Microsoft Internet Explorer (IE) 6 continues to be popular at enterprises, despite being targeted in a number of high-profile attacks and the availability of a newer version with more robust security capabilities, according to a report by security service provider Zscaler Inc.
In a study of its client base, Zscaler said about half of Internet Explorer 6 users have failed to upgrade to a newer version, despite Microsoft's continued urging to upgrade the browser, which turns 9 years old in August. Mike Geide, a senior security researcher at Sunnyvale, Calif.-based Zscaler, said he was surprised to see the number of people still using the browser, despite IE6 security concerns.
"It's actually a little upsetting to see just how widely used [IE 6] is, given that it doesn't have the newer protection schemes that [IE7 and 8] have; specifically the Data Execution Prevention, Address Space Layout Randomization, and the utilization of known blocked lists," Geide said.
Zscaler recently released its "State of the Web Report," which covers data it has gathered on its client base from the fourth quarter of 2009. Geide said the continued use of IE6 at enterprises was troubling, especially since a vulnerability in IE6 was targeted by hackers in a series of attacks that successfully penetrated the corporate networks of Google and more than two dozen other companies.
So why are a high percentage of Zscaler clients still using IE6? Geide said that customers are wary of upgrading to IE7 or 8 because many have not done the testing needed to confirm that their in-house Web applications will work in the newer browsers. That hesitation is a problem, Geide said, because keeping employees on an up-to-date browser is just as important as installing the latest operating system patches.
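Finding the IE6 holdouts Geide describes starts with an inventory, and for a proxy service such as Zscaler the natural source is the User-Agent header recorded in access logs. The following script is added here as an illustration; it is not part of the article or of Zscaler's report. It counts distinct clients per Internet Explorer major version from constructed proxy log lines, resolving the one wrinkle a naive string match gets wrong: IE8 running in Compatibility View announces itself as MSIE 7.0 but keeps its Trident/4.0 token, so the Trident token is used as the authoritative version when present. The log format (client address followed by the quoted User-Agent) and all sample lines are constructed for the example.

```python
"""Inventory Internet Explorer versions from proxy access logs.

Added example (not from the article or from Zscaler): given log lines that
record the client address and the User-Agent header, report which clients
still run IE6. The log format and sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample lines in the form: <client_ip> "<user-agent>". Not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '10.0.0.6 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"',
    # IE8 in Compatibility View announces MSIE 7.0 but keeps its Trident/4.0 token.
    '10.0.0.7 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"',
    '10.0.0.8 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '10.0.0.9 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/531.9 (KHTML, like Gecko) Chrome/3.0.195 Safari/531.9"',
    '10.0.0.5 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',  # repeat visit by the same client
]

LINE_RE = re.compile(r'^(?P<ip>\S+)\s+"(?P<ua>[^"]*)"\s*$')
MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.\d+")


def ie_major_version(user_agent):
    """Return the real IE major version, or None for non-IE user agents.

    IE6 and IE7 carry no Trident token; IE8 and later do (Trident/4.0 is IE8,
    Trident/5.0 is IE9, and so on). Because IE8+ in Compatibility View reports
    MSIE 7.0, the Trident token wins over the MSIE token when both are present.
    """
    msie = MSIE_RE.search(user_agent)
    if not msie:
        return None
    trident = TRIDENT_RE.search(user_agent)
    if trident:
        return int(trident.group(1)) + 4
    return int(msie.group(1))


def inventory_ie(lines):
    """Map IE major version -> set of distinct client addresses seen using it."""
    clients_by_version = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole report
        version = ie_major_version(m.group("ua"))
        if version is not None:
            clients_by_version[version].add(m.group("ip"))
    return clients_by_version


def ie6_report(lines):
    """Summarise how much of the IE population is still on IE6."""
    inv = inventory_ie(lines)
    total_ie_clients = sum(len(c) for c in inv.values())
    ie6_clients = sorted(inv.get(6, set()))
    fraction = len(ie6_clients) / total_ie_clients if total_ie_clients else 0.0
    return {
        "clients_by_version": {v: len(c) for v, c in sorted(inv.items())},
        "ie6_clients": ie6_clients,
        "ie6_fraction_of_ie": fraction,
    }


if __name__ == "__main__":
    report = ie6_report(SAMPLE_LOG)
    print(f"IE clients by major version: {report['clients_by_version']}")
    print(f"Still on IE6 ({report['ie6_fraction_of_ie']:.0%} of IE clients): {report['ie6_clients']}")
```

Counting distinct clients rather than requests keeps one chatty workstation from inflating the IE6 share, and the list of addresses is what a desktop team needs to schedule the compatibility testing Geide says customers have been putting off.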
Geide believes CISOs should consider moving their organizations to IE7 or 8 to gain better protection capabilities. In addition to a feature that blocks clickjacking attacks, Microsoft improved AJAX handling to support secure coding and enabled Data Execution Prevention by default, a feature that blocks code placed in memory marked non-executable from running. The latest browser also includes other security features that protect against phishing and cross-site scripting (XSS) attacks.
"The fact that Microsoft is still supporting Internet Explorer 6, and hasn't 'end-of-lifed' it yet… that means they're still patching it," he said. "There may be cases where CIOs and other folks think that if they're running a version of IE6 that is fully patched that they're just as secure as some using IE8 that's fully patched, but that's just not the case."
A New Game for Hackers
Attackers have moved from seeking out vulnerable servers on the Web to targeting end users, Geide said, and they are finding more success by going after vulnerable Web applications. For example, attackers are uploading malicious code to content management systems, including Joomla and WordPress, so they can compromise the server and, at the same time, attack the machines of end users who visit it.
"Now they have an army of bots that can do anything from steal financial transactions that are occurring on the end user's desktop or monetize the bots in some way," Geide said.
Attackers are also taking advantage of the increased use of social networking. Zscaler took a look at the top phishing IP addresses that plagued its customers. Coolxd.com alone accounted for 70% of Zscaler's phishing data. Coolxd spread primarily through instant messenger and email, advertising a service that would let users IM photos to friends. Once a prospective user was lured to the Coolxd site and provided their IM or email credentials, the site would steal their buddy lists and contacts and use them to advertise itself further. Coolxd.com has since been shut down, but its IP address has been linked to other phishing sites.