NTA Monitor

Latest News

Living with threats

1st August 2010 Back in 2004, Bill Gates predicted that spam would be a thing of the past within two years. As we all know now, and quite a lot of people predicted at the time, far from being a solved problem, the volume of spam has continued to increase. Read More

Web application security goes from bad to worse in many sectors

27th July 2010 NTA Monitor's 2010 Annual Web Application Security Report analysed the data gathered from web application security tests performed for a wide range of industry sectors over a 12-month period... Read More

IT Managers get to grips with Internet security issues

4th May 2010 According to NTA Monitor's 2010 Annual Security Report, the average number of Internet security vulnerabilities afflicting organisations has fallen.. Read More

Responsible Patching

1st January 2010 Microsoft's response to the "zero day" exploit that was used in the cyber attacks against Google shows that software vendors still have a lot to learn when it comes to responding to vulnerabilities. Read More

Will IE6 be the next NT4?

All penetration testers will remember the long tail of Windows NT 4.0, and how this operating system continued to be used long past the point when security updates stopped at the end of 2004. For many years the presence of an unpatchable NT4 server was a common issue in a penetration test report, and it is only now, almost five years after security support ended, that finding an NT4 system on a network is becoming a rare event.

But it looks like IE6 may become the next obsolete product that is in wide use and has unpatchable security vulnerabilities. IE6 is already eight years old, has numerous flaws that can not be fixed, but is still widely used and it has not even reached end of support status yet.

The problems with IE6 have been known for a long time. As far back as June 2004, US-CERT recommended moving to a different browser as one way to mitigate the security risks, saying:

"There are a number of significant vulnerabilities in technologies related to the IE domain/zone security model, trust in and access to the local file system (Local Machine Zone), the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. These technologies are implemented as operating system components that are used by IE and many other programs to provide web browser functionality. These components are integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system."

Many other security experts agree. For example, Bruce Schneier said in 2004, when IE6 was the latest version "Don't use Microsoft Internet Explorer, period". And you don't often get such unequivocal advice from a security expert.

Given this, and the fact that there are many alternative browsers, most of which are free, the obvious question is why is IE6 still being used? The reason is because of non-standard extensions that cause some websites that target IE6 to break when using other browsers, even later versions of IE in some cases.

It is clear that those sites that still use IE6 will need to start planning their transition to a safer browser soon. For those organisations who have coded their own web applications using IE6-specific extensions, this will probably require some application changes with the associated cost of making the changes and performing UAT and security testing on the new application. One thing that everyone should note for the future is to avoid the use of proprietary extensions, because these are the real reason that so many people are stuck with an insecure browser.