New hacker peril for older IE versions

Internet Explorer users are at risk from a newly discovered and unpatched vulnerability in older versions of Microsoft's browser. A security flaw involving a dangling pointer in Microsoft's HTML Viewer (mshtml.dll) creates a possible mechanism for hackers to crash the browser and inject malware, providing they can trick marks …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Coat

    Oh crap

    So our "lead developer" insists on using IE6 as "It's the best one" and won't allow us to update.

    Did I mention, that I was told to give him domain admin rights on his user, not power user. Not even local admin rights but DOMAIN ADMIN rights.

    Is it time to find a new network to manage?

    Mine's the one with the Opera badge on it.

  2. Anonymous Coward
    Stop

    @why the heck is anyone still using IE6 anyway?

    Well, there are two reasons.

    1. Most home users haven't got a clue what IE6 even means.

    2. Most businesses don't want to spend the huge amounts of money that testing an upgrade to a new browser/version would cost, when the one they have works well and is protected by company firewalls/whitelists/other blocking measures anyway.

  3. Bilgepipe

    IE6

    Still stuck with IE6 here. Well, I snuck Firefox onto my machine, but I *should be* stuck with IE6...

  4. Anonymous Coward
    Grenade

    Why IE6?

    Every enterprise I know has a half-baked, poorly-designed, badly-implemented, legacy CRM system that is 'company critical' but will never be upgraded. IT departments are forced to inflict IE6 on their users because application vendors won't provide official support for much else. Try having to support several CRM systems at various versions (some legacy) as well as Oracle applications and you quickly find that IE6 is the only official browser supported.

    Yes 'most' of it works on Firefox but then 'most' isn't good enough when on any random day a senior manager has browser/application compatibility issues.

    Don't get me started on Java compatibility between this type of application mix and the security implications. (Yes Oracle I am talking to YOU)

    1. Anonymous Coward
      Alert

      Spotted

      I smell another NHS worker here!

      We've the same issue, 4-5 different applications just don't work or are not supported on IE7-8 or alternatives.

  5. sath
    Alien

    As a work-mate has just pointed out

    It's clearly Microsoft trying to get people to upgrade to their IE 8, considering IE8 is considered to be in the clear but not 6 or 7.

  6. Anonymous Coward
    Black Helicopters

    Why is anyone still using IE6?

    Because of bureaucratic inertia. I work for a large, over-stretched and under-resourced government department.

    To re-assure the powers that be, at the highest levels, that a new browser would still work with all our legacy applications, and would be at least as secure as our current specially crippled version of IE6 would take a significant investment of time, money and personnel, all of which are in rather short supply right now. (We've just had a departmental-wide moratorium on coffee in meetings as a cost-saving measure.)

    Anonymous and helicopters because, for all that the IT here is quite painful at times, I still want to keep my job.

  7. Anonymous Coward
    Anonymous Coward

    @why the heck is anyone still using IE6 anyway?

    ... because our IT dept cannot roll-out anything else due to apps that were written for IE 6, combined with a total hatred of anything not MS such as Firefox.

    Do we have a virus / malware problem.... yep!!!

  8. shyted
    Linux

    ie 6

    IE 6 would be those on windows 2000. Still used on half the machines where I am and perfectly capable, course those machines are also running firefox as default.

    1. Petter

      Lumbered with I.E. 6

      How right you are. I have two machines, one running XP, the other 2000 pro. Both machines carry Sea Monkey and Firefox, but some software, such as Power Producer for my video camera, insists on access to I.E. Worse still, it wants IE 6, or later but Windows 2000 came with IE5. This I could upgrade to 6, but no higher, as Microsoft says it isn't compatible. So how come the very latest versions of Firefox and Sea Monkey don't have "compatibility" issues? Ah well. My 2000 machine is getting ready to retire, after seven years of reliable service and countless hardware upgrades, so I guess I'll be joining the ranks of those who have jumped right over Vista - twice. And my first priority will be to over-ride I.E 8, 9 (or quintillion) with Mozilla - and over-ride any pre-installed copies of office with good old OpenOffice.org

  9. Simon 6
    Grenade

    We need this!

    MS stopped supporting IE6 ages ago.

    A growing number of web sites and web designers have stopped supporting IE6

    The world would be a MUCH better place without IE6

    If it needs worms and viruses to force people to dump it then so be it. You don't even have to upgrade, just install a better and more secure browser which still gets updated with security patches (Firefox, Opera, Safari etc).

    Grenade because IE6 should have been blown to smithereens years ago...

  10. TB

    why the heck is anyone still using IE6 ...

    ... (why the heck is anyone still using IE6 anyway?)

    Because MS will not legitimately allow an upgrade to a higher IE version on Windows 2000 machines.

    So, I suppose the next question is why run Windows 2000? Which is easy to answer: it is less bloated than XP, boots faster and rarely crashes, it can go months between re-boots! On the Windows 2000 machine I normally use Firefox, but occasionally when there is a badly formatted web page or one which REQUIRES ActiveX the old IE6 has to be called into action (then closed down quick). I have XP machines too, but didn't like Vista at all. I will try Windows7 once I've dug a bit deeper into the licensing and DRM implications.

  11. Anonymous Coward
    WTF?

    Anyone for win 2000

    Cause we're stuck with IE 6 whether we like it or not. Could use firefox though that brings in its own bloody issues of keeping it up to date as mozilla doesn't see fit to provide an .msi and as you have to have elevated rights to patch firefox it's an arse pain.

  12. Petey
    FAIL

    @anonymous coward who talks about Oracle

    If you read up on this at ALL you would realise that Oracle addressed Java compatibility issues ages ago.

    Get a half-decent DBA who can update the JRE on your Oracle Apps server and you will never be stuck with IE6 or any other crap browser again.

  13. Simon.W
    Alert

    IE6 the bane of my life...

    but the darling of lazy internal developers and external vendors.

    'fraid to say we have swathes of PCs that are required to stick with IE6 because the web apps just don't work with anything else.

    One would think that when the decision is made to use a particular architecture for web apps, such as Internet Explorer, then the developers would follow the life cycle. But oh no, it's not to be - who knows why, they've years to plan a change, probably that most of them catch up with sleep when in the office ;)

  14. Anonymous Coward
    Grenade

    Internet Explorer users are at risk

    "Internet Explorer users are at risk" - yep, that's as far as you need to read. Heh-heh (waits for flames).

  15. Anonymous Coward
    Anonymous Coward

    @Anonymous Coward

    Oracle has supported >IE6 and FF for a long time. The problem is in getting businesses to spend time/money applying/testing the patches to enable that support.

  16. Anonymous Coward
    Anonymous Coward

    why the heck is anyone still using IE5.5 anyway?

    ...Perhaps because I have better things to do with my money than buy new computers every three years because MS et al are determined to have people chase the latest "big shiny".

  17. Octopoid

    @Perhaps because I have better things to do with my money than buy new computers every three years

    What on earth has that got to do with IE5.5?

    IE8 is considerably faster and more efficient - it'll run way better on old machines.

    Try it - you'll find the web starts actually working properly again.

  18. Anonymous Coward
    Anonymous Coward

    Keep the focus where it belongs

    ".. because our IT dept cannot roll-out anything else due to apps that were written for IE 6, combined with a total hatred of anything not MS such as Firefox."

    "If it needs worms and viruses to force people to dump it then so be it. "

    and others bemoaning lazy developers.

    You need to think about IT in a large corporation, not just as a home user. They are completely different things and from some of the quotes on here not everyone understands that.

    To some it is as simple as "just download <insert browser of choice>" and the world will be a better place. That might work for home and novice users. However, corporate environments are usually (should be!) pretty locked down and users can't do that. Only the IT department can do that and they were involved in commissioning applications years ago, which they were assured by MS and others that the best way to future proof was to code to IE6 which was ubiquitous. Of course it became apparent that IE6 despite being ubiquitous did not conform to standards other than the MS "extended" ones, which means standards based browsers of any sort now will often not work correctly with an application developed for IE6.

    Of course, the apps *should* have been coded to work with standards, but then they would never have worked with IE. So we are left supporting legacy applications that only work with IE6. As MS have actually attempted to support some standards in the later versions of IE, then so those later versions of IE do not always support pages written for IE6 either. You can sometimes get away with setting compatibility mode which was paradoxically introduced to make the standards compatible browser INcompatible with the standards in a similar way to earlier versions of IE in order to attempt to provide some backwards compatibility - always overlooked by MS.

    Now those same people are being told to re-write their applications to get away from that crummy old browser (remember - the one that was going to provide longevity and standards if only you would write your apps to work with it?) and write them some other way that will provide longevity and standards. We promise we won't say the same again to you in a few years, and drop your support, honest.

    I agree with AC above:

    "...Perhaps because I have better things to do with my money than buy new computers every three years because MS et al are determined to have people chase the latest "big shiny"."

    It is all about clever marketing, and the people who harp on about getting the latest browsers/OS are sadly being led by the nose by the marketing types, forgetting that IE6 on Windows 2000 was once the latest browser/OS and that it would save us all.

    It's like Groundhog day.

  19. Anonymous Coward
    Gates Horns

    Still no excuse

    Got to use IE6 for your intranet? fine.

    But DON'T use it for anything else. Make a white-list that includes nothing but your intranet/crappy CRM software etc. Then use a real browser for the real internet.

    It's so simple that even you wintards have to agree it's a good idea.

  20. Nathan Williams
    Grenade

    @AC using 5.5

    If you are--as I suspect--a troll...then well played. If not, well then that's just...sad.

    IE 5.5 came out in 2000, and the only OS that IE 5.5 runs on that cannot also run at least IE 6 is Windows 95. If in the past TEN YEARS you couldn't be arsed to purchase a machine capable of running anything beyond Windows 95, then you deserve every bit of the torture you're putting yourself through. Penny pincher or not, it's time for an upgrade. It doesn't need to be the shiniest box on the shelf, but it should be a machine capable of running an operating system--be it Microsoft or not--that was written this millennium. Forget security--do it for your own sanity!

  21. Tim Jenkins

    Trick or Treat?

    "...providing they can trick marks into visiting maliciously constructed sites..."

    I know you're just using similar wording to that which Microsoft and others spout when they are forced to acknowledge flaws in their products, but in the real world isn't it rather more likely that this exploit (like many others) is deployed via hostile code injected into otherwise legitimate sites?

    The idea that an infected user must have been 'tricked' into going somewhere dodgy (and is by extension at least partly culpable due to their gullibility) is just an attempt by the originators of the vulnerable OS/browser/app to try and shift some of the blame, and repeating it smacks of lazy journalism...

  22. takuhii

    Here's a chance to dump IE6

    Fix it for IE7 and tell everyone to upgrade, IE6 is the worst browser on the planet and an absolute a*se to code for!!

  23. Anonymous Coward
    FAIL

    Wrong question...

    "Why is anyone using Internet Explorer?" is the correct one. It doesn't matter what version, they are all out-of-date, crippleware and it looks like IE9 is not going to make any difference to that.

  24. Anonymous Coward
    Stop

    Windows 2000

    Bring out IE8 for Windows 2000 and I'll upgrade, otherwise MS should just STFU.

    I use Firefox for everything except work, where I HAVE to use IE (due to stupid client's web site design).

  25. webster phreaky ate my iphone
    Happy

    Hey! Don't knock IE6!

    Some of us will miss needing to know the various bugs in IE6 when it does finally bite the dust. (Personal fave, float and margin in the same direction doubles the margin size, fixed by using display inline! Classic!). Anyway with (I believe) ~40% of corporate users still on IE6, it ain't disappearing anytime soon.

  26. Anonymous Coward
    Anonymous Coward

    @Trick or Treat?

    Hear hear! My thought exactly.

  27. Anonymous Coward
    Anonymous Coward

    Netscape 4 - A Warning From History

    Do you remember how NS4 lingered like a particularly bad smell whilst we all dreamed that everyone would upgrade to IE6 to make our lives easier?

    Well expect more of the same with IE6. In fact, expect worse because this time there are more computer systems out there that are deemed to be running happily as they are, and there is no Y2K-Bug opportunity to sweep what's left under the carpet under the pretence of a necessary major systems upgrade.

    IE9 and the other browsers need to create new vital functions that save businesses money, only then will they switch. SVG isn't it because Flash already works. Acid3 isn't it because bosses only care *that* it renders, not *how* it renders. PNG isn't it, firstly because you can already just flatten your layers in Photoshop and add all those shadows and transparent effects as images, and secondly because IE already has proprietary transparency that works. XHR works since IE5 - after all, they invented it, so no benefits there.

    So, why should a company upgrade from IE6 if it's been working for the last decade and still works now? McDonald's ketchup isn't as high quality as Heinz Organic, but they still use it - because it's cheaper and they don't want to spend more money on something that isn't going to make a return.

  28. Richard 102
    Alert

    Lead

    "Internet Explorer users are at risk from a newly discovered and unpatched vulnerability in older versions of Microsoft's browser."

    The heck you say.

  29. Kevin (Just Kevin)
    Boffin

    (why the heck is anyone still using IE6 anyway?)

    Think about a large corporation with outsourced IT systems - CRM, Internal Staff systems, etc. They cost hundreds of thousands of dollars to upgrade. Maybe more once you include all the labour and testing.

    Now make sure they all work on 50,000+ PCs running different combos of applications (let's assume we're only talking about the official ones). Do you spend the fortune of money to fix something that isn't broken (from the point of view of management, not geeks) hoping IE6 continues to work and then work on the roll-out of a new browser to 50,000+ machines? Or do you have to synchronise the two?

    As "Keep the focus" said above, it's much harder in BIG IT environments. We only recently shut down our last official NT box (I'm sure there are still some out there). XP+IE6 is our standard install. And Office2003. They're currently looking at Win7+IE8 for some time next year but it's a HUGE undertaking. There's a trial going on of Office2007. We're over 6 months (maybe more) into replacing our remote access solution because several legacy apps don't work on the new one (which is so much better than the previous ones).

    I stopped with IE7 on my machine and now run FF or Chrome because IE8 is cr*p at memory management - my machine just starts thrashing a half hour into my day as IE8 tries to page all those duplicate copies of its megabloat in and out. IE7 takes about 400MB, IE8 takes up 300MB per instance and get half a dozen of them.

    Now solve that for 50,000 other installs. It's hard. It takes time. We bitch and moan about it in the trenches but when you stop and think it through, you get it.

  30. JC 2

    Why IE6?

    Simple really, once upon a time ago everyone used it. Those who knew what they were doing developed workarounds and safe computing practices, unlike those who feel it's a big change in their security to move on.

    A hint about that: No matter how insecure your box might be, you don't have to use the same environment to browse the net and open email as you use for banking, and online purchases can use one-use credit card numbers.

    PC gets infected, nothing beats a full system backup and restore. Takes less time than just doing a full virus scan these days and then there's no question whatever it was is gone. There will always be vulnerabilities, and till MS is dethroned running the latest IE isn't an answer to security so let's call it for what it is:

    Some people value the new features in IE7 or 8, and some people don't. Some feel newer is better in a general kind of way, and others wait for need-based upgrades. They run IE6 because their system shipped with IE6. They'll run IE8 when they buy their next PC that comes with IE8 on it.

    The rest of us will use Firefox... gotta luv those add-ons.

  31. Mark Simon

    @why the heck is anyone still using IE6 anyway?

    No Reason.

    It may not be the individual users' fault, but any IT department which is still geared toward IE6 is run by morons.

    In fact gearing your intranet towards any specific browser is asking for trouble, and towards IE is asking for double trouble.

  32. dreamingspire
    Happy

    I'm with...

    ...TB@12.25: Firefox normally, IE6 when I have to use IE, but main systems are XP. But will have to pension off that W2K system soon as support for its s/w dwindles. So I'm dipping my toe in W7, mounted on one of those bargain basement systems that Morgans used to sell.

    One use for the W2K system is booking coach tickets by Nat Express: using Firefox with Noscript on XP fails at the transfer to the payment function: XSS use is reported and the transaction gets blocked. Rail bookings on other sites (those using Trainline s/w) go through OK on XP.

  33. Al fazed
    FAIL

    browser bollox

    @Nathan Williams,

    constantly upgrading my browsers and OS creates anything but sanity, where have you been?

    Counting since Win 3.1 there have been six new Microsoft Operating Systems, Ubuntu Linux alone has released about the same number in half that time, and I can't be arsed to work out how many Red Hats etc, there have been.

    Netscape becomes Mozilla, becomes Seamonkey, par Firefox BLAH, BLAH, BLAH, BLAHHHHHH!

    Do any of them work in all situations?

    The honest answer for all you Linuxtards is NO they don't!

    So if you want to get any work done, or design apps for the majority of web surfers, that's why I still need a version of IE 6. As with the UK's nuclear capability, which I believe is still running on Windows 2000, in some parts of the net, it is all that works, while the likes of Firefox and SeaMonkey on Ubuntu 9.04 - just don't work where you expect they should. I am talking MySpace you penguin heads. Every Flash advert I block still runs merrily along while the control panel required to play the tracks is in-bloody-visible, except in Opera on Ubuntu and IE6 on Windose 2000.

    SHOCK HORROR beware of the blind sick penguins.

    ALF

  34. N2

    @Oh crap

    Please tell me this is a joke?

    IE 6.0 may be folly but domain admin rights as well is really asking for it.

  35. Anonymous Coward
    Linux

    @ Al fazed

    "Firefox and SeaMonkey on Ubuntu 9.04 - just don't work where you expect they should. I am talking MySpace you penguin heads"

    World's most poorly designed website has issues running in certain browsers? Well blow me down.

    Mozilla could hard code MySpace into Firefox's blacklist and you wouldn't hear any complaints from me.

    Oh yeah I forgot, MySpace isn't a toy anymore, it's an important business opportunity - says the guys in the marketing department who spend all their time on MySpace regardless, go figure.

  36. Nathan Williams
    Pint

    @Al fazed

    I'm not trying to advocate _constantly_ upgrading. I am trying to point out that there have been significant improvements in hardware and software in the past decade--both in areas of performance and security--which the user I was responding to would likely find to his advantage.

    While I agree that attempting to stay on the bleeding edge of technology is a frustrating and ultimately fruitless exercise, it is my humble opinion that the benefits of updating outweigh the disadvantages for the person in question at this time, and that there are several negative aspects with such an outdated configuration that even further argue for an upgrade. Perhaps my original tone was off-putting, for which I apologize -- I was reacting to the IE5.5 subject line, which is one of the banes of my existence and some of that came through in my post.
