Virus Bulletin is reporting that a recent survey it conducted found that about one out of five people are still using the dangerously-out-of-date version six of Microsoft’s Internet Explorer.
There are probably a number of reasons for this:
— They are using IE6 at work with legacy systems that require IE6 (or IT never got around to updating the company’s browsers).
— They are using IE6 at home and don’t know that IE6 is frighteningly insecure.
— They are using IE6 at home and don’t know that there is such a thing as an update to browser software.
— They are using IE6 at home and don’t know there is such a thing as computer security.
VB said: “The browser has come in for heavy criticism due to numerous security flaws and its use of outdated technology. Indeed, in January both the French government and the German government issued advisories to computer users recommending that they switch to a different web browser, after it was discovered that IE 6 contained a serious security flaw that could be exploited by hackers and cybercriminals.”
They also wrote: “In VB’s poll, 15% of respondents said they were running the browser at work, indicating that, for many organizations, upgrading is not a priority – whether that is for reasons of compatibility with legacy applications or simply due to a lack of urgency in their IT departments.”
Another story at the top of the news today has some numbers that show just how insecure IE6 is when it comes to drive-by downloads of malcode.
Security blogger Brian Krebs, writing about a new free tool that will stop drive-by downloads, quoted SRI International researchers who have created the Block All Drive-By Download Exploits (BLADE) freeware.
SRI made public statistics from 5,154 drive-by download infections that were blocked by BLADE. “…because the tool allows the exploit but blocks the installation of the malicious payload, the group has been able to collect a great deal of interesting stats about the attacks, such as which browsers were most often attacked, which browser plug-ins were most-targeted, and so on.”
Exploits blocked were in:
— Firefox: 730 (14%)
— IE8: 900 (17%)
— IE7: 1202 (23%)
— IE6: 2322 (45%)
Clearly, the bad guys behind the drive-by sites are going after IE6.
AND, keep in mind, drive-by downloads are just one type of exploit that can take advantage of an insecure browser.
IE6 is a Web development pain
IE6 is not only a horrible security risk, but the browser – which first came out in 2001 – is a pain for Web developers to write pages for. So, a group of developers are taking the situation in hand and adding a notice to their sites to tell IE6 users to upgrade. As a matter of fact, they’ve put up a web site (IE6NoMore.com) which offers code that can be downloaded so OTHER developers can do the same. The code presents a notice which looks like this (in English):
IE6NoMore.com offers these notices in seven languages and says they are going to offer similar ones shortly in Arabic, Thai, Chinese, Farsi, Hungarian, Dutch, Polish, Danish, German, Hebrew and Russian.
I think these folks are serious.
Site IE6NoMore.com here: http://www.ie6nomore.com/
Virus Bulletin story here: “Nearly 20% still running IE 6”