CNet News ran a story this morning citing Forrester statistics on the web browsers typically deployed within corporate enterprises. One statistic in particular made my jaw hit the floor:
"remarkably, 60 percent of enterprises are still on IE 6..."
Internet Explorer 6! Keep in mind that there are no doubt hidden details behind that statistic, as it seems a bit high, but regardless, to hear that more than half of enterprises still have IE 6 deployed at some level is truly concerning.
Let's start off by looking at some statistics courtesy of Secunia:
The 120 vulnerabilities in the chart only cover the last seven years. The full scope, since IE 6 came to market, is actually 136 advisories covering a total of 147 individual vulnerabilities.
Even more concerning is the fact that, as of today, 22 of the advisories relate to vulnerabilities that have not yet been (or never will be) patched. Combine that with the fact that a company which deploys an eight-year-old browser is unlikely to be lightning fast to deploy patches, and it's not difficult to understand why malicious code continues to have phenomenal success by simply targeting known vulnerabilities.
Personally, I am less concerned about the vulnerabilities that IE 6 may have had in the past (what is broken can be fixed) and more concerned about what the browser lacks. Microsoft has done an admirable job over the years of adding security functionality to their browser. I have publicly applauded Microsoft for being the first major browser vendor to deploy protections against reflected Cross-Site Scripting (XSS) attacks. Let's look at major security protections added after IE6:
Internet Explorer 7
- Phishing filter
- ActiveX opt-in
- Extended Validation SSL certificate support
- Malicious URL filter
- XSS filter
- Data Execution Prevention
The aforementioned security controls are essential, with some, such as phishing and malicious URL filters, having now become standard controls across all major desktop browsers. Not upgrading end-user systems to newer versions of IE, even when they are routinely patched in a timely fashion, leaves enterprises open to significant risk. Attackers have shifted their focus away from the server to target end users via the web browser, and it's no wonder when considering the security gap left by holding on to a browser as dated and broken as IE 6. I agree with others that it's high time Microsoft forced a migration by declaring an official end of life for IE 6.
Why would any professional responsible for IT security ever deem it acceptable to have a browser in the enterprise that leaves such a gaping security hole? They wouldn't. When I see statistics such as this, it is clear to me that security teams lack the control to make decisions related to the applications which exist within the enterprise. IE 6 is running in 60% of enterprises for compatibility reasons, because some legacy intranet site requires it to stay alive. There can be a whole host of reasons why changes haven't been made to alleviate the compatibility issue which is preventing a browser upgrade, but in the meantime, enterprise security suffers.
Should the org. chart be changed to give the security team a greater voice? Perhaps. That can, however, be a long, drawn-out political battle with no guarantee of success. What will produce immediate results? I don't think I've ever heard a better argument for deploying security controls in-line, to stop threats before they reach the browser. My bias is clear, and I don't care if you deploy an appliance, an MSSP or a cloud-based solution, but such controls are an important component of a defense-in-depth approach, especially when you can't control what resides on the desktop.
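To make the two points above concrete (first, find out which desktops actually present IE 6, and second, apply an in-line rule that confines those clients to the legacy intranet they need while they await an upgrade), here is an added example that is not part of the original post or any vendor's product. It assumes Apache "combined"-format proxy logs and an internal domain suffix of `.corp.example`; the log lines, addresses and hostnames are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log lines in Apache "combined" format; the client
# addresses and hostnames are made up for this example.
SAMPLE_LOG = """\
10.1.2.3 - - [10/Jul/2009:09:01:12 +0000] "GET http://intranet.corp.example/app/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.3 - - [10/Jul/2009:09:02:40 +0000] "GET http://www.example.org/news HTTP/1.1" 200 8812 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.7 - - [10/Jul/2009:09:03:05 +0000] "GET http://www.example.org/news HTTP/1.1" 200 8812 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
10.1.2.9 - - [10/Jul/2009:09:04:11 +0000] "GET http://www.example.org/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1) Gecko/20090624 Firefox/3.5"
"""

# client ident user [time] "METHOD URL PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
MSIE_RE = re.compile(r'MSIE (\d+)\.\d+')
INTRANET_SUFFIX = ".corp.example"  # assumed internal domain hosting the legacy site


def ie_major_version(user_agent):
    """Major version advertised by an MSIE token, or None if the agent is not IE."""
    m = MSIE_RE.search(user_agent)
    return int(m.group(1)) if m else None


def is_intranet(url):
    host = urlsplit(url).hostname or ""
    return host.endswith(INTRANET_SUFFIX)


def policy_for(entry):
    """In-line rule: an IE 6 client may reach the legacy intranet only; all else is allowed."""
    if ie_major_version(entry["ua"]) == 6 and not is_intranet(entry["url"]):
        return "block"
    return "allow"


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def ie6_clients(entries):
    """Requests per client that presented an IE 6 User-Agent: the upgrade worklist."""
    return dict(Counter(e["client"] for e in entries if ie_major_version(e["ua"]) == 6))


def decisions(entries):
    """(client, url, allow|block) for every request, as the in-line control would see it."""
    return [(e["client"], e["url"], policy_for(e)) for e in entries]
```

The User-Agent is self-reported, so treat the worklist as a starting point for inventory rather than proof; the policy still errs on the safe side by only ever restricting, never extending, what a client can reach.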