One of the most frequently repeated pieces of advice on this site is – “Keep all applications (including your operating system) patched, and up to date”. Sounds like good, practical advice – and it is. But as those of us involved in computer security know, this is advice that is not always followed.
Up to a point, I can understand why an occasional user might not be as careful when it comes to following this advice, as a more seasoned user. But what I will never understand is – why a company (of any size), or a government agency, would not recognize the critical need to follow this advice.
We’re all familiar with this statement – “Microsoft issues security advisory on IE vulnerability.” I’m not picking on Microsoft, since experience has taught us that every Browser can be compromised by cybercriminals. And current statistics indicate, Internet Explorer 8 may, in fact, be the “safest” Browser – at least for the moment. Some may dispute this, and that’s fair enough, since many of the metrics used to measure Browser safety are highly variable.
What’s beyond dispute though, is the continued use of Internet Explorer 6 delivers an invitation to the cybercriminal world to play havoc on computer systems.
Internet Explorer 6 has been referred to, in addition to many other flavorful descriptions, as “the least secure software on the planet” and “the worst tech product of all time”.
So, I find it difficult to understand why an 8-year-old Browser (it was released in August, 2001, shortly after the completion of Windows XP), with a horrendous reputation for system safety, continues to be used by any reasonably informed user. But it is being used – and you might be surprised to learn just who it is that continues to use it.
As a serious Blogger, I use a number of tools including StatCounter, which allows me to listen to my readers, and to determine what it is they need – what they want to read, and what’s important to them. One of the information metrics produced by StatCounter is information on the Browser used by the reader, along with the Host name and location.
In the following example, (December 4, 2009), 2 visits are from a business, and one visit is from a bank – both using IE 6. Host address is not included here for privacy reasons.
Just to be clear – the following Browsers (in order of preference), are used to reach this site:
Safari 3.1 through 4.0
*Internet Explorer 6
Various flavors of the Mozilla Browser
What I find surprising in these statistics is the continued use of Internet Explorer 6. Even more surprising, though, is who’s still using this outdated and incredibly insecure Browser – many U.S. Government sites (including some Defense Department sites), and some very well known commercial enterprises. There are, of course, some non-commercial users in this IE 6 group – but not many.
To put this in perspective – approximately 25% of the 3,000 (+ or -), daily visits to this site, are from Universities/Colleges, Government agencies (local and national), Business, and Law Enforcement Agencies (local and national), and roughly 15% of these business and government visitors are still using Internet Explorer 6.
I have yet to see an educational institution, or a law enforcement agency, visiting this site, still using IE 6. But 15%+ of business and government visitors are still using this Browser, despite the increased security risk doing so creates.
In January of this year, security advisory site Secunia reported 142 vulnerabilities in Internet Explorer 6 – 22 of which were unpatched at that time. Many of these vulnerabilities were rated moderately critical in severity.
Even today (December 5, 2009), Secunia’s advisory affecting Microsoft Internet Explorer 6.x, with all vendor patches applied, still rates this application’s security vulnerabilities as “Highly critical”.
So here’s my question: With the increasing sophistication of cybercriminals, particularly in cybercrimes directed at business and government, (and we know that cybercriminals are currently targeting small and medium sized businesses), why would a business or government agency continue to use Internet Explorer 6?
It would definitely impact my decision as to whether to do business with a particular organization (holding my confidential information), if I was aware that business still employed Internet Explorer 6.
This is not a scientific survey of Internet Explorer 6 usage in business, or government, and I’m aware of the lack of applied methodology. Nevertheless, anecdotal evidence is often reasonably representative of reality, and in this case, I believe it is, since I’ve been watching IE 6 usage here for over a year.