Exploit code for potent IE zero-day bug goes wild

Exploit code targeting the Internet Explorer vulnerability used against Google and other companies has gone public, increasing the chances that broader attacks will soon follow. Both the open-source Metasploit framework and the commercial Immunity Canvas software for penetration testers have working exploits that fully …


  1. gollux


    What's the problem?

  2. Paul Crawford Silver badge

    IE, again

    This just reminds me why I took the trouble to move friends & family off Windows/IE to avoid yet another infestation. Regularly.

    Tux - not perfect, but a whole lot better.

  3. Anonymous Coward


    Because of wide availability and M$ rushing to fix it as it's now public, there's a higher chance that they'll fix it incompletely or introduce some other bugs.

  4. JaitcH

    Internet Explorer?

    Do people actually use this piece of junk software?

    1. Anonymous Coward

      Apparently, yes

      Lots of people who have no idea what they're doing, to the point of not noticing when Firefox gets swapped out for Internet Exploder by some installer or nagware, and I'm told large corporate environments with Internet Exploder-only intranets. Neither of whom will be exhorted by pieces like this to finally update; the former won't update because they haven't a clue and may not even be able to thanks to "Windows Genuine Advantage", and the latter because that's a policy decision, and the pointy hairs that must approve it (can't really say "are responsible", can I?) only see a cost centre there and they were told to save on costs from on high.

    2. Ross Nixon

      Do people still use Internet Exploder?

      Not if they are tech savvy. Firefox or Opera are better and safer browsers.

      1. Anthony Shortland

        oh really...

        Firefox safer, huh? More geeky maybe, but safer, no.

    3. Anonymous Coward

      IE8 is not junk

      and has some nice features such as InPrivate. Moreover it is far quicker than FF3.0 or 3.5 in my experience.

      I mainly use FF3.0 principally because it behaves well on my system compared to 3.5 plus there are several critical add-ons that I can manage without. I also use Opera 10 for some online banking sites that play well with it.

      Chrome I will not touch. Well, I did actually try it once and it was slooow. But basically I do not trust Google at all. Probably an NSA/CIA job, more so than M$.

      Then from time to time I boot up Ubuntu and occasionally play with other flavours of Linux, using browsers like Konqueror and of course FF, but the font rendering does my eyes in on Linux, just nowhere near as smooth as Windows.

      As for IE8, I use that for intranets, work related sites that I trust, but also, surprisingly, for the banking sites that do not work with preference to using Firefox because I ultimately do not trust add-ons enough to let loose on my financials. IE8 with a sandbox (Sandboxie or the new one within Kaspersky 2010) is definitely quicker, smoother and no less secure than the others. Junk? Definitely not.

      1. Anonymous Coward

        Firefox add-ons

        "As for IE8, I use that for intranets, work related sites that I trust, but also, surprisingly, for the banking sites that do not work with preference to using Firefox because I ultimately do not trust add-ons enough to let loose on my financials."

        You could define another profile in Firefox, with extensions disabled, if you like.

        Just a thought.

      2. N2

        IE 8 not junk

        Correct, junk is far too polite a term. IE is utter garbage.

        Why should you have to prop up a web browser that's so terminally insecure with products like Sandboxie? Which is, to be honest, one of the few ways I would trust using IE, and only to go to sites that I was sure were safe.

        But to be fair, most web browsers need a re-think / re-write in the way they work to prevent exploits; it's just that IE is the one that's by far the biggest security risk.

    4. Sadie

      I do

      I use IE6 on Win2K at work, but not through choice. I don't think our office PCs can run anything better (2001 Dells with 128MB of RAM); they struggle enough with simple tasks such as loading a new window (which the system spawns on a regular basis).

      1. Roby

        same here

        My place of work also makes us use IE6 and doesn't allow us to install any software. I forget the reasoning, but there is a specific complaint about IE7 and 8 that means they refuse to upgrade the systems to it (since even 7 or 8 would be better than 6).

        Thankfully I can use Firefox Portable, but unfortunately since the company officially uses IE6, any web development I do has to be compatible with it - that increases development time exponentially.

        It was the same at my previous place of work too. Most slightly tech-savvy people I know use Firefox. I've even got my mum using it. I do occasionally see friends using IE because they don't know there are alternatives, but the real reason why IE6 remains such a lingering curse is the corporate usage.

    5. Anonymous Coward

      Yes, yes they do....

      Think corporate.

      You can't install anything on your own. Every bit of software has to be green-lit by empty suits in IT management. Too many internal sites built too long ago for IE 6, and companies aren't willing to update for fear it might cost money.

      Beer, because I need one.

      1. N2

        Think corporate?

        Think the 'empty suits' in IT are long past their sell-by date.

        1. Anthony Shortland

          think why?

          IE has less bugs whether you like to admit it or not. Why would corporates waste money rolling out a different browser when it gives no corporate benefit at all?

          1. Anonymous Coward

            Not as black and white as that.

            "IE has less bugs whether you like to admit it or not." - I can't recall anyone suggesting otherwise. This hasn't got anything to do with the amount of bugs at all. It is a pointless and meaningless metric. The problems with IE are many though. The bugs that it does contain have the potential to cause lots of damage to its host OS, and as (unfortunately) the majority still use a variation of it, malicious individuals will target its weaknesses and shortcomings. Like it or not, Microsoft have a duty of care to make sure that their products, paid for or free, should be as secure as possible. This isn't a slight on Microsoft as Mozilla, Google, Apple and all the rest have the same burden of responsibility, with the latter often being *as* bad.

            "Why would corporates waste money rolling out a different browser..." They wouldn't necessarily. This is an overused and ill-conceived argument. The cost of redesigning and redeploying an intranet could be high and that'll teach the companies affected the cost of using non-standard proprietary solutions. The cost savings made by opting for a more secure browser could be huge! Don't forget either that enterprise is only half of Microsoft's market. Any kind of shift in the consumer market has the potential to do more damage, and is far more likely. The German government for instance is suggesting that it's better to use an alternative to IE for security reasons. The damage to the Internet Explorer brand, like the Windows Mobile one, could be huge.

    6. Anonymous Coward

      Not at home, but my...

      employer still uses IE6 as its default web browser.

      Frightening, isn't it?

      1. Big-nosed Pengie

        Mine too


    7. Old Marcus

      Re: IE?

      Unfortunately, yes... and it can't be ignored, much to my dismay.

    8. Anonymous Coward


      Certainly more than use Firefox.

    9. Dale Richards


      When Firefox, Opera et al can be installed, configured and locked down via Group Policy, they may have half a chance at reducing Internet Explorer's dominance in corporate networks.

      Until then, most companies will take their chances with IE, ours included. Say what you will about alternatives being safer, faster or more user friendly; sysadmins working on a Windows domain would have to be crazy to use anything other than IE.

  5. Tom 7

    It was once a stimulating, respectable job

    doing MS computer support. Now it feels like clearing up after an incontinent elephant, but nothing, absolutely nothing grows in the mess.

  6. Thought About IT


    @JaitcH: "Do people actually use this piece of junk software?"

    Of course, Mozilla never need to issue security patches for Firefox.

    1. Anonymous Coward

      Not really

      Like the Germans said, the setting that makes IE 'sort of' secure also makes it all but unusable. FF meanwhile is at least 'sort of' secure while remaining eminently usable. In a less-than-perfect world, this seems a reasonable comparison between a 'junk' product and a quality one, all else being equal (which, of course, it is not).

  7. SuperTim


    Do google not run chrome then?

    1. Old Marcus

      Re: Chrome?

      I believe the accounts of human rights activists were hacked, and no human rights activist is tech savvy.

  8. Anonymous Coward


    Just had a bogus emergency plea for cash from a family member via their Gmail account. Apparently everyone in their address book got one, including the plumber. Just a coincidence that Gmail has been widely hacked in China (possibly by this exploit)?

    1. Big-nosed Pengie


      What do they expect?

  9. Neal 5

    makes me think

    that these leading tech firms aren't too savvy when it comes to their own security, as if we didn't already know.

    Glad to see the solutions are already mentioned, surprised (or maybe not) that these leading tech firms weren't already in possession of that knowledge; it's not as if DEP hasn't been mentioned before in previous attacks of different kinds. Or is it IT policy that once a patch has been released you can turn DEP off? No, I don't think so; once turned on, DEP can only be allowed to filter for various applications that you have to manually define.

    So the problem is only being further enhanced by poor security in these firms to begin with, something which we're all aware of now too.

    On another level, why are these companies still using a browser getting on for 10 years old? Have they not heard of progress, yet they still try to foist their "new" version of their product onto me every 6 months. Whilst you are right to highlight the part played by IE6, maybe the focus should now switch to the security in place in these firms?

    1. James Butler

      Seriously. Think?

      Sorry, but saying you "think" implies actual "thought". Or maybe "thinking" for you is synonymous with "regurgitating".

      Try "reading" THEN "thinking".

      The recent hacks were perpetrated by launching phishing expeditions against normal users in their own homes who were duped by the ruse into opening malicious links that used this MSIE ZERO-DAY EXPLOIT (and possibly others) to compromise those USERS' WINDOWS systems and gain access to their Gmail (and other account) credentials to be used as points of entry into the Google (and other companies) network.

      This was not a Google hack, or for that matter a hack on any of the other companies involved. This was a MSIE exploit, and as such was not something that Google or any of the other companies could defend against.


  10. Ken Hagan Gold badge

    "Highly sophisticated"

    Is it really? The source for Windows (and IE) is hardly *that* difficult to get hold of. (The Chinese were *given* it by Microsoft a few years ago.) Given the source, you could run LINT or similar tools over it and zero in on uninitialised pointer problems with no more effort than it takes to wade through the tool output. (Given the quality of the MS code I've seen, there could be quite a lot of that, but the task is fairly parallelisable, and China has lots of smart people.) Some individuals who enjoy the backing of the Chinese military probably know the codebase better than Microsoft's own developers, particularly the codebase of IE6 which remains a major target for attack but which has probably fallen off Microsoft's radar.

    The plain truth is that IE is just as "open source" as Firefox, at least to those who matter.

  11. Anonymous Coward


    Time for an upgrade to LINUX, methinks....

    bugger, who's nicked all my ID and contents of all my offshore bank accounts...

  12. The Original Steve

    Worth remembering...

    That this only impacts users of Microsoft's 2001 OS platform.

    Out of the box, Windows Vista and Windows 7 prevent this hole from being exploited through Microsoft's Trustworthy Computing initiative.

    Anyone using IE6 on Windows XP in 2010 deserves for their 8 year old system to be pwned.

  13. Peter 39

    Do they use it? Some are forced to

    You can go back, and not very far back, through articles here to find the one about workers being disciplined for doing unauthorized upgrades of IE on their PCs from IE 6 to IE 7. IE 6 was the "blessed" one and no-one was to change that or, more particularly, challenge management.

    As a (very smart) manager of mine once said, "Sometimes you just need bodies hangin' from trees".

    1. Ken Hagan Gold badge

      Re: Some are forced to

      "As a (very smart) manager of mine once said, "Sometimes you just need bodies hangin' from trees"."

      Well you've got 34 bodies swinging now, but I don't suppose it will help if the very smart managers refuse to open their eyes.

      As the article points out, IE8 is considerably more resistant to this attack than its predecessors and that corporate intranet probably does work with it, but if you never bother to try it out then you'll never know. As I noted earlier, IE6 is basically an open source Trojan as far as the black hats are concerned, so just how smart a manager do you have to be to insist on keeping it?

  14. Anonymous Coward


    Unfortunately plenty of companies use this junk software, and now we're seeing just how useful M$ is for international espionage.

  15. Anonymous Coward

    Stupid, Lazy IT depts

    2003 - "Let's save some money. Let's build our enterprise, business critical application to run in IE 6. Isn't that neato? It is so much faster and cheaper than building a "real" application."

    2006 - No, we can't upgrade to IE7, it will break all our stuff.

    2009 - No, we can't upgrade to IE8, it will break all our stuff.

    2010 - No, we can't use our stuff anymore, IE 6 compromised our entire system and broke everything!

    1. gollux

      RE: Stupid, Lazy IT depts

      Installing IE 8 was a snap; Auto Updates and a WSUS server took care of that. So, given the update mechanisms in an Active Directory network, tell us how to keep Firefox updated so we don't have to run around logging in with administrative accounts to do this.

      1. Martin Edwards


        I'm glad you've said this. Maybe if someone answers they can also tell me how to prevent users from changing preferences in Firefox. Because I've a feeling there isn't a nice Group Policy setting for that...

      2. Anonymous Coward

        deployment method

        @gollux - easy. Deploy it as a virtual application, e.g. sequence it in App-V.

        1. gollux

          RE: deployment method

          Sounds like a way of adding more overhead, not just simply installing the update. And yet another server and yearly fee to Microsoft. I'll pass.

          1. James Butler

            So ...

            Use a Linux box for your browser's VM. There. Fixed it for ya.

  16. Prefect

    Video of the Aurora Exploit in Action

    Here is a video demonstrating the use of the Aurora exploit with IE 6.0:

  17. Steve 72


    if you use Windows, use one of these...

    Opera, Firefox, SeaMonkey, K-Meleon, Chrome, Safari...

  18. Beelzeebub

    Oohm, aah!

    Time to abandon this internet connected thingy. At least until the security model has been sorted anyway.


    1. Big-nosed Pengie


      But no cigar. It's time to abandon this shite called Windows.

  19. Robinson

    Pointing out the obvious.

    Guys/gals, can I point out the obvious? Exploits are found in IE because IE is the most popular browser out there. Do you seriously think FF, Chrome or Opera don't have similar and possibly worse security holes in them? Look at the percentages:

    Firefox use is increasing, but it's still better to try and exploit IE than anything else, especially as it's more common in corporate environments.

    1. Anonymous Coward

      exploits in closed source

      Interesting that all these MS bugs can be found in such closed proprietary code.

      The code for Firefox is open and available for ANYONE to read... you'd think that in that case

      any random bug would be found pretty quickly and used by the bad guys.

    2. gollux

      We're getting a little tired of that old canard...

      so let's move on. Does nothing to help clean up the mess caused by failed implementation.

      Quote: Guys/gals, can I point out the obvious? Exploits are found in IE because IE is the most popular browser out there.

  20. Adrian Midgley 1

    NHS requires IE6 still

    The NHS Choose & Book system for queuing patients up to new referrals to hospital clinics requires IE6.

    It is written to use some ActiveX thing, so the existing central stuff won't work with anything but IE, but I am pretty certain that somewhere in the closed source of it there is a line saying

    If BrowserID != "IE6"

    blow raspberry


    It would be odd if it was only general practice that had this stuff imposed on it, I assume that appointment departments have the same interface.

    It wasn't my idea, and losing Crash & Burn would be no great loss for patients or professionals, but the NHS does seem to be hoist on a petard there.

  21. Mark Eaton-Park

    What I don't understand ..

    What I don't understand is why M$ is not having to pay the losses of the affected companies and individuals.

    M$ have been getting away with coding rubbish for years and now most people believe their BS that it is impossible for anyone to write code of any size that works.

    M$ clearly are unable to produce any stable finished products and have been selling products that are unfit for purpose, so why are they not up in court?

  22. abigsmurf

    @Mark Eaton-Park

    Because making software companies liable for bugs in software is unbelievably stupid, especially in software offered for free. Would you like Mozilla to be bankrupted the next time a Firefox bug is exploited?

    IE is attacked often because it's the most popular browser. It (IE8 at least) actually has much better protection against exploits than Firefox. If people actually had these enabled, this exploit wouldn't have been possible.

    Firefox has had bugs that have been left unpatched for long enough for an exploit to be potentially coded for it. However exploits are increasingly targeting plugins like Flash and PDF. I've caught incredibly hard to remove viruses browsing with Firefox (doing nothing other than visiting a page). They even managed to get past my virus scanner (which only detected it once it was too late).

    1. Mark Eaton-Park

      There is a big difference between M$ and Mozilla

      That being cost. M$ charged for a finished product and, like all the other M$ OS products in the past, it is full of holes. Mozilla don't charge, and if it doesn't work then you have lost nothing; if your data is damaged by malware that comes via a free product then it was a risk that you knowingly took.

      Take Vista/W7 as an example, or Windows NT/2000; they have the same story: MS take a load of fixes they should have released for free and sell them as a new product. The only stupid idea here is the one that makes people keep giving M$ money for a job they never finish.

    2. James Butler

      Calling BS

      MSIE is hacked most often because it is a direct line into the OS core, AND because it is far easier to hack than the rest of them. Both reasons make it a very tempting target.

      Firefox hacks, that would be great for ... umm ... crashing Firefox. I suppose I could invest my time in writing hacks for Firefox in an attempt to exploit a buffer overflow, but that's so 2008.

      If I really want to take over a system remotely, I need a vector into that system's core, and MSIE provides just such a vector. It literally IS the shell. (Yeah yeah ... explorer.exe/iexplore.exe whatever. If you start rambling on about how MSIE is NOT the shell, you're clueless. Try not to embarrass yourself.)

  23. Red Bren

    @ Mark Eaton-Park & abigsmurf

    Perhaps there is some middle ground? Make companies liable for bugs in their software, but limit that liability to the licence cost. Open source and free software suppliers would have nothing to worry about. Microsoft would still face a hit as you must have a Windows licence to use their browser.

  24. Neal 5


    Even though you may be (read: ARE) right, you'll win no friends speaking the truth on these pages. I'm afraid the Firefox and Linux brigade here are like religious zealots. In fact it's probably best not to say anything too much at all; like the warmth of heroin, these people believe that remote exploit code for Linux is but a myth, for the same feeling of all being well in the world that it gives them. Firefox being, of course, the shared needle they all use.

    1. Displacement Activity

      @Neal 5

      Stats for my own website (admittedly a techie site):

      Firefox 44%
      IE 42% (IE6 52%, IE7 20%, IE8 28%)

      Windows 91.0%
      Linux 5.6%
      Mac 3.0%

      Browser/OS combined:
      IE/Windows 42%
      FF/Windows 38%


      This isn't a very long way from stats for general websites. So why are there far fewer reports of FF vulnerabilities? It's obviously not the numbers. It may just be that FF *is* more secure. It may also be, of course, that anyone who's got anything worth stealing is running IE6, but that's a different argument.

      And to state the obvious: the bad guys have the IE6 source, but the good guys don't. It will obviously be exploited, and the rest of us won't find out till the attack has happened. Everyone has the FF source, so there's a good chance that vulnerabilities will be fixed before they're exploited.

      1. Lionel Baden

        better site would be


        as you get such a large collection of people on there from all walks of life

        I would like to know the browser stats for their site.

        Daytime/evening differences too, as people get home.

    2. Anonymous Coward

      "religious zealots..."

      Really? And you are not just a Windows zealot? What strikes me is that time and again, we'll see an article stating facts about a security flaw in a given product and at some point someone will cry bias and that everyone is giving said product a hard time because they are zealots/fanbois of a competitor. Irony or stupidity? Honestly this "Windoze is teh best! No! CrApple is teh better! No Linux FTW" has got to stop.

    3. Anonymous Coward


      "I'm afraid the Firefox and Linux brigade here, are like religious zealots."

      Really? You're the one who froths at the pulpit every time there's an unfavourable MS story. Stop projecting your rabid fanzorpathology on to the rest of us please.

      And can you leave Dan alone now please. He's not interested. It's time you moved on. It's getting embarrassing.

  25. Ted Treen

    The only time...

    Microsoft will produce something that DOESN'T suck will be when they make a vacuum cleaner...

  26. Carcass

    DEP Breaks Most Remaining Reasons to Use IE

    The only reason to use IE in a corporate environment is legacy ActiveX controls. Unfortunately, DEP "breaks" many of those and a bunch of add-ins as well. Unfortunately, DEP is an "all or nothing" setting; you cannot selectively disable it for "trusted" or internal sites.

    I've been trying to push for Firefox at our company, and implement IE Tabs when we have no choice but to use IE. Since Firefox configuration can't be managed through GPOs, it has been a difficult sell to the guys that manage the workstations and AD.

    The quality and security of the computing experience seems to be nosediving as we plummet headlong into the "browser is the OS" mentality.

    Mine's the one with the application installation CD, that I can install and not worry about whatever goddam browser or plug-in revision I have. Bring back statically linked executables. You can keep all of your frameworks, dynamic libraries, shared objects, JVMs, Silverlight/Flash and 50 other ways to waste my time guessing whether my app will work or not. Get off my lawn.

    1. David Bond

      @Carcass - Firefox and group policies

      There is a version of Firefox out that supports group policies. It comes with the required .adm. It's from FrontMotion; they are usually 1 or 2 versions behind the latest release.
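
An added example (not from the thread, and not FrontMotion's or Mozilla's own tooling) for the two Firefox-lockdown questions above, Martin Edwards's "how to prevent users from changing preferences" and the .adm approach David Bond mentions: Firefox's own autoconfig mechanism locks preferences without Group Policy, so the same files work whether they arrive via an MSI, a startup script or App-V. The install directory is an assumption passed as an argument; the preference names are real Firefox 3.x preferences.

```shell
#!/bin/sh
# Hypothetical helper: write the two autoconfig files that lock Firefox
# preferences for every profile on the machine.
#   $1 = Firefox install root (assumption; e.g. /usr/lib/firefox, or the
#        "Mozilla Firefox" directory under Program Files on Windows)
# Files written:
#   defaults/pref/local-settings.js  -> points Firefox at mozilla.cfg
#   mozilla.cfg                      -> lockPref() calls users cannot change
write_firefox_lockdown() {
  dir="$1"
  mkdir -p "$dir/defaults/pref" || return 1

  # obscure_value 0 = plain-text cfg (the historical default byte-shifts it).
  cat > "$dir/defaults/pref/local-settings.js" <<'EOF'
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");
EOF

  # Firefox skips the first line of mozilla.cfg, so it MUST be a comment.
  # lockPref() greys the setting out in about:config and the preferences UI;
  # defaultPref() would only set a default the user could still override.
  cat > "$dir/mozilla.cfg" <<'EOF'
// Firefox lockdown (constructed example)
lockPref("xpinstall.enabled", false);              // no user-installed add-ons
lockPref("app.update.enabled", true);               // keep update checks on
lockPref("app.update.auto", true);                  // apply updates silently
lockPref("extensions.blocklist.enabled", true);     // honour Mozilla's blocklist
lockPref("browser.shell.checkDefaultBrowser", false);
EOF
}

# Post-deployment check for an install root: the cfg exists, its first line
# is a comment, and the named preference is locked (not merely pref/default).
check_lockdown() {
  cfg="$1/mozilla.cfg"
  [ -f "$cfg" ] || return 1
  head -n 1 "$cfg" | grep -q '^//' || return 1
  grep -q "^lockPref(\"$2\"" "$cfg"
}
```

On a Windows domain the same two files are dropped under the Firefox install directory by whatever already pushes the MSI (GPO software installation or a startup script); a locked preference shows up greyed out in about:config, which is the quick way to confirm it took.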

    2. lpopman

      titular something or other

      If fine grained tuning of DEP is impossible, could you tell me exactly how JIT compilers or even Dynamic Recompilers work around this "problem"?

      They execute data as a matter of course...

  27. MacroRodent

    Re: DEP Breaks Most Remaining Reasons to Use IE

    "The only reason to use IE in a corporate environment are legacy ActiveX controls."

    Legacy? I wish it were! Corporate IT idiots still tend to push "web applications" that somehow depend on IE. If not DefectiveX, then some other nonstandard stuff that makes use with other browsers a less than satisfactory experience. And justify this by saying "INTERNET EXPLORER IS THE CORPORATE STANDARD BROWSER", if questioned. :-(

    1. Cameron Colley

      Indeed, hardly "legacy".

      The latest version of BES management console from RIM appears to only work in IE -- yes, that's right, one of the biggest smartphone providers on the planet employs idiots as coders or project managers.

  28. David 138

    For the love of God.

    Most people retarded enough to have IE6 still on their machines will probably have an outdated version of FF as well. In an enterprise environment it's more secure as it can be updated from a central location, and patch status can be monitored centrally.

    Also, free software is generally free because you wouldn't pay for it. It's too cack-handed, out of date, and useless at running apps to bother with. That's why we use Windows.

    Let's face it, using MAC is like using a crayon instead of a pen. And using Linux is like trying to sign your name with a high powered laser. Windows sits happily between them both; it's like a biro, it's not great but we love it.

    1. Maliciously Crafted Packet

      Err... you're kidding, right?

      "Let's face it, using MAC is like using a crayon instead of a pen."

      Wouldn't it be more accurate to say that using Windows gives ordinary folk an insight as to what it must be like to be autistic.

      Security is only the secondary reason why Windows must die. The main reason being that it is such a bloody awful awful interface. Most Windows users give up on trying to do anything beyond web browsing and email. Mac users by contrast use their computers for video/photo editing and other creative pursuits that average Joe Windows user has long given up on.

    2. Number6

      Like a biro

      Yes, you could liken Windows to a biro. Half the time you come to use it and find it's not working properly.

      As for the Mac, you can be sure that the crayon has been carefully contoured to enhance the user experience and it'll be available in a range of aesthetically-pleasing colours.

      Linux is more like a pencil - easy to remove mistakes and you can fix it when it breaks.

    3. Anonymous Coward

      How's that?

      Surely every OS uses MAC? Media Access Control is an essential part of the modern networking stack, is it not? Or are you talking about the cosmetics company, in which case I guess that you are right! Trouble is, Davey Boy, it's not just about the enterprise, is it!? Oh, you mean OS X. No, it's about the same as using Windows or Linux you moron...

    4. James Dunmore

      Biro is spot on

      i.e. windows & a biro - never works when you need it to, only works half the time, randomly explodes on you, everyone in the office has one but is envious of the bloke with the posh pen (mac), or always working pencil (linux).

  29. Bilgepipe

    Just get rid of it

    Just dump IE altogether. Problem solved. Continually reanimating it with another coat of paint - much like Windows itself - just prolongs an already overlong death.

    Even Microsoft once said IE was finished, I tend to agree.

  30. Anonymous Coward

    Lock in

    If ever we need an example of why a browser should be simple and compliant then this is it. Most corporates use IE 6 and upgrading it is difficult with all the non-standard stuff that it does. I get really ****ed off when I hear some colleagues talking about using Silverlight. Even worse when they suggested it should be externally facing. While most people want nice websites, this can be achieved by using current standards. Get rid of the extra stuff, plug-ins etc. and then the browser can be independent of the application and OS.

    IT should be avoiding lock-in and IE is exactly the reason we need to avoid it.

  31. Neal 5

    @Displacement Activity

    I'm sure stats are pretty representative of all web sites available. No issues with stats at all.

    Bear in mind of course the % market share owned by "Windows" versus any other platform.

    Whilst not disputing the vulnerability in IE6, all the evidence points to the fact that both IE's 7 & 8 are more secure than IE6. Firefox, whilst still a good browser, is no more or less secure than any other browser; if you wanted to exploit FF code you could. Safari browser also operates under closed code like IE; however, is Safari more or less secure than IE, any version? I think not, seeing as it has proved to be hackable in a tad under 10 seconds, and seeing as that too was in an article that Dan wrote, I'm sure he can confirm that for you.

    Also, whilst the focus appears to be on 10-year-old technology at the moment, i.e. IE6, we're all overlooking some major points. The attack is also vectored by a malicious web site, social engineering and sloppy work practices. How the attack in the wild will vary is anyone's guess. However I'm sure less gullible people than the leading tech officers at leading tech firms will fall for some scam one way or another.

    If they're still using an unpatched version of IE6 on a pre-SP3 version of, I would guess, an unpatched XP OS, and it appears at the moment that only 34 companies actually fit that bill.

  32. Robin 2

    IE6 = best of a bad bunch in 2001

    Stop bashing IE6 and it's lack of standards support. IE 6 is 9 years old. Something which seems to be forgotten by its critics (or maybe they were still spotty teenagers at that point). In 2001 there were no free standards compliant browsers. IE6 was a step up from from the other free browser at the time and the ink had barely dried on the standards documents of the time. However big enterprise saw the IE as a way internally standardising it's work across a common tool (IE6 - NOT HTML).

    Intranets were developed based on IE6 NOT because the IT bods at the time were incompetent, but because there was no better solution. Especially one which could be linked into the existing MS Office infrastructure and/or developed in a largely WYSIWYG fashion using Visual Studio. This is a key aspect. Well trained admin staff could and can hack something useful together using various MS tools - no need to pay external "IT consultants" 100 quid an hour to produce junk when you can get your admin staff to do it for free.

    So the fact that intranets were built on IE6 in 2001 is not stupid or irrational. It was logical at the time. And, the fact that these intranets still require IE6 in 2010 is likewise not stupid or irrational. Why fix something that works?

    No, IE6 is not lock in. Nor is the NHS (one of the world's largest employers) stupid to still support it. The idiots are those who ignore it and pretend it doesn't exist or ridicule those still using it. Would you rather the NHS spent 1 billion upgrading its systems to IE8 (or FF or Chrome or Opera or whoever) or 1 billion on hospital equipment? We develop sites mainly for the UK health care, charity and council sectors. The stats for most of our sites indicate 25% market share for IE6.

    1. Ross 7

      Kinda the point...

      "Intranets were developed based on IE6 NOT because the IT bods at the time were incompetent, but because there was no better solution"

      No, they were developed for IE6 because it was already built in to Win. That was MS's strategy (it worked!) and it's why the EU got annoyed. IE6 wasn't the best solution, but when your exec says "why do you want me to spend time and money getting another browser approved when there's one already there?" do you argue, or do you just go with the flow? Remember, it's not your neck on the line unless you force through another browser.

      Vendor lock in doesn't mean you can't move to another solution, just that it's expensive to do so. IE6 falls into that definition.

      As to "why fix something that works" - depends on your definition of works I guess. The solutions do what they say on the tin, but they also leave a gaping hole in your corporate security. Would you say that a corporate webserver that works (i.e. serves pages) but also gives unrestricted access to the corporate network doesn't need fixing?...

      1. Dale Richards

        IE6 was built into Windows, but seriously, what else would you have used in 2001?

        Firefox wasn't around then, and Opera was ad-riddled crapware. Safari didn't even exist on the Mac, let alone Windows. Netscape was dead in the water and Mozilla hadn't reached a stable release.

        I know we have a rich and competitive Windows browser market now, but this simply wasn't the case 9 years ago. As much as you'd like to deny it, IE6 really was the best solution back then.

        1. Robert Carnegie Silver badge

          @Dale Richards

          Opera's been a flexible, fast, standards compliant, multi page web browser since 1996 and Windows 3.1 and 95. But back then you had to buy your copy (shareware trial). Which I did. Between 2000-2005 you could have it free with advertisements displayed. Since then you can just have it free. You can have pages without graphics for speed until you press the magic button, and you can have over-wide pages zoomed or rearranged to fit your screen or window size. Microsoft's own web sites deliberately test whether a user is using Opera and then send ugly or broken web pages back. Really. Or, they used to; mostly Opera works well now even on Microsoft sites. Now Google I don't know about.

          If running advertising in software offends you, remember that you now have to hate and despise Microsoft Office as well. Its new version runs commercials too.

      2. Robin 2

        IE6 is not vendor lock in at the enterprise level

        My point re the intranets is to not think of IE6 as a web browser - but as a desktop app that can access an internal network in a standardised manner. As for the security issues: in the sort of organisation where it is forbidden/not possible to upgrade IE6 one would assume the network admins have locked it down with very high security settings as well as removed admin rights from local PCs and have firewalls in place and banned access to 99% of the web etc.

        Also, re vendor lock in and in-built browsers: what else would they have chosen in 2001?

        Remember: all browsers were essentially new at the time (I know they have been around since the early 90s, but I'm referring to them as a consumer product). So if your choice of product is going to have consequences 10 years down the line are you going to choose something new from a young startup or are you going to choose something new from an established computer software giant? It's not MS's fault that companies like IBM, Sun or Oracle (i.e. companies big enough to be a good bet to be around in 2010) didn't bother to produce a web browser. I am sure there are plenty of intranets built on Oracle that are tied to IE6.

        I don't agree that IE6 was vendor lock in at the enterprise level. It is for the home user since they won't know the difference. But at the enterprise level? Sorry, there was no other choice in 2001 and it was not due to vendor lock in.

  33. Tom 7

    @robin 2

    Not really familiar with computing in 2001 were you? MS yes, computing no. Netscape went free in 1998.

    MS went out of their way to ensure IE6 and its developers wouldn't follow standards. You couldn't open an HTML file on windows without it being polluted with MS'isms.

    1. Robin 2

      @Tom 7

      I think it's you who is lacking in familiarity.

      How was Netscape any better at standards compliance than IE6? We're talking about 2001, not 2003 or whenever Firefox came out. And we're talking about intranets not public websites. IE6 is still around because that's what many intranets are still geared towards, not because anyone (including MS) actually think it is a good browser.

      "MS went out of their way to ensure IE6 and its developers wouldn't follow standards."

      This was only true after 2001. MS went out of their way not to develop IE6. When it was released it was no worse really than the other browsers around at the time. MS also went out of their way to ensure that it was easy for existing MS based developers to build stuff into it. That is why it got such widespread support at the enterprise level. A bit like Firefox's plugin architecture made it a hit with web developers.

  34. Danny 14

    not always sound advice

    We can't use Opera/Firefox here for two reasons. One, our MMS uses IE. Plain and simple. Two, GPOs don't really work for Firefox and the buggers find ways around it. We whitelist applications installed to stop pocket browsers too. That being said, I do at least run IE8 (installed with GPO and IEAK rather than WSUS, as we can then use mandatory profiles with generic installs and no nag screens).

    Still, it's not hard and DOES seem to work.

  35. Neal 5

    @John Dee

    Sorry for upsetting you and/or your boyfriend. Perhaps when some reality enters into your imagination you'll be able to comment objectively.

    What started out as a story about Google wanting to exit China has drizzled out and down to a story about an IE6 previously unknown bug (which may or may not be news), into a story about a plain ol' phishing attack, which happens every day to countless numbers of people, only this time the victims were a bit more high profile.

    The only embarrassing thing occurring here is a) your outing, and b) the complete lack of background, knowledge and reporting ability shown by either yourself and/or your boyfriend.

    John, to put it simply, this story has been covered in one form or another countless times by the same author, and others and yet nothing changes, perhaps there's a moral there, or for you perhaps amoral there.

  36. Anonymous Coward

    The moral is obvious!

    "...this story has been covered in one form or another countless times by the same author, and others and yet nothing changes, perhaps there's a moral there, or for you perhaps amoral there." Yes, there is a moral. Microsoft should fix Internet Explorer. Simple really!

    You seem to be suggesting that Dan Goodin is anti-Microsoft. Seems to me that he reports largely on IT security issues. Since this whole story is about a security hole in a browser family that commands about 55% of the market share, your beloved Microsoft should be called on it! You'd be braying if this story was about Safari, Chrome or Firefox! You come across as a Microsoft zealot.

    What's really embarrassing is your puerile retort. The fact remains that there is a published security flaw and Microsoft seem to be doing sweet Fanny Adams about it.

  37. Sureo

    Why keep using an old version of IE?

    When IE8 came out I updated my laptop right away. Next thing I know I am browsing the Microsoft Office website and the browser crashed. One or two more crashes and I went back to IE6, which works just fine. No one needs this kind of aggravation.

    1. Ken Hagan Gold badge

      Re: Why keep using an old version of IE?

      So the fact that no-one else seems to have trouble browsing the office website didn't make you think "Maybe it isn't IE8 that is the problem."? You just twiddled a knob until the symptoms went away and investigated no further.

      That's fine for the proverbial grandmother, who is unlikely to find the real reason no matter how hard she looks, but it certainly isn't a legitimate reason for a corporate IT department to stick with IE6 and its many known risks. At the very least, they should be taking steps to block IE6 as a client for external web-sites, thereby forcing everyone to use a better browser for everyday work.
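Ken Hagan's suggestion above, blocking IE6 as a client for external web sites while leaving the intranet alone, is easy to express as a proxy rule. The following is an added example written for this page, not code from the thread or from any vendor. It assumes (my assumptions, not the page's) that the proxy sees each request as a hostname plus a User-Agent header, that intranet hosts are identified by domain suffix, and that the deciding signal is the browser's self-reported "MSIE 6.0" token. That header is client-controlled, so this enforces policy for well-behaved clients; it is not a security boundary, and an IE6-only app that reaches out to an external host would still need an explicit exception.

```python
"""Added example: a proxy-style rule that lets IE6 reach internal hosts but
refuses it as a client for external sites. Hostnames, log lines and the
INTERNAL_SUFFIXES list are constructed for illustration."""
import re

# IE reports itself as "MSIE <major>.<minor>" inside the parenthesised comment.
# IE8 and later also send a "Trident/<n>" token; IE6 and IE7 never do.
_MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
_TRIDENT_RE = re.compile(r"Trident/\d+\.\d+")

# Constructed intranet suffixes: where the IE6-only apps are assumed to live.
INTERNAL_SUFFIXES = (".intranet.example", ".corp.example")


def msie_major(user_agent):
    """Return the MSIE major version the UA claims, or None for non-IE."""
    m = _MSIE_RE.search(user_agent)
    return int(m.group(1)) if m else None


def is_ie6(user_agent):
    """True only for a genuine IE6 claim: MSIE 6.x and no Trident token.

    IE8 in Compatibility View reports MSIE 7.0 but still carries Trident,
    so requiring the absence of Trident keeps newer engines that merely
    present an older version string out of the block list.
    """
    return msie_major(user_agent) == 6 and _TRIDENT_RE.search(user_agent) is None


def is_internal(host):
    """Suffix match against the intranet domains (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == s.lstrip(".") or host.endswith(s) for s in INTERNAL_SUFFIXES)


def decide(host, user_agent):
    """Return 'allow' or 'block' for one request."""
    if is_ie6(user_agent) and not is_internal(host):
        return "block"
    return "allow"


# Constructed proxy log lines, "<host> <user-agent>"; not real traffic.
SAMPLE_LOG = """\
hr.intranet.example Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
www.example.org Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
www.example.org Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
www.example.org Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
"""


def apply_policy(log_text):
    """Run decide() over each log line; returns a list of (host, verdict)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _, ua = line.partition(" ")
        results.append((host, decide(host, ua)))
    return results


if __name__ == "__main__":
    for host, verdict in apply_policy(SAMPLE_LOG):
        print(f"{verdict:5}  {host}")
```

Of the four constructed requests, only the second (IE6 to an external host) is blocked; the intranet request from IE6 and the IE8-in-compatibility-view request both pass. In a real deployment the same test belongs in the proxy's ACL language rather than in Python, but the version-and-Trident check is the part worth getting right.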

  38. Neal 5

    @anonymous coward 15.30

    The moral is obvious.

    Yes you are right. And to be fair hindsight is 100% perfect.

    No, in fact, I don't bray, and unlike you I manage to read all the comments, not just jump on the ones I don't like. I know this, because you wouldn't make such a sweeping statement about me if you had read all the comments to start with.

    Yes, on a theme this story has been reported many times, a trojan attack against IE.

    This one is easily defeated; already many AV combat this. The attack is simply an XORed trojan payload and a .gif. How many times has this been reported, in one form or another?

    In fact, I wouldn't be surprised if this didn't get patched by MS for a few months yet, AV, and any good Intrusion Protection software will stop this for a good long while yet.

    But that's hindsight, so I still stand by what I said, only I'll reiterate one more point, that I haven't for a while against Mr Dan Goodin, scaremonger in chief.

    FFS, let the story run without the sensationalistic crap that Dan gives it, it's not me alone who recognizes this shit for exactly what it is , pure shit, and boring at that.

    The news was Google got hacked, and that should have been the point and focus. IE6 is 10 years old technology, I'm surprised an elementary kid can't rip the guts out of it.

    Which brings me back to you Mr Anonymous Coward.
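Neal 5 describes the payload as an XORed trojan carried in a .gif. Whatever the real sample did, the obfuscation style he names is a common one, and it is detectable without a signature: XOR preserves byte positions, so if a Windows executable has been XORed with a short key, the "MZ" header and the standard DOS stub text reappear verbatim once the key is recovered. The scanner below is an added example written for this page, not code from the thread or from any AV product. It assumes (my assumption) a single-byte key, which a known-plaintext check recovers directly from the first byte; the same idea extends to n-byte keys at n times the cost. The "infected" GIF it scans is a constructed fixture, not a real malware sample.

```python
"""Added example: find a single-byte-XORed PE image hidden inside a GIF.
All sample data here is constructed; nothing is taken from real malware."""

DOS_STUB = b"This program cannot be run in DOS mode"
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def xor_bytes(data, key):
    """XOR every byte of `data` with the single-byte `key`."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data):
    """Cheap PE test: 'MZ' at offset 0 and the DOS stub text in the first 256 bytes."""
    return data[:2] == b"MZ" and DOS_STUB in data[:0x100]


def find_xored_pe(blob, max_offset=64):
    """Look for a XORed PE starting within the first `max_offset` bytes.

    Known-plaintext trick: the first plaintext byte must be 'M', so the only
    candidate key at a given offset is blob[offset] ^ ord('M'). We confirm
    it against 'Z' and then against the DOS stub, which rules out chance hits.
    Returns (key, offset) for the first match, or None.
    """
    for offset in range(min(max_offset, len(blob))):
        chunk = blob[offset:offset + 0x100]
        if len(chunk) < 2:
            break
        key = chunk[0] ^ ord("M")
        if chunk[1] ^ key != ord("Z"):
            continue
        if looks_like_pe(xor_bytes(chunk, key)):
            return key, offset
    return None


def scan_gif(blob):
    """Summarise one file: does it carry a GIF magic, and does it hide a PE?"""
    return {
        "is_gif": blob[:6] in GIF_MAGICS,
        "hidden_pe": find_xored_pe(blob),
    }


def build_sample(key=0x5A):
    """Constructed fixture: a GIF header, a fake pixel block, then a tiny fake
    PE (MZ header + DOS stub, not runnable) XORed with `key`. The payload
    starts at offset 22 (6 + 7 + 9 bytes of image data)."""
    fake_pe = (b"MZ" + b"\x90\x00\x03\x00" + b"\x00" * 0x3A
               + DOS_STUB + b".\r\r\n$" + b"\x00" * 16)
    header = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\xff" * 9
    return header + xor_bytes(fake_pe, key)


if __name__ == "__main__":
    for label, data in (("infected", build_sample()), ("clean", b"GIF89a" + b"\x00" * 100)):
        print(label, scan_gif(data))
```

On the constructed fixture the scanner reports key 0x5A at offset 22; the plain GIF yields no hit. The DOS stub check is what keeps the false-positive rate down: two bytes XORing to the right pair happens by chance about once in 256 offsets, but a 38-byte stub does not.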

This topic is closed for new posts.
