opposed to, say, CSS Expressions, or some of the flaws that are
          inherent in JavaScript's defined behaviour (which V5 will correct - the
          ability to protect your objects from modification or access by third
          party scripts).

          The other alternatives (Flash/Flex) have their known security problems
          • web apps, web services are not going away

            To think we should move away from web apps, web
            services etc is foolish. Its become a highly
            portable, very capable platform for delivering
            applications via a network. It also makes the
            concept of server deployed apps far more
            feasible, easier to manage and deploy. The
            problem are companies that are lazy about
            upgrading their applications and more so,
            companies like Microsoft for not enforcing an
            expiration of these older legacy browsers. We
            are heading into an age where web standards are
            finally reaching some cohesion. Even Microsoft
            is following suit with IE8. For years many web
            developers have been pleading to get people off
            of IE6. Hopefully this time some IT managers
            and users will wake up to the problem and
      • Typical Government SNAFU.

        I have written before* about the complete ineptitude of UK government projects that are specified and planned by the non-technical bureaucrats. This is just another example of stupidity that will cost a lot to fix (at government prices and tax payer expense.)


        SNAFU = Situation Normal All F#%ked-Up
        • Don't know of many governments

          that are are void of those types of problems :)
          John Zern
    • Our main customers are

      Noone in my company uses IE6 besides for testing purpose. However most of us are stuck with Windows XP and this is seriously becoming annoying if not painful. Fortunately, we should start a full migration toward Windows 7 this year. Most of our servers are already running on WIndows 2008 and Windows 2008 R2.
      Our main customers on the other hand, are still using XP and IE6 on many of their computers. One of them has reccurent security problems linked to how outdated is their Information System. As both their software provider and solutions consultant, we have been trying since several years to make them upgrade their system. Unfortunately some of their main IT managers are fighting our efforts with a passion. Fortunately, they are considering upgrading to Windows 7 before the end of the next year. So with some luck they will be almost up to date for 2012.
      • re

        I don't understand why these IT managers don't at
        least want to upgrade people to IE7 or better yet
        IE8, Chrome, Firefox etc. I know one of the
        reasons is that they may have old internal web
        apps that were built specifically for IE6. If
        thats the case, don't they realize if they upgrade
        to windows 7 (a good thing) there is no way to go
        back to IE6? I don't get the logic?
    • Intranet sites & testing

      I've found the excuse is usually web apps and Intranet sites, often in a semi-abandoned state, where there are fears that changing browser will break them.

      Nobody wants to put up the budget to even test the sites to see if the fears are valid, let alone the budget to fix them if required.

      It's gotta happen one day, though...

      Corporate IT is usually extremely short sighted, at least at most of the large organisations I have worked. It's always seen as a drain on the organisation's budget, a necessary cost that needs to be minimised, rather than something that if you spent and plan wisely can boost your company's performance by providing good tools (e.g. NOT Lotus Notes, heh).
      • lol lotus notes

        I would probably be close to committing suicide if
        I had to use lotus notes =P
    • Nope

      We're still running Xp for now but, have switched to Firefox for student browsing.
      The one and only, Cylon Centurion
    • It's time to stop using IE

      I fixed your title.

      IE has been the bane of web standards for far too long, it needs to die. It doesn't even have a Firebug equivalent in this world of AJAX. How are you supposed debug AJAX in IE?
      • its time to stop taking any post of yours seriously

        There fixed your messup.
    • HP server management tools

      HP Server, network and SAN management tools still require IE6 to manage servers (iLO Advanced with virtual media, Virtual Connect Manager, and so on), so I keep a VM with XP around for that purpose - severely locked down of course. The VM has DNS resolution turned off and has to be configured with a static IP appropriate for the management LAN.

      I keep another one for twisted partner portals and management tools that require it, similarly locked down.

      Some enterprises embraced .ASP and .NET (and MS Java) very early, and enthusiastically hired contractors to build them line-of-business applications around those technologies to migrate away from mainframes. Now they have neither the source code nor the skills to migrate away from IE6. No matter how much they wanted to adopt Vista they could not - and they did want to top to bottom and bottom to top. They will be among the last to adopt Windows 7 - and they will build in dependency on Microsoft platforms again, forcing a skip of the next generation of OS as well when dependencies for W7 prevent migration again. That's fine for Microsoft though because they're all on SA and are buying the licenses regardless. Sometimes IT is a theatre of the absurd. I have no doubt that the refresh of the HP management tools will require IE8.

      These VMs and browsers are special purpose tools like SAE wrenches. They're not for every day use but handy when you need them.

      The trap of IE6 continues with IE7 and IE8 BTW, and will continue to do so with ensuing versions. The nonstandard features of Microsoft browsers serve only to create dependency on Microsoft web platforms like Sharepoint and .NET - to our detriment. They ensure that I'll need VMs with version specific browsers from now until my IT career is done. It's sad, really.

      There's no excuse for this nonsense. People who aren't Microsoft should know better than to implement web applications as browser dependent tools. They should have known this a decade ago. They get paid to know these things - it's just not professional. There are good standards and they work fine - see Google Maps for a nice example. If your app needs an interface more sophisticated than that it probably should be a client/server app rather than web based. I can see why Microsoft's partner portal requires Silverlight - but I can't see why any non-Microsoft website on the Internet or web management tool does. It's plain laziness.
    • Because...

      they were silly enough to create browser-based applications that used ActiveX and they only work in IE. Also, there is no compelling reason to move beyond XP other than the insecurity of IE 6.

      Security is dealt with by seriously limiting what you can access from corporate desktops - no web mail, no social networking sites, no site classified as entertainment, sport, finance, etc. There are a few exceptions, e.g. reputable banks sites are accessible.

      And some of us run Firefox with a few well-chosen add-ons.
      Fred Fredrickson
      • AFAIK, ActiveX was used...

        because everyone at the time wanted light-weight web-based apps that looked like desktop ones and the browsers were lacking in UI to the degree of utter ugliness. The Java applets did too, to less extent, but they were slow, buggy and relatively difficult to develop for.

        Another example why native code was used: try to use Firefox 2 on an old computer and visit a modern site with advanced UI ( or How fast are they? So, using standard features of old browsers wasn't just enough. IE provided a solution that customers liked; Netscape just died.

        So one point to look at it is a pay-off for getting ahead of the standards and not planning for consequences.

        By the way the same continues with Flash. Nearly every site uses Flash one way or another, and it introduces another source of vulnerabilities.
      • No Compelling Reason to Move Beyond XP...

        I find that there are quite a few GOOD reasons to migrate to Windows 7 from XP, namely the DirectAccess, BranchCache, and Federated Search features.
        Yes, they require an orgaization update most of its server infrastructure to Server 2008 R2, but I think these would be good reasons to upgrade.

        With that in mind, I wouldn't go to Win7 as a "Blanket" upgrade, but perhaps as I am replacing workstations.
        Paul Newell
        • Windows 7 is a worthy secure upgrade.

          I was one of those people that was really upset
          with Vista. I felt there was no need to migrate
          from XP. When I got windows 7 installed on my
          workstation at work I immediately noticed it
          was far more stable, less resource intensive
          then Vista. Like Vista it was more secure out
          of the box. In fact there are many things that
          are disabled or not installed by default.
          Unlike Vista the UAC is not annoying and can be
          modified. Windows 7 is very stable. My only
          issue is that moving large number of files and
          folders still seems faster in XP.
    • Yes

      Legacy applications galore. Lots of it is probably bad programmming (makes bad assumptions about the browser) but it's pretty locked in.