
Dealing with the Pain of Giving Up IE6

Browsium's CEO explains why they've created a Web extension that will let users run IE6 inside of newer versions of Internet Explorer.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

I hate, hate IE6. If I were the CIO of a company that was still running IE6, which it turns out 20% of businesses still are, I'd blast it out with dynamite. But some companies, said Browsium CEO Matt Heller, just can't seem to get rid of IE6. That's why his company came up with an extension that lets you run IE6 inside newer, safer versions of IE.

I'm not crazy about the idea of enabling companies to continue their bad IE6 habit, but Heller explained, "We want to see IE6 go away too. Having spent years working with business customers around the world, it's clear they just can't make that happen without a decent amount of pain. It's not our intent to keep enterprises browsing with IE6 and we believe UniBrows will actually help remove IE6 from the Web."

Heller continued, "As you point out in your article, many companies are still running IE6, and are tied to it for internal legacy applications that work only with IE6, and updating those apps is costly and time consuming. This is a major reason why many companies have not moved to Windows 7 and IE8, so their employees are forced to browse the ENTIRE web with IE6. With our solution in place enterprises can move to IE8 for 'normal' browsing and use UniBrows to access those internal IE6 legacy applications inside an IE8 tab. Over time, more UniBrows deployments will mean that more external web sites will see only IE8 and IE9, and less IE6, not the other way around."

As for IE6's lack of security, one of the main reasons I'd toss IE6 out of an enterprise so hard it would bounce, Heller tried to address that too. "IE6 is clearly less secure than IE8, so running IE6 standalone, virtualized, or in an IE tab increases the attack surface of a system; this is unavoidable. UniBrows offers mitigations that counteract the increased risk of running IE6, something that standalone IE and virtualized solutions do not. These mitigations fall into four areas:"

- Policy Blending
- Opt-In Rules Model
- Profiles and Custom Registry, Files, and ActiveX Controls
- Exclusionary Rules

Policy Blending: UniBrows begins to reduce the attack surface introduced by IE6 through the "blending" of IE6 and IE8 security policies. When UniBrows is loaded inside an IE tab, the UniBrows plugin passes along the IE8 policies and restrictions to the IE6 browser engine, many of which have remained the same between the two versions. UniBrows takes over where IE6 left off by protecting the IE6 tab from two areas where these policies and restrictions differ: binary plugins and window control. Our plugin sits in between the IE6 engine, the Webpage, and users to intercept potentially dangerous actions by a Webpage (loading an IFRAME, sending content across domains, and installing ActiveX controls) and blocks those actions that do not match IE8 settings and UniBrows rules. In the case of ActiveX controls, IE defers to the IE8 security model by passing the request along to the IE8 control installer.

Opt-In Rules Model: Sites running inside of UniBrows run outside of Protected Mode, much like intranet sites in IE8+ and Trusted Sites in IE7+. To reduce potential attack surface, UniBrows uses rules as an opt-in mechanism; at the most basic level the Rules Configuration Manager provides a layer of protection against compromise. By enforcing the rules as we do, sites can only render using the IE6 functionality when manually configured by the organization. Unlike Google Chrome Frame or similar solutions, there is no ability for the remote site to trigger the rendering switch. Our IE integration is done so that UniBrows can take over rendering when configured to do so, but is completely unexposed the rest of the time - shutting down the attack surface. Rules can also be ordered; this is important for rules that may be subsets of each other or for exclusionary rules (described below). While we do offer the ability to create overly broad rules, such as an 'Internet' zone rule, we strongly discourage that behavior as it provides virtually no enhancements or protections over a standard IE6 installation.

Profiles and Custom Registry, Files, and ActiveX Controls: Another UniBrows security design is part of the new features for Beta 2. In the latest release we have included a feature called 'Profiles', which enable you to create granular system and ActiveX settings for a rule or groups of rules. For example, you can use Profiles to configure a locked down registry as well as define specific ActiveX controls that are to be used for anything matching that rule. From a security perspective, this new feature enables granular control and protections that have never been available in IE before. Profiles even let you control whether DEP/NX is enabled or not for sites in that rule set. Some have described this feature as 'Enhanced Zones', but unlike the Zone Model where you group sites and have limited settings control, you can define as many Profiles as you would like and make the settings very specific.

Exclusionary Rules: Rules can be defined for the 'default browser', meaning you can use our Profiles feature to make custom settings for IE8 and lock it down even further. Profiles using the "default browser" as their browser engine can be used to enhance the IE8 settings and extend configuration options to a deeper level of security than currently available from any other solution.

Lastly, UniBrows was designed around the concept of 'Steady State', meaning that if a malicious control or user attempts to circumvent our mitigations and use the loosened restrictions to change IE settings/policies, or even make changes to the system itself, these changes only exist for the lifetime of the process. For instance, if I load an ActiveX control that uses some security flaw (a buffer overrun, for example) in IE6 to run a command like "del /s /q c:\*" (delete all files on the c: drive), our process makes the control think that the command was successful when, in fact, nothing really happened.
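The opt-in rules model and the exclusionary rules Heller describes above boil down to a small decision procedure: a URL is handed to the legacy engine only if an administrator-written rule matches it, the first matching rule wins (so rule order matters), a rule that names the 'default browser' as its engine acts as an exclusion, and a catch-all rule defeats the whole point. The Python below is an added illustration of that model, not Browsium's code or its configuration format; the `Rule` class, `decide_engine`, `lint_rules`, the hostname-glob matching, the profile dictionary and the sample hosts are all assumptions made for this example.

```python
"""Toy model of an opt-in, ordered rule set deciding which browser engine
renders a URL. Illustration only; not Browsium's code or file format."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# The host browser's own engine. Used when no rule opts a site in, and as
# the engine of an exclusionary rule (Heller's "default browser" rules).
DEFAULT_ENGINE = "IE8"


@dataclass
class Rule:
    pattern: str                    # hostname glob, e.g. "*.corp.example" (assumed syntax)
    engine: str = "IE6"             # "IE6" opts the site in; DEFAULT_ENGINE excludes it
    path_prefix: str = "/"          # narrow a rule to one application on a shared host
    profile: dict = field(default_factory=dict)  # per-rule settings, e.g. DEP/NX, ActiveX allowlist

    def matches(self, url: str) -> bool:
        parts = urlsplit(url)
        host = parts.hostname or ""  # already lower-cased by urlsplit
        return fnmatchcase(host, self.pattern) and parts.path.startswith(self.path_prefix)


def decide_engine(rules, url):
    """First matching rule wins; anything unmatched stays in the default engine.
    Returns (engine, profile)."""
    for rule in rules:
        if rule.matches(url):
            return rule.engine, rule.profile
    return DEFAULT_ENGINE, {}


def lint_rules(rules):
    """Flag configurations that quietly widen the attack surface:
    a catch-all legacy rule, or an exclusion shadowed by an earlier broader rule."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.engine != DEFAULT_ENGINE and rule.pattern == "*" and rule.path_prefix == "/":
            findings.append(f"rule {i}: matches every host; no better than plain IE6")
        # An exclusion for a literal host never fires if an earlier legacy rule
        # already claims that host, because first match wins.
        if rule.engine == DEFAULT_ENGINE and not any(c in rule.pattern for c in "*?["):
            probe = f"http://{rule.pattern}{rule.path_prefix}"
            for j, earlier in enumerate(rules[:i]):
                if earlier.engine != DEFAULT_ENGINE and earlier.matches(probe):
                    findings.append(f"rule {i}: exclusion for {rule.pattern} is shadowed by rule {j}")
    return findings


# Constructed sample rule set (hosts are made up). The exclusion for the
# modern HR app sits BEFORE the broader *.corp.example legacy rule on purpose.
RULES = [
    Rule("hr.corp.example", engine=DEFAULT_ENGINE),
    Rule("*.corp.example", profile={"dep_nx": True, "activex": ["Acme.LegacyGrid"]}),
    Rule("legacy.partner.example", path_prefix="/timesheet/",
         profile={"dep_nx": True, "activex": []}),
]


if __name__ == "__main__":
    for url in ("http://hr.corp.example/", "http://erp.corp.example/app",
                "http://legacy.partner.example/timesheet/x",
                "http://legacy.partner.example/other", "http://www.example.com/"):
        print(url, "->", decide_engine(RULES, url)[0])
    print("lint:", lint_rules(RULES))
    print("lint (reversed order):", lint_rules(list(reversed(RULES))))
    print("lint (catch-all):", lint_rules([Rule("*")]))
```

Running it shows only the two opted-in hosts landing in the legacy engine, the HR host and the public site staying in IE8, and the linter staying quiet until the rules are reversed (the exclusion becomes unreachable) or a `*` rule is added, which is the "Internet zone" configuration Heller warns against.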

I'm impressed by Heller's effort. At best, though, I see UniBrows as a stop-gap. The smarter move is still to bite the bullet and replace your company's antique IE6-specific Web applications with up-to-date ones that work in any modern browser. That said, if you really can't give up your old IE6 applications, UniBrows, at $5 per user per year, is a better idea than just continuing to run IE6.
