MS spins IE security disaster into Windows 7 upgrade opportunity

Microsoft is doing its best to deflect from the software vendor’s ugly, fat security hole in Internet Explorer 6, by telling customers to not only upgrade their browser for the latest version of IE, but also to ditch Windows XP while they’re at it. The much-loved operating system that refuses to die is vulnerable to attack, …

COMMENTS

  1. Anonymous Coward
    Flame

    @Which is a bit like saying "foot, meet gun."

    Well it's better than "heart, meet gun".

    1. Fatman
      Grenade

      @Which is a bit like.....

      Actually, I think it is more like, "nuts, meet gun"!!

  2. lukewarmdog
    Badgers

    Damage Limitation

    "there are a number of ways to limit the attack to an IE crash"

    Chrome, Firefox, Opera..

    1. David 138
      FAIL

      Damage Delay!!!

      If you move to Chrome, Firefox or Opera what do you do when they get their next exploit?? FF will take a good year to fix it, and you can't centrally patch it.

      Ultimately you will end up with two security holes not just one, and have to manually fix one of them. Bugger that.

      1. Anonymous Coward
        Anonymous Coward

        Central Patching??

        My OS and all my applications including the browser are already centrally patched

        Linux, welcoming you to the easy way of updating your PC

    2. Ian McNee
      Linux

      And...

      ...Ubuntu, Fedora, Mandriva, Knoppix...

    3. Iggle Piggle

      I feel a little sorry for MS

      (but only a very little bit)

      Every company I've ever worked for (and there have been many) always says the same thing when a client phones with a problem. "What version are you using?" Usually, if the answer is not the latest, then the answer will be "Well, upgrade to the latest version and call back if you still have the same problem."

      Microsoft are getting complaints about a version of software that is two behind the latest running on a version of their OS that is also two behind the latest but nobody is cutting them any slack. Now if I claimed I had problems with an ancient version of Firefox running on Fedora would you tell me to upgrade or advise me to move to another browser and another OS?

      That said, Microsoft, if you have ambitions of maintaining your market lead in the browser field then for heavens sake start fixing these bugs as quickly as you can even if that means patching ancient versions.

  3. Ocular Sinister
    WTF?

    They can enable DEP via the web browser?!

    I couldn't help noticing the article linked has a big fat 'Enable DEP' button that claims to turn DEP on, via the web browser. Surely, it's only a matter of time before some miscreant works out a way to *disable* it via the web browser...

    1. gollux
      Badgers

      And given...

      the underlying computer architecture, sometimes I wonder if it isn't just a big "Do Nothing" button, a kind of digital placebo so you can feel like you did something.

  4. Anonymous Coward
    WTF?

    I'm no fanboi, but...

    I really don't think that's quite what that diagram's saying. Certainly not to me. It seems to be a straightforward browser-on-os chart, and is quite correct in saying that IE6 on XP is vulnerable whilst IE8 on XP isn't. If you really, really, really must stick with IE7, then it's potentially duff on XP but OK on Fista.

    Umm, how would you have preferred to see 'em lay that out?

  5. Anonymous Coward
    Anonymous Coward

    Not the same drivel again

    Microsoft urges user to upgrade to more secure OS (not!)

    Windows 95 ...... Windows 98 SE

    Windows 98 SE ......Windows NT

    Windows NT ...... Windows 2000

    Windows 2000 ...... Windows XP

    Windows XP ...... Windows Vista (rejected)

    Windows XP ....... Windows 7 (Vista Service Pack 2)

    (incomplete list)

    After over 25 years of virus ridden, bloated, and buggy software you would think people would learn not to use it. The only safe computer running Microsoft software is one that is never switched on!

    1. Anonymous Coward
      Flame

      Hate to be a peddant...

      ..., well, I don't *really*. M$ never advised 98SE to NT - at that time, NT was for business users, 9x was home users. It should be 98SE to ME (yuk!) to XP for home users and NT>2000>XP/2003.

      And I should say that although Linux can be more stable (with some notable exceptions), when they go wrong (and contrary to the fanboyz, they DO), Windows is easier to fix.

      But, I won't argue with someone who is obviously somewhat blinkered into a Tux-lovin' frenzy of M$ bashing - it's far more interesting to watch paint dry, or watch repeats of Dad's Army...

  6. mrlumpy
    Flame

    FFS!

    "Worse still, it’s doing this even though the firm cannot offer a watertight guarantee that those later editions of Internet Explorer won’t also be exposed to the same security flaw. In fact, they are at risk from the same attack."

    So potentially the last 3 desktop OSes by Microsoft are borked? They released XP with this vulnerability, then Vista with the same hole and finally Windows7.

    I use linux, solaris, windows and OSX and I am mightily peed off that all OS and software vendors keep jamming in functions and add-ons and upgrades yet can not create stable, secure and reliable products.

    If car manufacturers did this there would be an uproar, imagine parking your car in a car park only to return later and find that your stereo was missing due to a design fault that meant a thief could gain entry easily with minimal effort (and I'm not talking about windows). Or your front door could be opened by a burglar wriggling the handle a funny way?

    But software vendors get away with it and we let them time after time after time.

    I for one am sick of it.

    1. gizmo23

      Re: FFS!

      "I use linux, solaris, windows and OSX"

      Have you tried Solaris with the trusted extensions? Certain govt. depts. use/mandate it. Not that that's a recommendation, mind you, they can lose data faster than you can say "Don't plug that USB stick in". At least Sun have tried to make a more secure version of their OS.

    2. Anonymous Coward
      Anonymous Coward

      re: mrlumpy

      "Or your front door could be opened by a burglar wriggling the handle a funny way?"

      Your front door CAN be opened by a burglar wriggling the handle a funny way.

      Ever heard of a bump key?

      You can buy them or make them yourself, then gain access to someone's home in seconds.

      The average front door really isn't that secure.

  7. Rob Haswell
    Thumb Up

    I don't mind

    Any dirty tricks Microsoft wants to get more installations of IE6 off the streets are fine by me. As a web developer, I don't care if they want to blow up a busload of kittens as long as they convince people and companies to just get rid of it.

    1. Hedley Phillips

      Would somebody please think of the kittens

      While I share your same enthusiasm in seeing the back of IE 6, I can not and will not condone the killing of kittens ok?

      1. Anonymous Coward
        Boffin

        Not even if...

        the kittens wrote IE6 in the first place?

        You have to admit, it'd explain a lot of things...

    2. Annihilator
      Coffee/keyboard

      Blow up a busload of kittens

      You sir, have cheered me up at the end of a crap day. Mainly because I got an image of Keanu Reeves saying "whoa" a lot in a dead-pan voice while trying to stop said bus from dropping below 50.

      Complete with Antonio Banderas/Puss In Boots on board.

  8. Piro Silver badge
    FAIL

    DEP

    Isn't this all because DEP is opt-in by default?

    Ugh. The only difference between 6 and 7/8 is that 6 doesn't opt-in to DEP without you changing that

  9. Anonymous Coward
    Pirate

    Grrrrrr

    Just reminds me why I hate PR drones.

    Pirates because they at least have a higher code of ethics.

  10. Robert E A Harvey
    Gates Horns

    Trust us, we know what we did wrong last time

    OK, the last 13 things we sold you were crap. All your problems will be solved by giving us some more money.

    1. Anonymous Coward
      Anonymous Coward

      Standard business practice

      Think new improved washing powders. The advertising has told us for the last fifty odd years that the old version of the powder only got your whites white, but the new version gets them whiter than white. And they managed to show this even on old B&W TVs. Of course the sensible response to those adverts is to say "if this is true then you lied to us last time" but nobody ever does.

      It doesn't matter if it's computer software, a TV, a car or any other consumer product, this has always been the way. Car companies will happily tell you that the latest model is more reliable, faster, more economical, better handling and cheaper to run than the old model. But they told us that the old model was 100% reliable and, well, you get the picture.

      1. Robert E A Harvey
        FAIL

        Maybe so

        But that doesn't mean I'm likely to buy the new washing powder or the new car or the new version of windows.

  11. Mark Broadhurst
    Stop

    In other news

    Anti-MS brigade gets usual FUD article published on El reg.

    IE6 on XP is vulnerable, MS have been trying to get people to upgrade for years now.

    The exploit "could" be updated to work on IE7 and IE8 but there is no evidence that it has.

    Can you really blame them for trying to get people to upgrade ?

  12. Jeremy Chappell
    Flame

    Windows 7

    Isn't Windows 7 less secure (with default settings) than Windows Vista SP2? What is the most secure version of Windows(with default settings)?

    I know Microsoft keep talking up Windows 7, but I thought UAC was less secure...

    1. Indian-Art
      Alien

      Will have to upgrade to Windows 8 when the next attack occurs

      I feel they will ask us to upgrade to Windows 8 when the next attack occurs.

      Lets avoid this by using the safe and secure UBUNTU!

  13. GaileF0rce

    Force users to upgrade

    The pros/cons of IE alternatives aside, am I the only one who thinks Microsoft should be doing more to force people to upgrade? Maybe "force" is a bit strong, but at least encourage or reduce support. I appreciate the "If it's not broke, don't fix it" mantra but you can hardly call the current patching circus not being broke. Using this as an example, the fact that there is a large number of corporates still using IE6 (the number's larger than you might think) says more about lazy IT departments, developers and the organisations still using this stuff than Microsoft.

    I appreciate that Microsoft feel obligated to keep old software going as they're scared stiff of losing customers, but they're as likely to lose customers anyway with this type of thing. Don't recommend an upgrade - make it a requirement. And there's something inside me that believes if Microsoft wasn't forced to make everything they do so backwards compatible - having to include old code in new software - there wouldn't be as many of these issues turning up.

    1. Anonymous Coward
      FAIL

      legacy

      "[..] (MS) to force people to upgrade"

      MS would love to do that! But that's not the problem why people use IE6. It's legacy applications, built on top of IE6 by other companies. Those applications were expensive! And rewriting them, so they will use normal open standards, is more expensive than losing all their company data (IP and all) to crackers. That's why companies don't switch to IE6.

      Of course the irony is that the tactic of IE6 was exactly this. A vendor lock-in. To make sure people would always use IE. Boy did that back fire into a PR nightmare now.

      From this day on, everybody knows the risks of not using open standards and having a vendor lock-in on the most valuable part of your business. MS will never be able to sell this again. I mean we now have .NET and SharePoint.... oh oops!

      1. herry
        FAIL

        Vendor lock in?

        I don't believe any web applications are too big/complicated to rewrite.

        These are large corporations who have all the money and resources in the world.

        It's the people working there who can't be bothered to rewrite it since it's not broken.

        Hence the term vendor lock in.

        If these companies are willing to risk losing all data by sticking with ancient software then maybe they deserve it.

        Losing data means no work right so it must be good for everyone.

  14. Anonymous Coward
    Thumb Down

    Don't see what the fuss is about

    Why are people still running IE6 anyway?

    I can't see what the problem is with MS telling users to update to the latest version of IE. IE6 is 2 versions behind the latest major release after all.

    I think folk are giving 90% of the Internet population too much credit when they suggest switching to firefox or chrome. Most users are too daft to understand how to use the address bar to type a URL never mind comprehend another web browser.

    1. Eponymous Cowherd
      Thumb Down

      Corporates

      People are running IE6 because their bosses make them use it. The installation of alternatives (including the MS ones, never mind FF, Chrome or Opera) are strictly verboten and non-compliance can result in being fast-tracked to the job centre.

      Stupid, I know, but when have corporate stuffed shirts ever made much sense?

    2. Anonymous Coward
      Unhappy

      So right

      Unhappily I can only concur. Most Windows computers I see at customers' sites (I'm fruity) have multiple toolbars on the browsers, and if they can't find the address by typing something like it into Google, then it just don't exist as far as they are concerned.

  15. Anonymous Coward
    FAIL

    hold on ....

    ......and I quote.... "Microsoft is doing its best to deflect from the software vendor’s ugly, fat security hole in Internet Explorer 6, by telling customers to not only upgrade their browser for the latest version of IE, but also to ditch Windows XP while they’re at it."

    Am I reading this correctly? They're saying upgrade to Win 7, which was named as also subject to the same problem by the German security researchers that uncovered this little nest of vipers in the story run last week. Anyone care to guesstimate how much that would cost those users so affected? Be honest and include the hardware costs in your working folks, because the chances of getting W7 up and running on anything that shipped with IE6 in the preinstall are slim. Opportunistic disingenuous garbage attempting to misdirect attention from the same MS marketing dweebs who stated cheerfully that Vista was "best ever", and who have known about the potential for an exploit with this vuln for quite some time. The researchers only went public with proof of concept code last week.

    Further, the unusual hacks of gmail accounts belonging to potential dissidents last were run using this same vulnerability ???? Oh marvellous. Bearing in mind the nature of the activity I think it's fair to say that this means those that get "owned" are getting owned by the Chinese security services or contractors for them at the very least.

    Google possibly running this admittedly outdated browser purely in order to give on the cheap, legally mandated wiretap functionality in order to guarantee our security, leading to substantive failures in security for folks not involved in being dissident or crims ? Fscking ironic or what ?

    Amazing..... I couldn't decide between WTF or FAIL icons, but on the basis of the amount of fail this news contains, there really could be only one.

  16. Roger Greenwood
    Linux

    That graph . .

    . . just shows that the bad guys lag a bit behind in finding the cracks.

    http://blogs.technet.com/srd/archive/2010/01/15/assessing-risk-of-ie-0day-vulnerability.aspx

  17. Steve Evans
    Gates Horns

    If XP + IE6 is so bad...

    Odd they didn't mention you can just go download IE8 for free and stick it on your XP machine.

    1. Anonymous Coward
      FAIL

      Umm...

      They did.

      A sentence or two later, they "also" recommended the OS be upgraded.

    2. Anonymous Coward
      Stop

      Reading... we've heard of it

      “We recommend users of IE 6 on Windows XP upgrade to a new version of Internet Explorer and/or enable DEP. Users of other platforms are at reduced risk. We also recommend users of Windows XP upgrade to newer versions of Windows.”

      Come on now, you can do it. Sound the words out. Just the first sentence is fine.

      A Windows upgrade is the secondary advice.

  18. SilverWave
    Linux

    Move over to Firefox/windows(short term) then Firefox/Linux(long term).

    It's the only way to be sure...

    Oh and thanks to Microsoft for this classic security FAIL.

    1. Jamie Jones Silver badge

      Then Firefox/BSD longer term!

      Firefox/FreeBSD, or openBSD if you're paranoid.

  19. The Vociferous Time Waster

    Freetard flamers

    Srsly.

    Get over it.

    Nobody actually cares what browser or OS they use as long as it does what they want it to do, this is normally Facebook, email and the odd typed and spellchecked letter to the agony column of the Sun. If you produce a device which does that then the only other factor that people will care about is price.

    Now I'm sorry, Mactards, your kit is too expensive. It's the BMW of computers. Although it may be very lovely, most people buy it because it's more expensive than a Ford and they want to show off. Everyone else knows that a Ford does the same thing for a lot less.

    Linux users, you're the Daewoo drivers. Yes it's a BMW for less than the price of a Ford but it's a bugger to get it serviced so unless you are capable of doing it yourself or have a spotty teenage son/grandson who hasn't discovered girls to do it for you, you're not going to bother.

    In a company environment they're going to buy Fords because they're cheaper than BMWs (they'll keep the BMWs for the people who don't do much mileage) and easier to maintain than a Daewoo. You also know the resale value because Fords are predictable whereas who knows where Daewoo will be this time next year.

    1. Eponymous Cowherd
      FAIL

      Analogy Failed!

      Daewoo are now badged as Chevrolet and are sold and serviced by GM (i.e. Vauxhall) dealers in the UK.

    2. JEDIDIAH
      Linux

      Unix is in fact for lazy people

      ANY OS requires the user to maintain it.

      The key is to build a system that seeks to subject the user to as little "maintenance" as possible rather than depending on the more common idea of "just shove it out as quick as you can and patch it later". A novice consumer will be no more able to deal with Windows than any other system. This is just a widely perpetuated myth.

      However, Windows and its vendor applications are much more insecure by design.

      Ditch IE entirely if you can. Ditch any MS apps that you can.

    3. Anonymous Coward
      Anonymous Coward

      Snigger....

      Microsoft users are Trabant drivers: it's a product of a monopoly, poorly made and restarts after you hit it with a hammer (aka a Ctrl-Alt-Del reboot). The poor owners had to third parties to keep it working. Unfortunately, unlike the fall of the Berlin Wall, Microsoft is taking longer to collapse!

    4. Dazed and Confused

      Re: The Vociferous Time Waster - Daewoo

      Sorry, I can't see the analogy between Linux and a Daewoo. Daewoos are cheap cars for people who just want to get from A to B and don't give a sh1t about cars. That is not the sort of person who tends to use Linux. Linux is used predominantly by people who care passionately about computers and would actually like them to work. They are also generally people who tend to tinker, but I doubt that the self maintainers are a high percentage of Daewoo owners; it is actually more likely that they never even open their bonnet. Let's face it, they ain't going to be showing it off to their mates and remember they don't care about cars.

      Daewoo drivers are much more likely to be windows users, they probably don't even know there is an alternative.

    5. Lars Silver badge
      Happy

      Re: Freetard

      "Fords are predictable whereas who knows where Daewoo will be this time next year."

      Assuming you meant to say "Ford is" and not "Fords are", else there is no sense in the sentence.

      But looking at the state of the US car industry, I still hope you are right, and perhaps Ford Europe will keep Ford alive.

    6. Anonymous Coward
      FAIL

      @The Vociferous Time Waster "A Daewoo's a BMW for the price of a Ford"

      Hmm. Never seen a Daewoo churning out 500hp while still seating 5 persons comfortably.

      Seriously: get a life.

    7. Anonymous Coward
      Flame

      Old info

      Taking your inaccurate statement "your kit is too expensive", change it to "your much more secure, virus-free kit is too expensive for me". There, fixed it for you!

      Can't afford Macintosh? You might be able to if you didn't have to buy Anti-Virus and other security software.

      Mind you, Macs are generally bought by people who don't buy the cheapest rubbish just cos it's cheap. More successful and better paid people generally, would you not agree? Good at decision making and choosing the right alternative, right? Obviously better at making decisions than you it would seem.

      That's why they bought a Mac, so they don't end up getting raped by Microsoft and/or its mistakes every couple of years.

      Are you jealous?

      The only thing good about this is that a lot more Sysadmins and Consultants will have a little more money and job security over the next few months....unless they were the short-sighted idiots who suggested going with Microsoft in the first place, that is!

  20. amanfromMars 1 Silver badge

    The Edsel Eureka Moment

    "However, there are a number of ways to limit the attack to an IE crash and prevent attacker code execution,” said Microsoft."

    Err, is that the mighty Microsoft solution to the vulnerability which allows attack code execution .... crash Internet Explorer ..... and is therefore a tacit admission that there is no found and/or sound solution and the vulnerability is a Systemic Catastrophic Flaw in the Microsoft business model and Windows Operating System?

    Head, meet howitzer?

  21. OH BLOODY HELL
    Grenade

    Surrreee...it's ALL Microsoft's fault...surrreeee....

    Google running IE6!? Wow. HAHA! They're not even using their grrigin browser??!!! There's faith & competency for you! I also read a story a while back that they had "OPEN" (unsecured) WiFi in one or more of their locations.

    This is just another case of stupid people & management, doing stupid things, with no accountability anywhere in sight! The ills of the Internet, software, and info-technology as a whole...when designed, created, implemented and USED by humans (especially older or unpatched code) offers a moronic cavalcade of info-tech transgressions.

    For you FF fanboys: www.dailytech.com/Security+Study+Lists+Firefox+Most+Vulnerable+Browser+IE8+Among+the+Safest/article16796.htm

    1. R 11

      Opera came 1st in Cenzic report

      Opera came tops in that 'security analysis' and even they dismissed it as tosh:

      http://my.opera.com/haavard/blog/2009/11/10/cenzic-security

      There's no published methodology. Everything points to them simply counting the number of 'vulnerabilities' that have been fixed. So Firefox, being open source and publishing everything comes out tops, while I.E. which only has to count the vulnerabilities found by others which Microsoft are then forced to (eventually) patch.

      You can assess your security risks off of that report if you wish. I'm just glad you don't work for me.

    2. Anonymous Coward
      FAIL

      Er

      How is FireFox, or any browser for that matter, vulnerable to SQL Injection? Last time I checked no web browser had a SQL engine in the back end?

      Sounds to me like a stinkin' load of something to me.

    3. Notas Badoff
      Megaphone

      ... than to speak and remove all doubt.

      "Google running IE6!? Wow. HAHA! They're not even using their grrigin browser??!!!"

      Now we know how well you read and acquaint yourself with a problem. It was not Google that was using IE6, it was users, plain ole people like yourself. Well, no, probably better readers than you, to be either hired (the poor corporate slobs), or to be concerned with their fellow human beings (the human rights people).

      Read the above quote from you. If someone else wrote that, wouldn't you be able to immediately tell they were immensely confused?

  22. adam payne
    Stop

    Sounds like an easy way to make money

    Well upgrading to Windows 7 sounds like an easy way for them to make money.

    What happens when they find a hole in Windows 7? we can't upgrade from that.

    1. herry

      Any company

      is here to make money.

      If whatever company you're working on right now is not making money then you're not gonna get paychecks.

      It's as simple as that.

  23. gollux
    Grenade

    I'm saving as hard as I can...

    for a new system that will run Windows 7, but between pay cuts, time cuts, putting food on the table, keeping Goodwill clothes on my back, the rent paid and all, it will be 2012 before I can swing it.

    The end of the world's coming then anyway, isn't it? <GRIN>

    Thank goodness the car's paid off and should limp on reasonably well for another four years.

    And my company's in the same straits, rollout will be somewhere along end of 2011 as we're mostly worried about basic survival at the moment.

  24. N2

    Sorry

    Your scaremongering doesn't work Mr Ballmer

    & I'm not changing my Windows 2000 thank you

  25. gollux
    Alert

    Why they're recommending this...

    "While Windows XP does not offer ASLR protection, DEP/NX alone does make exploitation somewhat more challenging."

    http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx

    So, enabling DEP for IE6 and IE7 is easy, YMMV for Windows XP.

    "Somewhat more challenging" probably means "We'll have that running in 1-2 weeks" given the track record.

  26. Pirate Dave Silver badge

    IE 6 on XP is vulnerable?

    So I guess those of us lucky enough to still be using IE 6 on Win2k are safe then...

  27. Jason Bloomberg Silver badge
    Pirate

    Cost

    If it didn't cost so much maybe more people would upgrade. As it is I suspect most people don't upgrade until they get Windows 'free' and pre-installed on a new PC. If Firefox / Chrome + XP solves the problem, that's the easy option to take. I didn't buy Vista and I'm not buying its service pack, Windows 7.

    I'm quite sure there are a number of XP bootlegs out there using dodgy license keys where people don't go near Windows Update and risk playing the WGA game, so won't be updating anything any time soon. While such people invite problems onto themselves they cause issues for everyone when they become bot-nets and so on. Microsoft cannot simply wash its hands of complicity in bringing that about.

  28. Kevin 6

    Make me glad

    Glad I use Windows 2000 with IE5 ;) (I've yet to actually launch IE so no need to upgrade)

    Most current viruses won't work on it even if you manually try to install them due to needing libraries that don't exist in 2k :D And most of the old Win 2k viruses won't work on the new OSes so my machines can sit pretty without much worry.

    BTW I've actually tried infecting another win 2000 comp a few times with current viruses just to get a DLL not present error ;)

  29. odiegh
    Stop

    that's why it's called an upgrade

    Companies who still use IE 6 (as mine does) are asking for their own problems! You don't use Office 95 do you? Windows 95? No, because newer versions are the product of all the tech support issues and those system crash auto generated messages to Microsoft. So being 2 versions behind you ask for an ass kicking. Then to blame MS for not updating something 2 versions behind that a company doesn't want to update? No one says this to the Mac nuts; get a grip and update like you're supposed to! It's free for whatever god you pray to's sake.

    It's just like many viruses often hitting corporate users microsoft normally already has the fix available but some jerk off won't implement it or has his IT staff with so few people there is no time to test new roll outs for all the custom applications. do the updates when they say for a reason! Google getting hit for using ie 6... SIXXXX are you freaking kidding me?

    1. Robert E A Harvey
      Gates Horns

      I wouldn't mind

      >office 95

      $MEGACORP upgraded us all from Office 97 to Office2003 two years ago, and I'm still finding things that used to work and don't any more. There are no plans to upgrade further.

    2. Charlie Clark Silver badge
      Terminator

      It's a question of product liability

      All manufacturers are liable for damages sustained by customers using their products. Which is where you get recalls due to defective batteries, tyres, cables, etc. Software manufacturers have so far managed to avoid the substantial related costs by providing product updates which remove the defect.

      In the case of Microsoft this disregard for customer care has been allied with the embrace and extend strategy which wedded the browser to the OS (are you listening Google?) from Windows 2000. The prevalence of IE 6 is due in no small measure to Microsoft's refusal to release IE 7 and IE 8 for Windows 2000. As they are currently unable to say when they will be able to fix the current defect they may finally be held accountable for any damage that may result from exploits. Government agencies (and it should be noted that in Germany at least it is not the ministry but the office for security that has made the recommendation) are covering their own arses by advising citizens of the possible dangers.

      Someday Microsoft may thank the European Commission for encouraging them to split the browser from the OS and, thus, preventing them from achieving their prize of a locked-in monoculture.

    3. Jason Bloomberg Silver badge
      Flame

      Re : odiegh, "that's why it's called an upgrade"

      "It's just like many viruses often hitting corporate users microsoft normally already has the fix available but some jerk off won't implement it or has his IT staff with so few people there is no time to test new roll outs for all the custom applications. do the updates when they say for a reason!"

      I think you are confusing "bug fix" and "upgrade".

      Most people will welcome bug fixes providing they don't bork something else, but an upgrade is so much more than that which people may not want and may introduce compatibility issues with other things.

      "Keep the bug" or "upgrade to something different" is often Hobson's choice. What most people want is stability, consistency and familiarity. Sure Windows 7 may fix a bug which exists in XP, IE8 fix a bug in IE6, but how much additional effort will that bring to get things working as they were before, and it may introduce bugs which weren't there before. MS implicitly admits there may be problems with an upgrade to Windows 7 or they'd have not wasted any time on XP Mode. Do most home users have the 'rescue option' of XP Mode ? No, I think not. Why does IE8 have to support IE6/IE7 compatibility modes ? Because it's not a bug-fixed IE6/IE7, it's different.

      Familiarity is why non-techies-but-can-use-a-PC people don't usually move between OS's. It's just too scary, too daunting, better the devil you know. The same drives people to keep old, bug-laden applications rather than upgrade those. Especially with the trend of dumbing down apps where an upgrade means less flexibility or loss of functionality, or a rush to add eye-candy and bloat.

      Finally, upgrade from XP to Windows 7 - Are Microsoft going to be paying for the hardware upgrades which may be required for that? Don't make me laugh.

    4. Anonymous Coward
      FAIL

      You say still running Win 95 but.....

      Not a year ago I was temping at a company that was still using Win 98.

      Needless to say I didn't stay long.

  30. Neal 5

    @Indian-Art

    "Lets avoid this by using the safe and secure UBUNTU"

    Hmmm, somehow, as bad as Windows is, and as bad as IE is, given the list below, I might just consider switching to an unpatched XP running IE6 out of box, with no firewall and no anti-virus, it's more attractive than this.

    http://lwn.net/Alerts/Ubuntu/

    Recent Ubuntu security alerts

    (1013 alerts total)

    ID Package Date

    USN-887-1 libthai 2010-01-18

    USN-886-1 pidgin 2010-01-18

    USN-884-1 openssl 2010-01-14

    USN-885-1 transmission 2010-01-14

    USN-882-1 php5 2010-01-13

    USN-883-1 network-manager-applet 2010-01-13

    USN-881-1 krb5 2010-01-12

    USN-878-1 firefox-3.5 2010-01-08

    USN-877-1 firefox-3.0 2010-01-08

    USN-880-1 gimp 2010-01-07

    USN-879-1 krb5 2010-01-06

    USN-876-1 postgresql-8.1, postgresql-8.3, postgresql-8.4 2010-01-04

    USN-875-1 redhat-cluster, redhat-cluster-suite 2009-12-18

    USN-873-1 firefox-3.0, xulrunner-1.9 2009-12-18

    USN-874-1 firefox-3.5, xulrunner-1.9.1 2009-12-18

    USN-870-1 pygresql 2009-12-11

    USN-871-1

    it's endless.

    1. Keith Oldham
      Linux

      Re : @Indian-Art

      At least I can sleep at night knowing that my OpenSUSE systems are automatically updating the fixes to the inevitable bugs (that ALL software has) as soon as they are available, which is usually pretty quickly.

    2. BenDwire Silver badge
      Flame

      @ Neal 5

      Mate, stick to Windows as you obviously don't understand computers. Keep paying your hard earned cash for the latest shiny bling and you'll be fine. Trust me. I sell just what you need.

      And freetards, don't forget to put a bid on fleabay for his old stuff - "hardly used, only one user, only selling due to an upgrade". Where would we be without the sheeple?

      1. Anonymous Coward
        Anonymous Coward

        surely

        using the term "freetard" is an insult to linux users?

        just askin.......

    3. Anonymous Coward
      Anonymous Coward

      known issues

      Yes, at 1013 alerts it does seem impressive.

      However, from your list PHP5, PostgreSQL, RedHat-cluster and Firefox are applications, not part of Linux but of the Ubuntu distribution. It is very easy to get more up to date versions from the various project websites.

      If you produced a list of Windows desktop, server, SQL, MS Clustering, IE, Outlook, Office etc; the list would be much longer and that is just the known issues. Unlike Microsoft these will be fixed and not hang around for years.

    4. gollux
      Alert

      And simple to take care of...

      Click the icon in the bar, enter your password when prompted and only worry about reboots if there's a kernel update.

      Slightly less unobtrusive than Windows Update on the XP machines on my network, which usually require a reboot whenever I manually tell them to update, but that ceased being a problem with the newer WSUS client that now installs patches on shutdown.

      And the list you pulled up for an example? That would be like running Exchange, Windows XP, Server 2003, Vista, Office, SharePoint, MSSQL, IIS, etc with the updaters for 3rd party Adobe, Firefox, etc thrown in. If you actually compared the same spread on Microsoft systems, you come pretty close. I know, I run our company's network with Mac, Microsoft, and a couple Linux systems and have to keep up on this stuff.

      Try finding out what constitutes a Mac OS-X update listing, it's probably more comparable.

      And, yes, the patches for all OS's are endless, not just your example. And every time you turn around, you've got a Flash bomb or an Adobe Reader shoal just waiting to take you out.

      All you have to do to sabotage your operation is to not do your job. Amazing what a quicksand foundation we've built our modern business upon...

    5. Anonymous Coward
      Grenade

      Hard luck, fanperson

      OpenSSL != Ubuntu

      Pidgin != Ubuntu

      PHP5 != Ubuntu

      Firefox != Ubuntu

      GIMP != Ubuntu

      etc

      etc

      it's, as you say, endless - it's also NOT UBUNTU!

      But never mind, cut 'n' paste is the obvious limit of your intellect anyroads.

    6. John G Imrie

      it's endless

      That's because it lists bugs in *everything* in the distro.

      Try concatenating the bug lists for Windows, Office, IE, SQLserver, Outlook, Outlook Express, IIS, mIRC, ....

      Oh look it's endless.

    7. Greg J Preece

      A flaw in your logic, Neal

      I am willing to bet that all those alerts were found through peer review rather than hostile 0-day attacks, and that they were patched almost immediately. Therein lies the difference. Microsoft are constantly having their software kicked around, and when it is they are sluggish at best to fix the problems. Linux systems are patched so fast that no-one has a chance to exploit the code.

    8. Big-nosed Pengie
      FAIL

      Title

      Pig ignorance or paid FUD? You decide.

    9. heyrick Silver badge
      Stop

      @ Neal-5

      I see ("network-manager-applet" etc) that we are counting the active buglist of the entirety of Ubuntu and supplied applications, and not just a web browser.

      Wanna take a wild guess as to the current buglist of Windows and the standard usually-supplied applications?

      Allow me to quote: "First, he says that over 2,000 bugs will be fixed in the release version of Win 7 because of feedback from the over 10 million downloaders of the beta OS, which ended on February 10th. Sinofsky says that at peak times in January, Microsoft was receiving one feedback report every fifteen seconds for a week straight, and has, to date, gotten over 500,000 of them."

      [source http://www.engadget.com/2009/02/26/windows-7-to-get-2-000-bug-fixes-pointed-out-by-testers/]

      So... 10 MILLION beta downloads, HALF A MILLION reported bugs. "Over two thousand" fixed.

      If we say every other report is a dupe of the one before, that gives us 250,000 bugs. Divide by 2 again just to be really charitable. 125,000 bugs.

      And +/- 2000 fixed.

      Suddenly Ubuntu seems like a better proposition, no?

      And with its active buglist in the open, we all at least know the state of play. Maybe, now, Microsoft is regression testing Win7SP1 and after deployment there will only be 42 unfixed bugs. Or maybe the list now stands at over a million. Who can say?

    10. Anonymous Coward
      FAIL

      Server and Client and third party apps.

      Come on - that is a list of bugs across the whole Ubuntu repository. It includes client components (firefox, pidgin) and server components (PHP, postgresql, redhat-cluster). Many of these are not even core operating system components but third party applications.

      Can I suggest you do the same for Windows? Take the client side and the server side and then go and add in a lot of additional software provided by third parties.

  31. DEAD4EVER
    Unhappy

    windows7 from xp

    Microsoft yet again shows it can't get anything right: constant bugs and flaws all over, either in the operating system or the browser. Jeese, how am I supposed to upgrade my mother's laptop that's so old, about 4 to 6 years old? It's an old Toshiba M40X. It had 512MB RAM, I think I upgraded it to 1.5GB, so half a gig in. I even tried to upgrade it to Windows 7, I had a Windows 7 CD, and before I knew it all of Windows 7's features were disabled, all the eye candy and stuff, and it wasn't running well at all. So this clearly shows that 7 isn't for all laptops, even really old ones that were only meant for XP. So tell me Microsoft, what do I do about this laptop?

  32. Matthew Anderson
    FAIL

    sigh

    Sounds like good enough advice to me. What do you want them to say? "Don't bother upgrading to a more secure model, life sucks and we gave up caring a long time ago wtf you do"

    Another non-article from El Reg *cheer*

  33. Anonymous Coward
    WTF?

    Old version not as good

    Shocker. I assume in the Linux world (that so many angry angry people are shouting from the rooftops about) that perfection was achieved in the first version?

    What's that you say? Ubuntu's up to 9.10? But shurely shome mishtake?

    Please everyone just bear in mind that with ANY Operating System design you're balancing security against usability. It's a very long scale. It's why you won't find solitaire on a system looking after the control rods at Torness.

    Where's the STFU icon? Oh well, close enough

    1. Anonymous Coward
      FAIL

      Blithering idiot...

      The numbers indicate the year and month that the particular version was released in. For example 9.10 was released in October (10) 2009 (9!). The next release will be 10.04; April (04) 2010 (10!). If you look at the release schedule, you'll notice it's done every 6 months and 10.04 will be a LTS or Long Term Support version. Do try and think outside of your Microsoft comfort zone. You should've Bing'd Ubuntu versioning before telling others to STFU. What's that famous quote about looking like a fool? Ah yes; "Better to keep your mouth closed and be thought a fool than to open it and remove all doubt..."

    2. Anonymous Coward
      Stop

      Wrong

      Security and usability aren't opposite ends of a sliding scale. Sure, there are security measures that inhibit users, but it's wrong to believe it to be true in general.

  34. Lewis Mettler 1
    Stop

    should have saved that $35 and not bought IE

    Should have saved that $35 and not bought IE at all.

    Oh, you were denied that option. Never mind.

    And your opinion no longer counts either. Not to Microsoft. That is for sure.

  35. mark l 2 Silver badge
    Gates Horns

    stuck with IE6

    As others have previously mentioned some large companies are stuck with running IE6 as they have expensive software that ONLY runs on IE6. The local gov dept where I used to work spent £140K about 4 years ago on a custom written helpdesk software app that requires IE6 and doesn't work correctly in later versions of IE or alternative browsers, and with all the cut backs now on spending they cannot afford to have the software re-written.

    As for MS's suggestion to upgrade to Windows 7, the solution is for MS to fix their piece of sh!t software, not tell people that they have to spend money conveniently with MS to fix a problem with a MS product.

  36. David Harrington 1
    FAIL

    Must be a slow news day

    What exactly is this article telling us that we don't already know? IE6 is full of holes - well I never knew that...

    El Reg seems to be spinning it, not MS - XP users can also upgrade their browser, so how are they spinning it as a Win7 upgrade opportunity?

  37. LawLessLessLaw
    Boffin

    I'm a Plan9 user

    It's like driving an Ariel Atom or Caterham.

  38. Anonymous Coward
    Anonymous Coward

    How many councils can't afford to REPLACE W2k machines!

    Having just visited another council customer this morning who STILL has a vast base of W2k powered machines because they can't afford to replace them with something that would RUN XP! I think it is about time Microsoft was FORCED to fix IE6 or better still just provide a version of IE8 that will install on them.

    The alternative that we are strongly supporting is to simply disable IE6 and switch these sites to Firefox!

  39. Anonymous Coward
    FAIL

    intranets / extranets / cost of upgrade = ie6 persistence

    probably been mentioned in the inevitable slew of posts...

    The biggest issue here is a hole microsoft dug corporates into a decade ago.

    Non-standards compliant browser, using proprietary scripting, adopted by millions of microsoft sysadmins "because it's easy", installed on millions of company desktops "because it's a standard", embedded deeply into the OS "because we want to win the browser war".

    The cost of this is going to be felt by businesses, governments and institutions, as they struggle to upgrade vast networks of ie6 based code and ie6 based desktops.

    The horrible thing is, you could see it all starting 10 years back and you just knew then it was wrong and would come back to bite.

    My only hope is that this deals another blow to Ballmer and Co. (hateful 800lb gorilla that he is) and that someone at m$ finally wakes up and smells the coffee - your days are numbered unless you start following standards.

  40. Anonymous Coward
    FAIL

    @Neal 5 - erm, made yourself look a tad bit silly there mate...

    @Neal 5 - do your research before knee-jerking matey...

    Try actually FOLLOWING those security alert links, only to find that EVERY one of them already has an upgrade available.

    How silly of you ;)

  41. Big-nosed Pengie
    Linux

    "Much loved"?

    I call bullshit. It's not "much loved" - it's two things: idiot corporates who've drunk the M$ Kool Aid and designed their apps to run exclusively on Ayeeee 6 and now can't afford to redesign them properly, and consumers who fell for the "a computer is like a fridge - you turn it on and it goes" bullshit, who wouldn't know what Windows was and whose computers are prime botnet nodes.

  42. Neal 5

    @BenDwire

    LOL. At least your sense of humour is shining through, still the small things in life, eh.

    I shall stick to Windows mate, there's a good living to be made from cleaning them.

    "Bling" ?. Sorry wrong ethnicity.

    Trust, you sell just what I need, good, that's if you haven't used all your product first , in a hedonistic orgy of self fisting.

    "fleabay", hmmmmm, would explain where your knowledge of computers comes from, fleabay is an upgrade for you, both in quality and style.

    Where would we be without sheeple? A very good question, one I doubt that you'd lose much sleep over though, it might involve some neural activity.

  43. Ammaross Danan
    FAIL

    @ Neal 5

    About the following (at the very least):

    USN-887-1 libthai 2010-01-18

    USN-878-1 firefox-3.5 2010-01-08

    USN-877-1 firefox-3.0 2010-01-08

    USN-875-1 redhat-cluster, redhat-cluster-suite 2009-12-18

    USN-886-1 pidgin 2010-01-18

    USN-870-1 pygresql 2009-12-11

    I don't know about you, but I don't have a Linux box set up in a redhat-cluster environment, nor use pidgin as an email client, nor have python PostgreSQL extensions (nor PostgreSQL for that matter) installed. I don't speak Thai, so libthai is out (since I don't install language extensions either). You can chuck Firefox 3.0/3.5 out the window since that is platform independent anyway (and who doesn't run the most bleeding edge ALPHA version anyway? [sic to Win7Beta-still! runners])

    Your 1000-long list of alerts is for any and ALL packages (and versions of such) that Ubuntu "supports" in their distro.

    "I might just consider switching to an unpatched XP running IE6 out of box, with no firewall and no anti-virus"

    And last I checked, this setup is infected in less than 6 seconds...PASSIVELY (as long as you're not behind a router, which apparently isn't even safe anymore either).

  44. Chris iverson
    WTF?

    NEWSFLASH!!!

    Experts and lay people alike discover that software needs updates. Hell I took my car in to the shop and it needed a software update.

    In other news:

    Water is wet

    Birds can fly

    Pigs smell like sh*t

  45. Anonymous Coward
    FAIL

    Other vendors...

    It doesn't help that other vendors are releasing badly coded products that depend on IE6 to work correctly. For example, one company I worked with requires users to stick to IE6 because some of their webapps glitch up badly with IE7 or newer. When the main IT guys contacted the vendor of the webapp, they were told that the vendor has no plans to support IE7 or newer.

    Fail. Any company who requires that their system work on an archaic version of IE are these.

  46. Sugarmice on a skateboard
    Stop

    Number of security patches is not a good measure

    To all of you who keep claiming that the number of published security vulnerabilities for Linux shows that it's less secure than Windows: STOP! That argument is futile and severely flawed, for a number of reasons:

    1) The Ubuntu patch list covers both the core OS and all of its packaged applications. The equivalent of Windows plus every third party application that happens to have an MSI installer, whether written by Microsoft or not. The same's true for the other Linux distributions. That will make the Linux count higher - it's a larger body of software.

    2) The Linux patches tend to be for individual components, each of which fixes a single vulnerability, whereas Microsoft (and Apple) patches tend to be less frequent and fix multiple things in a single patch. So, number of patches != number of vulnerabilities. This is quite sensible from MS and Apple's points of view because it makes their support matrix simpler.

    3) All of those Linux applications (and quite a lot of Apple's stuff, at least the Darwin side) are open source. This means that there is a larger body of people scrutinising their code than Microsoft's. This is bound to result in people discovering what vulnerabilities there are more quickly and in a steadier stream in the open source software, again leading to a larger number of less serious security alerts. This is actually a *good* thing; it means the undiscovered bugs get discovered sooner.

    There's only one way any of us could meaningfully say whether IE/Windows or Firefox/Linux (let's stick to equivalents here) is more or less secure than the other, and that's by being able to inspect the complete source code for each. Since MS are never going to allow that, no-one who doesn't work for MS and have the code access can *ever* categorically state that IE is more secure, because they have no sensible way to measure it. So don't try.

    Oh, and for everyone who seems to think we can all upgrade from IE6 at the drop of a hat, yes, as individuals maybe. But corporates? No chance. My employer creates web resources that are used by the NHS. The NHS still use IE6, and plan to for at least a year. Presumably this is because of the huge amount of testing they need to do to make sure that patients are not affected by *any* change. Even then, they're only going to IE7, not IE8. As a result, we need to support IE6 as a browser for our web developers to test with for at least a year ourselves. It's a nightmare, but we have to do it (for our own purposes we stay reasonably current).

    And lastly - the argument that we need to upgrade our Windows version in order to make IE secure - isn't this sort of tight integration of the browser with the OS precisely what got MS into so much trouble with the DoJ and the EU? Sounds like they haven't changed anything.

  47. Anonymous Coward
    WTF?

    Banksters

    Who else thinks that this could end up costing more than the last Bank Heist?

    We'll all pay, as large corporations put up prices to cover it, people get put on the dole as companies struggle to afford it or go to the wall, and taxes will go up to cover the NHS and the rest of the Civil Service sorting it out!

    Meanwhile, the top Civil Servants who agreed to be locked in by MicroShaft and encouraged such stupidity are looking forward to their gold-plated and index-linked pensions and a seat on a board or two.

  48. Tom 7

    Oh Dear - Upgrade path blocked

    It now seems that upgrading to 7 or 8 won't stop this 'bug' so no point in complaining about people not upgrading anymore!!
