NTA Monitor

Latest News

New version of network scanning tool arp-scan released

15th March 2011 A new version of a respected and popular network scanning tool has been released. Read More

Tests show rise in number of vulnerabilities affecting web applications with SQL Injection and XSS most common flaws

1st March 2011 SQL injection and cross-site scripting (XSS) were the most common flaws found in web applications in 2010 according to results from tests carried out by NTA Monitor. Read More

Assess risk to manage effects of budget cuts

9th February 2011 Signs of economic recovery may be appearing in some industries, but for most organisations - particularly in the public sector - budget cuts and cost savings are here to stay for the foreseeable future. Read More

"Basic security threats not changed in 15 years"

1st February 2011 There may have been significant technological advances to the hardware and software organisations use, but according to Roy Hills, who co-founded NTA Monitor in 1996, the basic security threats have not changed in the last 15 years. Read More

Will IE6 be the next NT4?

All penetration testers will remember the long tail of Windows NT 4.0, and how this operating system continued to be used long past the point when security updates stopped at the end of 2004. For many years the presence of an unpatchable NT4 server was a common issue in a penetration test report, and it is only now, almost five years after security support ended, that finding an NT4 system on a network is becoming a rare event.

But it looks like IE6 may become the next obsolete product that is in wide use and has unpatchable security vulnerabilities. IE6 is already eight years old, has numerous flaws that can not be fixed, but is still widely used and it has not even reached end of support status yet.

The problems with IE6 have been known for a long time. As far back as June 2004, US-CERT recommended moving to a different browser as one way to mitigate the security risks, saying:

"There are a number of significant vulnerabilities in technologies related to the IE domain/zone security model, trust in and access to the local file system (Local Machine Zone), the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented as operating system components that are used by IE and many other programs to provide web browser functionality. These components are integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system."

Many other security experts agree. For example, Bruce Schneier said in 2004, when IE6 was the latest version "Don't use Microsoft Internet Explorer, period". And you don't often get such unequivocal advice from a security expert.

Given this, and the fact that there are many alternative browsers, most of which are free, the obvious question is why is IE6 still being used? The reason is because of non-standard extensions that cause some websites that target IE6 to break when using other browsers, even later versions of IE in some cases.

It is clear that those sites that still use IE6 will need to start planning their transition to a safer browser soon. For those organisations who have coded their own web applications using IE6-specific extensions, this will probably require some application changes with the associated cost of making the changes and performing UAT and security testing on the new application. One thing that everyone should note for the future is to avoid the use of proprietary extensions, because these are the real reason that so many people are stuck with an insecure browser.