Microsoft asks users to abandon IE6, kinda
Much has been written about the recent hack targeting Google, but somewhat lost in the shuffle is that the attack specifically targets Internet Explorer 6 on Windows 2000 and Windows XP. Based on their analysis of the attack, Microsoft’s Security Research and Defense blog urges users to upgrade to a newer platform or enable DEP (only available on Windows XP Service Pack 2 or later).
In their blog post, Assessing risk of IE 0day vulnerability, Microsoft outlines the potential impact on the main OS and browser combinations.
| Windows 2000 | Windows XP | Windows Vista | Windows 7 | |
| Internet Explorer 6 | Exploitable | Exploitable (current exploit effective for code execution) | N/A (Vista ships with IE7) |
N/A (Windows 7 ships with IE  |
| Internet Explorer 7 | N/A (IE 7 will not install on Windows 2000) |
Potentially exploitable (current exploit does not currently work due to memory layout differences in IE 7) | IE Protected Mode prevents current exploit from working. | N/A (Windows 7 ships with IE |
| Internet Explorer 8 | N/A (IE 8 will not install on Windows 2000) |
DEP enabled by default on XP SP3 prevents exploit from working. | IE Protected Mode + DEP enabled by default prevent exploit from working. | IE Protected Mode + DEP enabled by default prevent exploit from working. |
In spite of this, Microsoft still has no plans to drop support for IE6, leaving it up to the individual to upgrade if they desire. Because of this, there are still many major corporations that have not yet upgraded from this now ancient browser – IE 7 was released over 3 years ago.
Even though this event is likely to not change their behavior, if upgrading the operating system is not an option, they should at least consider deploying Firefox and the awesome extension IE Tab for those times when they just have to use Internet Explorer.
Also – Google doesn’t get a free pass here. How is it that the maker of the most secure browser still has workstations running IE6?
Related posts:
- Another Internet Explorer Vulnerability (…sigh) Well, here we are again. A few weeks after Microsoft...
- 10 very annoying system defaults I was reading 10 seriously annoying default configurations at TechRepublic...
- Tech News – Internet Explorer 8 Edition Internet Explorer 8 Released. Improvements include: Smart Address Bar, Tab...
February 2nd, 2010 at 5:17 pm
Seeing these kind of posts reminds me of just how technology truly is everywhere in this day and age, and I am 99% certain that we have passed the point of no return in our relationship with technology.
I don’t mean this in a bad way, of course! Societal concerns aside… I just hope that as memory becomes less expensive, the possibility of transferring our memories onto a digital medium becomes a true reality. It’s one of the things I really wish I could encounter in my lifetime.
(Posted on Nintendo DS running R4 SDHC DS qqPost)
February 4th, 2010 at 5:18 pm
[...] here we are again. A few weeks after Microsoft pushed out a critical patch to all versions of Internet Explorer, Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies provided details [...]
March 10th, 2010 at 8:45 am
Забавно.
April 6th, 2010 at 1:55 pm
Thanks for keeping great posts!