Google’s social network Orkut reportedly plans to phase out support for Internet Explorer 6, igniting a long-simmering debate over continued use of the 8-year-old version of the browser. The current version is IE8.
Microsoft intends to maintain support for IE6 in conjunction with its support for Windows XP — the OS that originally delivered it. Extended support for XP is scheduled to end in 2014.
“As engineers, we want people to upgrade to the latest version,” wrote Microsoft IE8 product manager Dean Hachamovitch in a recent IEblog post. “We make it as easy as possible for them to upgrade. Ultimately, thechoice to upgrade belongs to the person responsible for the PC.”
Not the Least Insecure?
IE6 is still the choice of a significant portion of the computer-using community; however, many developers have come to loathe it.
“As any Web developer will tell you, working with IE 6 is one of the most difficult and frustrating things they have to deal with on a daily basis, taking up a disproportionate amount of their time,”states the Web site IE6NoMore. “Beyond that, IE 6’s support for modern web standards is very lacking, restricting what developers can create and holding the web back.”
One of the arguments to retire IE6 is that it is insecure, but Tyler Reguly, senior securityengineer for nCircle, begged to differ.
“IE6 is maintained just as frequently as IE7 and IE8,” he told TechNewsWorld. “It receives regular security updates. It may not receive some of the fancy features that increase security, but lack of increased security doesn’t mean insecure.”
Yet that doesn’t mean it’s the safest browser out there, either, suggested Michael Sutton, VP of security research at Zscaler.
“While the product has not yet reached an official end of life and is still receiving security patches, it lacks numerous enhancements to security functionality which were introduced in Internet Explorer 7and 8,” he told TechNewsWorld.
“Such enhancements include malicious content filters, cross-site scripting detection, and the way thatActiveX controls are handled,” said Sutton. “Any company retaining Internet Explorer 6 for compatibility reasons is substantially lowering the bar for end-user security within their organization.”
The IE6 controversy extends beyond the developer community to Web 2.0 circles, noted Reguly.
“For a time, #IE6MustDie was one of the most popular hash tags on Twitter,” he said. “This crowd would like to see IE6 gone for a number of reasons, but most of them are not related to security — rather to interoperability.”
In other Internet Explorer news, Microsoft included in its latestPatch Tuesday update a feature that explicitly allows users to choose either Internet Explorer 8 or a competing browser as their default preference.
The browser-preference patch appears to be a response to antitrust regulatory actions on both sides of the Atlantic. Previously, users had to access custom settings if they wanted to opt for a browser other than Microsoft’s IE.
There are also five critical vulnerabilities addressed in the release, some of which could give hackers the ability to remotely execute malicious code.
“This patch is all over the place with a wide spectrum of attack vectors,” Eric Schultze, CTO of Shavlik Technologies, told TechNewsWorld. “It should make hackers very happy.”
Client side vulnerabilities continue to dominate, with the majority of the patches aimed directly at the client — and no signs of ActiveX vulnerabilities slowing down, Sheldon Malm, senior director ofsecurity strategy at Rapid7, told TechNewsWorld.
“With the ongoing ATL (Active Template Library) problem, who knows how many distributed clientapplications are out there waiting to be hit?” Malm wondered. “This isn’t the last of the ATL issues by a long shot.”