Champagne bottles were popping this week as victory was declared in the war on IE6. I say not so fast. The effort to rid the world of IE6 has been going on for some time, but a couple of recent high-profile events have brought this issue to the masses. The first was Operation Aurora, the Advanced Persistent Threat (APT) attack that allegedly came out of China and infiltrated Google, Adobe and 30+ other large corporations. While the vulnerability used to install the Hydraq Trojan at the core of the attack (CVE-2010-0249) affected all supported versions of IE, the exploit leveraged only worked against IE6. Why? Because IE6 lacks the security protections found in IE 7 and 8. The second story making the rounds this week is that Google has taken a stand and, starting next month, will phase out support for IE 6, beginning with Google Docs and Google Sites. I applaud this move. Only when end users can't access their favorite sites will we finally see the across-the-board upgrade that should have happened years ago.
Enterprises argue that there is no urgency to upgrade beyond IE 6 as it is still a supported browser. I argue that as a CISO, you're flat-out negligent if you haven't fought to get IE 6 off your network. Just because a product is still supported doesn't make it secure.
Yes, Microsoft will release security patches when vulnerabilities are found in IE 6, but IE 6 lacks numerous security features found in IE 7 and 8: exploit mitigations such as DEP and ASLR, and malicious URL/phishing blocklist protections. Note that these mitigations also depend on the platform: DEP needs Windows XP SP2 or later, ASLR only exists from Windows Vista onward, and IE8 is the first version that turns DEP on by default. This is why IE 6 is targeted by attackers: it is the low-hanging fruit in the browser world.
One thing is bothering me though. I keep hearing how IE8 is making great strides and that IE6 is finally dying off. I read numerous articles this week covering the NetApplications January 2010 report, which revealed that IE8 has now overtaken IE6 in terms of market share. Whenever I see such data I ask myself what the sample population is. Generally, such data is collected from server logs. As such, it represents a broad spectrum of end users, including both corporate and personal web traffic.

I have long believed that individuals are more likely to upgrade web browsers than corporations. After all, we all want the latest features, and software upgrades are just a click away. Corporations, on the other hand, don't generally allow users to decide what software runs on their desktops, and from a security perspective, they shouldn't. They also tend to focus on concerns over breaking functionality, often to the detriment of security.

What I'm interested in is seeing the browser market share for corporate users only. This is something that Zscaler is in a strong position to answer. We sell an enterprise offering, so our clients tend to be corporations or government entities. Being a SaaS offering, any web-capable device can utilize the Zscaler cloud, and certainly some enterprises have traffic from user-owned/controlled devices (personal laptops and smartphones) running through the cloud as well, but it's fair to say that overall, our view of the world is primarily enterprise traffic as opposed to personal traffic.

I therefore ran a query to determine web browser usage on our network for all of Q4 2009. As you can see, our results are very different from the NetApplications results. From October to December 2009, 72.21% of the traffic that we saw came from IE browsers. The pie chart breaks this traffic down to reveal the individual versions of IE encountered. Not only is IE6 still in the lead, but IE8 is barely on the map, a finding vastly different from the NetApplications stats, which show IE8 in the lead. My conclusion? Enterprises are not moving away from IE6 as quickly as the web population as a whole.
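The kind of query described above, as an added example that is not part of the original post or of Zscaler's own tooling: a Python tally of IE versions from the User-Agent field of proxy log lines. The log format and the log lines themselves are constructed for illustration. The example also handles one thing a naive count of the "MSIE x.y" token gets wrong: IE8 running in Compatibility View (the default for intranet sites and for sites on Microsoft's compatibility list) reports "MSIE 7.0" but still carries its "Trident/4.0" engine token, so the Trident token is used to recover the real version. The Trident-to-IE mapping for later engine versions (5.0 through 7.0) goes beyond the page's 2010 timeframe and is included for generality.

```python
import re
from collections import Counter

# Constructed sample proxy log lines (not real Zscaler data). Format assumed here:
#   <timestamp> <client-ip> <host> "<User-Agent>"
SAMPLE_LOG = """\
2009-12-01T09:00:01Z 10.1.1.10 www.example.com "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2009-12-01T09:00:02Z 10.1.1.11 www.example.com "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
2009-12-01T09:00:03Z 10.1.1.12 www.example.com "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0)"
2009-12-01T09:00:04Z 10.1.1.13 www.example.com "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
2009-12-01T09:00:05Z 10.1.1.14 www.example.com "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7"
2009-12-01T09:00:06Z 10.1.1.15 www.example.com "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

UA_RE = re.compile(r'"([^"]*)"\s*$')          # last quoted field on the line
MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")       # version IE claims to be
TRIDENT_RE = re.compile(r"Trident/(\d+)\.\d+")  # layout engine token, IE8 and later only

# Layout engine token -> real IE major version. IE7 and earlier send no Trident token.
# 4.0 -> IE8 is the case that matters for 2010; the later entries are a generalization.
TRIDENT_TO_IE = {4: 8, 5: 9, 6: 10, 7: 11}


def ie_version(ua, resolve_compat=True):
    """Return the IE major version for a User-Agent string, or None for non-IE browsers.

    With resolve_compat=True, an IE8+ build running in Compatibility View (which
    reports 'MSIE 7.0' but keeps its Trident token) is attributed to its real version.
    """
    m = MSIE_RE.search(ua)
    if not m:
        return None
    claimed = int(m.group(1))
    if resolve_compat:
        t = TRIDENT_RE.search(ua)
        if t:
            real = TRIDENT_TO_IE.get(int(t.group(1)))
            if real is not None and real > claimed:
                return real
    return claimed


def browser_share(log_text, resolve_compat=True):
    """Tally log lines by browser label ('IE6', 'IE7', ..., or 'non-IE')."""
    counts = Counter()
    for line in log_text.splitlines():
        m = UA_RE.search(line)
        if not m:
            continue  # malformed line: no quoted User-Agent field
        v = ie_version(m.group(1), resolve_compat)
        counts[f"IE{v}" if v is not None else "non-IE"] += 1
    return dict(counts)


def percentages(counts):
    """Convert raw counts to percentages rounded to two decimals."""
    total = sum(counts.values())
    return {k: round(100.0 * n / total, 2) for k, n in counts.items()} if total else {}


if __name__ == "__main__":
    for resolve in (False, True):
        print("compat-view resolved:", resolve,
              percentages(browser_share(SAMPLE_LOG, resolve)))
```

On the constructed sample, the naive count puts IE7 at two hits and IE8 at one; resolving the Trident token moves the Compatibility View line to IE8, giving IE8 two hits and IE7 one. Whichever way you count, a real query should state which rule it used, since the difference lands exactly on the IE7/IE8 split this post is arguing about.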
Let's hope that recent events such as Operation Aurora and Google's stand to drop IE6 support cause enterprises to better understand the urgency of this issue. Let's further hope that Microsoft puts IE6 out to pasture once and for all.