Dealing with the Pain of Giving Up IE6

Summary: Browsium's CEO explains why they've created a Web extension that will let users run IE6 inside of newer versions of Internet Explorer.

I hate, hate IE 6. If I were the CIO of a company that was still running IE 6, which it turns out 20% of businesses still are, I'd blast it out with dynamite. But some companies, said Browsium CEO Matt Heller, just can't seem to get rid of IE6. That's why his company came up with an extension that lets you run IE6 inside newer, safer versions of IE.

I'm not crazy about the idea of enabling companies to continue their bad IE6 habit, but Heller explained, "We want to see IE6 go away too. Having spent years working with business customers around the world, it's clear they just can't make that happen without a decent amount of pain. It's not our intent to keep enterprises browsing with IE6 and we believe UniBrows will actually help remove IE6 from the Web."

Heller continued, "As you point out in your article, many companies are still running IE6 - and are tied to it for internal legacy applications that work only with IE6, and updating those apps is costly and time consuming. This is a major reason why many companies have not moved to Windows 7 and IE8 - so their employees are forced to browse the ENTIRE web with IE6. With our solution in place enterprises can move to IE8 for 'normal' browsing and use UniBrows to access those internal IE6 legacy applications inside an IE8 tab. Over time, more UniBrows deployments will mean that more external web sites will see only IE8 and IE9, and less IE6, not the other way around."

As for IE6's lack of security, one of the main reasons why I'd toss IE6 out of an enterprise so hard it would bounce, Heller tries to address this. "IE6 is clearly less secure than IE8, so running IE6 standalone, virtualized, or in an IE tab increases the attack surface of a system - this is unavoidable. UniBrows offers mitigations that counteract the increased risk of running IE6, something that standalone IE and virtualized solutions do not. These mitigations fall into four areas:"

- Policy Blending
- Opt-In Rules Model
- Profiles and Custom Registry, Files, and ActiveX Controls
- Exclusionary Rules

Policy Blending: UniBrows begins to reduce the attack surface introduced by IE6 through the "blending" of IE6 and IE8 security policies. When UniBrows is loaded inside an IE tab, the UniBrows plugin passes along the IE8 policies and restrictions to the IE6 browser engine, many of which have remained the same between the two versions. UniBrows takes over where IE6 left off by protecting the IE6 tab from two areas where these policies and restrictions differ: binary plugins and window control. Our plugin sits in between the IE6 engine, the Webpage, and users to intercept potentially dangerous actions by a Webpage (loading an IFRAME, sending content across domains, and installing ActiveX controls) and blocks those actions that do not match IE8 settings and UniBrows rules. In the case of ActiveX controls, IE defers to the IE8 security model by passing the request along to the IE8 control installer.

Opt-In Rules Model: Sites running inside of UniBrows run outside of Protected Mode, much like intranet sites in IE8+ and Trusted Sites in IE7+. To reduce potential attack surface, UniBrows uses rules as an opt-in mechanism; at the most basic level the Rules Configuration Manager provides a layer of protection against compromise. By enforcing the rules as we do, sites can only render using the IE6 functionality when manually configured by the organization. Unlike Google Chrome Frame or similar solutions, there is no ability for the remote site to trigger the rendering switch. Our IE integration is done so that UniBrows can take over rendering when configured to do so, but is completely unexposed the rest of the time - shutting down the attack surface. Rules can also be ordered; this is important for rules that may be subsets of each other or for exclusionary rules (described below). While we do offer the ability to create overly broad rules, such as an 'Internet' zone rule, we strongly discourage that behavior as it provides virtually no enhancements or protections over a standard IE6 installation.

Profiles and Custom Registry, Files, and ActiveX Controls: Another UniBrows security design is part of the new features for Beta 2. In the latest release we have included a feature called 'Profiles', which enables you to create granular system and ActiveX settings for a rule or groups of rules. For example, you can use Profiles to configure a locked down registry as well as define specific ActiveX controls that are to be used for anything matching that rule. From a security perspective, this new feature enables granular control and protections that have never been available in IE before. Profiles even let you control whether DEP/NX is enabled or not for sites in that rule set. Some have described this feature as 'Enhanced Zones', but unlike the Zone Model where you group sites and have limited settings control, you can define as many Profiles as you would like and make the settings very specific.

Exclusionary Rules: Rules can be defined for the 'default browser', meaning you can use our Profiles feature to make custom settings for IE8 and lock it down even further. Profiles using the "default browser" as their browser engine can be used to enhance the IE8 settings and extend configuration options to a deeper level of security than currently available from any other solution.

Lastly, UniBrows was designed around the concept of 'Steady State' meaning that if a malicious control or user attempts to circumvent our mitigations and use the loosened restrictions to change IE settings/policies or even changes to the system itself, these changes only exist for the lifetime of the process. For instance, if I load an Ax control that uses some security flaw (buffer overrun, for example) in IE6 to run a command like "del /s /q c:\*" (delete all files on the c: drive), our process makes the control think that the command was successful when, in fact, nothing really happened.

I'm impressed by Heller's effort. At best, though, I see UniBrows as a stop-gap. The smarter move is still to bite the bullet and kill off your company's antique IE 6-specific Web applications for up-to-date multi-Web browser applications. That said, if you really can't give up your old IE 6 applications, UniBrows, at $5 per year per user, is a better idea than just continuing to run IE 6.
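The ordered, opt-in rules that Heller describes under "Opt-In Rules Model" and "Exclusionary Rules" can be modelled as a first-match evaluator plus a rule audit. This is an added example, not Browsium's code or the UniBrows rule format; the tuple layout, engine names and hosts are hypothetical.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

DEFAULT, LEGACY = "default", "ie6"  # hypothetical engine names

# Constructed rule list: (host pattern, path pattern, engine). Only "*" is
# used as a wildcard, and evaluation is first match wins.
RULES = [
    ("payroll.corp.example", "/*", DEFAULT),  # exclusionary rule goes first
    ("*.corp.example", "/*", LEGACY),         # intranet apps that need IE6
]

def select_engine(url, rules):
    """Choose an engine from the URL and the admin's rules only. Page content
    and headers are never consulted, so a site cannot opt itself in."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return DEFAULT
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return DEFAULT
    host, path = parts.hostname.lower(), parts.path or "/"
    for host_pat, path_pat, engine in rules:
        # Host and path are matched separately so a "*" in the host pattern
        # cannot be satisfied by text that appears in the path.
        if fnmatchcase(host, host_pat.lower()) and fnmatchcase(path, path_pat):
            return engine
    return DEFAULT  # opt-in: anything unlisted stays on the modern engine

def audit_rules(rules):
    """Flag legacy rules whose host is wildcard-only, and rules that an
    earlier rule fully covers (sound because patterns use only '*')."""
    findings = []
    for i, (host_pat, path_pat, engine) in enumerate(rules):
        if engine == LEGACY and host_pat.strip("*.") == "":
            findings.append(("too-broad", host_pat + path_pat))
        if any(fnmatchcase(host_pat, h) and fnmatchcase(path_pat, p)
               for h, p, _ in rules[:i]):
            findings.append(("shadowed", host_pat + path_pat))
    return findings
```

Swapping the two rules makes the payroll exclusion unreachable, which `audit_rules` reports as shadowed; a single `("*", "/*", LEGACY)` rule is reported as too broad, the case the article says gives virtually no protection over standard IE6.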

Topics: Browser, Microsoft, Software Development

Talkback

44 comments
  • RE: Dealing with the Pain of Giving Up IE6

    No pain here.
    james347
  • OK, we GET it!

    This is the millionth time a ZDNet blogger has blogged how much they hate IE6. Guess what? We get it! Everybody hates it because it is old and not secure, but to blog so much about it is just crazy. Time to let it go...
    statuskwo5
    • Not time to let go ..... time to spend money

      @statuskwo5 They complain about it now ... but 8 years ago the world was warned about the bastardized platform. They ignored logic and decided to eat the excrement that MS was selling them. Now they must pay the consequences.

      So they should not stop complaining because it is "time to let go". They should stop b!tchy!ng because IT IS THEIR OWN DARN FAULT for using a technology that cripples their ability for future expansion.
      wackoae
      • RE: Dealing with the Pain of Giving Up IE6

        @wackoae That's not entirely true for all that hate IE6. For starters, I am a Web developer that never touched IE whenever it was humanly possible. The bigger issue here is that I write websites that are visited by people still using the archaic browser. That means I have to weigh 2 options:

        1) Tell IE6 users to blow it out their hole and use a real browser to see my site the way it is intended.

        2) Go through the horrendous pain to make my website viewable in the latest browsers and the MS beasts of past.

        Either way, my clients are automatically out of two of the trifecta attributes instead of just one; time, money, quality.
        Ventaur
      • RE: Dealing with the Pain of Giving Up IE6

        @wackoae It will be worthy of attention until it dies. It needs to die already. It was bad when it came out and it's even worse compared to today's standards.
        Jimster480
    • Yes, time (for you) to let it go

      @statuskwo5

      So you object to someone writing about a real and intractable problem? Just because you may not have any problems with IE6 (or may not understand the problem in the first place), does not mean that it may not be a HUGE headache to many others, and still worthy of attention.

      The author is presenting a possible solution to a problem and you object? Get a clue moron.
      Economister
    • RE: Dealing with the Pain of Giving Up IE6

      @statuskwo5 I'll stop talking about it when IE 6 is no longer used by an amazing 1 in 5 businesses and by almost that many ordinary users. For now, IE6 use is still a real problem. If it were only being used by say 2% of users and businesses, I could drop the topic once and for all.

      Steven
      sjvn
      • RE: Dealing with the Pain of Giving Up IE6

        @sjvn@... I've got 9,000 PCs on IE 6 and 60 on Firefox. We'll finally get to IE 8 in 45 days but it took me most of the year to convince my company to spend the money (salaries) to make the move. In a down economy, there were more important things to spend the scarce dollars on. Once sites started dropping IE 6 support, they started to see things my way. Small companies can easily move from browser to browser but when you have hundreds of suppliers and thousands of web pages to test, you can't be as flexible.
        Georgia Madman
      • RE: Dealing with the Pain of Giving Up IE6

        @sjvn@... Have you seen the browsers statistics for China?
        http://gs.statcounter.com/#browser_version-CN-monthly-200910-201010
        If I were webdesigner in China I'd be bald and voiceless by now.
        tabinho@...
  • you like spending my money

    It will cost us 300,000 dollars to redo internal intranet or keep 5 people employed in a company of 40. get over it. IT has to stop meaning spend more money every year
    russf2001@...
    • It's not going to happen...

      @russf2001@...
      "IT has to stop meaning spend more money every year"

      Get real. Persuading people to spend more money every year is some IT companies' business model.
      Zogg
    • RE: Dealing with the Pain of Giving Up IE6

      @russf2001@...

      Then you shouldn't have coded your crap to a proprietary browser (IE6) or relied on functions from a crummy OS (ActiveX/Windows).

      You should have coded for a cross platform model and encouraged platform neutrality.

      Now you pay the piper for your poor choices. Perhaps some pink slips are in order for poor choices.

      Stop thinking Windows/IE is the only platform. It's not. It's just the worst.
      itguy08
      • RE: Dealing with the Pain of Giving Up IE6

        @itguy08
        *yawn*
        Am so bored of hearing this line.
        12312332123
      • RE: Dealing with the Pain of Giving Up IE6

        @itguy08 Windows is not the worst platform. To say that shows your obvious ignorance. Yes, it was dumb to code for a single platform and a single browser. But it's not the worst platform.
        Jimster480
    • Charge the original developers

      @russf2001@... Whoever was stupid enough to develop applications targeted specifically for IE6 instead of targeted for internet standards should absorb the cost. I
      rarsa
      • Bingo

        @rarsa

        And what's worse is page developers who don't bother to even let you *try* to use a different browser to see whether the page works properly and just tell you to shag off if you're not using one of the Big Two.

        Try visiting AT&T's site, BellSouth(dot)com with Opera, where you will find a page titled "Upgrade Your Browser", which says:

          "BellSouth.com offers online features that only work with newer browsers. To shop for our products, manage your accounts, find out more about BellSouth, or to contact us online, please choose one of these browsers:

          Download Netscape Navigator
          Download Internet Explorer

          If you choose not to upgrade your browser, we regret that our website will not function properly for you at this time."

        Right. You need a *modern* browser for their page.

        Don't know what it says to Chrome, which annoys me too much to use.
        fairportfan
      • RE: Dealing with the Pain of Giving Up IE6

        @rarsa I know, at least we can switch User Agents to fool those sites.

        I've never understood why they block other browsers. That should be My choice. My user experience.
        rarsa
      • RE: BINGO

        @fairportfan "BINGO". Works fine with chrome
        m8kmida
    • RE: Dealing with the Pain of Giving Up IE6

      @russf2001@... 300k to redo an internal intranet to work on a newer browser? What kind of trash do you guys have there and what moron gave you that quote? Have your 5 people that you're keeping employed recode the intranet.
      Jimster480
  • IE 6ux

    From the development point of view, use only hacks for this sh*t ..
    huzaif.ali