Websites start action to ask users to drop IE6!

[polonus]

Hi malware fighters,

Even MS agrees that this is a good action. Everyone should leave IE6 and either use an alternate browser like Fx etc. or upgrade to IE7. 20% of users still use IE6, because they do not know any better and are fully unaware or because their firm still works the older browser from 2001. Time for saying goodbye to insecure IE6: http://www.vincenthasselgard.no/2009/02/19/give-ie6-users-the-message-to-upgrade-or-change/

The action has been spotted to run on Norwegian, Australian and Indonesian sites. When will American websites run it, because there it can have the greatest impact...

Also an international Wiki has been started: http://ie6.forteller.net/index.php?title=Main_Page

polonus

[DavidR]

I still have IE6 installed on my XP Pro SP3 system (I never browse with IE) and it is still supported by security updates, the day that stops then perhaps I will update my system to whatever flavour of IE is current, probably IE8. But I still won't use it as my browser of choice unless it is totally independent of the OS where an exploit of the browser could effectively mean an exploit of the OS activeX, BHOs, integrated into the OS.

However if a site was to be so brash as to 'tell' me what browser to use, it wouldn't be long for this life in my favourites/bookmarks, etc...

MS might agree, because supporting IE6 is obviously an impact for them, IE7 is no panacea as that too is commonly exploited, so the next logical step I would have thought for those same sites to say no IE

[.: Mac :.]

I think is about time websites started to warn about IE6. IE7 has been around long enough for MS to fix most of the issues. Supporting IE is hard enough when there is one version for developers to worry about.

For example Apple's online Mail/Calendar/Storage service called MobileMe does not support any version of Internet Explorer. If you go there you are greeted with a message saying to switch to Firefox or Safari.

http://www.flickr.com/photos/rmohns/2780772267/

[DavidR]

The problem being MS are obligated to support IE6 as it is an integral part of the OS (my whole point about IE and exploits that could escalate to OS) and since IE6 shipped with XP Home and Pro, it has to be supported.

The XP Home is on extended life cycle but the XP Pro has a longer life cycle so they will have to support IE6 for some while yet.

I don't support your theory that "IE7 has been around long enough for MS to fix most of the issues." There are fresh vulnerabilities continually reported and there was a very recent patch for IE7 specifically and guess what IE6 and even IE5 were reported as unaffected software to what was being patched in IE7, progress.

[.: Mac :.]

The problem being MS are obligated to support IE6 as it is an integral part of the OS (my whole point about IE and exploits that could escalate to OS) and since IE6 shipped with XP Home and Pro, it has to be supported.

The XP Home is on extended life cycle but the XP Pro has a longer life cycle so they will have to support IE6 for some while yet.

I don't support your theory that "IE7 has been around long enough for MS to fix most of the issues." There are fresh vulnerabilities continually reported and there was a very recent patch for IE7 specifically and guess what IE6 and even IE5 were reported as unaffected software to what was being patched in IE7, progress.

Im not saying IE7 has been around long enough for them to fix most of the security vulnerabilities, there will always be more security vulnerabilities found. Im saying that most of the basic stability and performance bugs have been fixed to the point where there is little reason to still be using IE6 (unless the company IT staff mandated it for some reason)

[Mr.Agent]

In my opinion all user would got another browser with IE like Safari,Firefox or any other browser

I agree with you

[polonus]

Hi Mr.Agent,

Agree with you there, well as long as MS has not launched the proposed new Gazelle browser, a browser that comes no longer integrated in the OS and has sandbox like qualities, so you could throw infections out with the browser session. Re: http://research.microsoft.com/pubs/79655/gazelle.pdf
Eventually all browser should land at such a concept else there will be no defense left at the ever intensifying online malware flood that is getting more and more aggressive and advanced, and where malcreants use every exploit against the major browser and against the "broken" protocols - drive-by downloads, droppers, etc. etc.
At the moment the only solution here is a browser that does not allow scripts to run under certain circumstances, so secure is Firefox or Flock with NoScript extension, but this conception is way over the heads of the average nanny and granny so still whole armies and navies will get their computer turned into zombie machines to propel cyber-malware and spread it further,

polonus

[Lisandro]

A browser that comes no longer integrated in the OS and has sandbox like qualities

A little bit was done running IE on protected mode on Vista and UAC features, imho.

[polonus]

Hi Tech,

The whole situation can only change, when this all is done automatically, because the average users do not understand what they are up against, and the real protection policy  is way over their heads, I cannot see the average user install NoScript without later getting him/her to the help-desk with the problem that such and such is not functioning fully. These protection methods are for the more advanced user. So the average user should not worry about update, upgrade, patch and yes using the appropriate rights (not full admin rights off-course) or the application must be build in such a way that you can flush it right with the malware and you will start with a clean browser slate  every time you start it up or those parts of the browser that can infect you are  running as a virtual machine, and cannot hamper the Operational System.
At the moment we have a situation where you can patch after patch endlessly, websites have content from whatever source you can mention and the webmaster is not security savvy enough to prevent browser users from infecting them with drive-by-downloads, droppers, file-infectors, malware redirects etc. etc. , most Internet protocols are broken, SSL has been circumvented, and a whole litany of mishaps. Actually the whole Internet is hanging together by "rubber bands" so to put it, but that is the actual situation and we are on the verge of total collapse....so the solutions should be a drastic one, but of so simple a nature that a complete nitwit & n00b cannot tamper with them, the security should be 100% "idiot-proof" and complete,

polonus

[Lisandro]

The security should be 100% "idiot-proof" and complete,

Fully agree... and also that a non-OS-integrated browser will be better. I use Firefox with NoScript

[Alan Baxter]

However if a site was to be so brash as to 'tell' me what browser to use, it wouldn't be long for this life in my favourites/bookmarks, etc...

I agree in the sense that I won't be browbeaten into abandoning a browser.  But I never minded those messages that were a gentle hint, e.g. "Best if viewed in Netscape x.x or IE x".

The whole situation can only change, when this all is done automatically, because the average users do not understand what they are up against, and the real protection policy  is way over their heads, I cannot see the average user install NoScript without later getting him/her to the help-desk with the problem that such and such is not functioning fully.

The average users should not have to understand advanced security to use the Internet safely.  I think for many users that's already the case.  I have some elderly friends and relatives that find the Internet indispensable, especially email and the web.  They know about not opening unexpected email attachments or clicking on links in an email from their "financial institution".  They don't surf dodgy sites or install software on the PC that will "enhance their Internet experience".  They never have a problem with malware.

Software updates should be prompt, automatic, and relatively seamless.  Windows and Firefox provide reasonably good examples of this right now.  IE and Firefox should be secure with default settings and no add-ons.  And no, building NoScript into Firefox is not the solution.  NoScript's developer is working on a different approach.  http://hackademix.net/2008/12/20/introducing-abe/

the solutions should be a drastic one, but of so simple a nature that a complete nitwit & n00b cannot tamper with them, the security should be 100% "idiot-proof" and complete

I agree.  And we're getting there, polonus.  I think it's going to get better, not worse.