Despite sticking to its guns that the Internet Explorer 6 flaw used in the attack on Google is limited in scope, Microsoft has promised to release an out-of-band security update to close it. Out of band means the update will be released outside of the usual monthly patch cycle.
“Based on our comprehensive monitoring of the threat landscape we continue to see very limited, and in some cases, targeted attacks,” Microsoft’s Security Response Center writes, “To date, the only successful attacks that we are aware of have been against Internet Explorer 6.” Microsoft advises to upgrade to IE 8, but a more obvious idea is to upgrade to a competing web browser, such as Firefox or Chrome.
“Given the significant level of attention this issue has generated, confusion about what customers can do to protect themselves and the escalating threat environment, Microsoft will release a security update out-of-band for this vulnerability,” they further explain. “We take the decision to go out-of-band very seriously given the impact to customers, but we believe releasing an update out-of-band is the right decision at this time.”
More details and a release schedule will be published tomorrow.
In the meantime, security company Vupen claims to have developed a proof-of-concept remote code execution exploit for this vulnerability that works even on systems with DEP (Data Execution Prevention) enabled. That claim cannot be independently verified, since the proof-of-concept is only available to Vupen customers, and Vupen is quite picky about who those are.
http://www.computerworld.com/s/article/9145958/Researchers_up_ante_…
Would anyone blame Microsoft for not updating IE6 anymore?
When is the official end of IE6 support scheduled if it is?
MS (like other OS vendors) supports the _whole_ OS in its release form for a certain number of years.
For XP that includes IE6 and AFAIK until 2014.
Edit: And there are still very large corps that depend on IE6 for certain custom apps. Sad but true.
Those customers are very important to MS and have a lot of lawyers who will make certain MS supports IE6 as long as they set out to do.
But even those could use Firefox for web browsing.
Edited 2010-01-20 01:28 UTC
Do you really think it’s a lawyer thing? I think the carrot of a consistent, lucrative revenue stream is much more enticing for Microsoft than the stick of lawyers. I mean, these companies were dumb enough to tie their future to MS; those are the kind of customers you need to keep around to sell your next horrible product.
I stand by that statement.
Companies that wrote apps for IE 6 that would never work for any other browser were stupid.
I’m not just saying that with hindsight. I was working for companies that did this, told them it was stupid, and proposed solutions that were standards-based and just as effective. They didn’t see it my way; I refused and wrote my stuff to work with IE and Phoenix (now Firefox). Guess what, my app still works. My coworkers… they had to rewrite due to the owner’s demand for Mac compatibility (Safari).
So in other words, your co-workers got to keep their jobs, while you made yourself expendable.
(eh, sorry. excuse the cynic in me…)
Funny, but not true. Think about their performance reviews:
Manager: “Your project had to be completely redone.”
Employee: “Yes, because you told me to write it for IE.”
Manager: “Bill’s project of a similar scope works for IE and it still works for Safari.”
Employee: “You told me to focus on IE and to NOT make it compatible with anything else.”
Manager: “I never told you to make it so you’d have to rewrite it. That’s your mistake. Bill will be in charge of designing the replacement.”
And that’s pretty much how I ended up in charge there.
It seems illogical, but you keep your job by always making yourself ‘expendable’. The easier you make your job for a monkey to do, the more likely your position will be filled by a monkey. Where does that move you in a manager’s eye? Up!
You’re looking at it in a zero growth company. If there is nothing to be done IT wise other than maintenance, you might have a point. If you are in a high growth company with lots of work, you’re dead wrong.
I thought it was a bad idea at the time as well and was shocked by how common it was. I didn’t trust IE6 to surf the web without crashing and yet all these companies were tying it to their intranet apps.
But that’s only half the problem. There’s also the problem of companies not wanting to spend a dime on upgrading their workstations. They need to be banned from websites or at least nagged with the IE6Update script.
http://ie6update.com/
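The nagging approach mentioned above boils down to recognising Internet Explorer 6 from its User-Agent string and injecting a notice into the page. The following is an added example of that check, not the IE6Update script itself or code from the original thread; the sample User-Agent strings are constructed for illustration. Note that the User-Agent header is entirely client-controlled, so this is a usability nudge and never a security control.

```javascript
// Added example: classify a browser from its User-Agent string so a site can
// decide whether to show an "upgrade your browser" notice to IE6 users.
// Caveat: the UA string is client-controlled; treat this as a nudge only.

function ieMajorVersion(ua) {
  // Older Opera builds advertised "MSIE 6.0" for compatibility while also
  // naming themselves; do not mistake them for Internet Explorer.
  if (/\bOpera\b/.test(ua)) return null;
  // Classic IE token: "MSIE 6.0", "MSIE 6.0b", "MSIE 8.0", ...
  var m = /MSIE (\d+)\.\d+/.exec(ua);
  if (!m) return null;
  return parseInt(m[1], 10);
}

function shouldNagIe6(ua) {
  var v = ieMajorVersion(ua);
  // IE 5.x is long past its support window too, so nag anything at or below 6.
  return v !== null && v <= 6;
}

// Browser-side usage: put a banner at the top of the document for IE6 users.
// `doc` is passed in rather than taken from the global scope so the function
// can be exercised outside a browser (e.g. with a small fake document).
function installNagBanner(doc, ua, message) {
  if (!shouldNagIe6(ua)) return false;
  var div = doc.createElement('div');
  div.id = 'ie6-nag';
  div.appendChild(doc.createTextNode(message));
  doc.body.insertBefore(div, doc.body.firstChild);
  return true;
}

// Constructed sample User-Agent strings (hypothetical, not captured traffic).
var SAMPLE_UAS = {
  ie6: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
  ie8: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
  operaSpoof: 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50',
  firefox: 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7'
};

// When loaded in a real page, act on the visitor's own browser.
if (typeof document !== 'undefined' && typeof navigator !== 'undefined') {
  installNagBanner(document, navigator.userAgent,
    'You are using Internet Explorer 6. Please upgrade your browser.');
}
```

The Opera check matters because naive "MSIE 6" matching would nag Opera users who deliberately chose a modern browser, and because the same bypass logic (the client lies about itself) is the reason UA sniffing must never gate anything security-relevant.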
“Microsoft advises to upgrade to IE 8”
More accurately, they advise upgrading operating systems and hardware so that you can install and run IE 8. They just do so by not making IE7 or IE8 work on anything remotely old.
OTOH, I’ve been running other browsers for a long time, anyway.
Out of band means that it will be released outside of the usual patch cycle.
They have a strange use for “out of band”. From here: http://en.wikipedia.org/wiki/Out-of-band
In general language, “out-of-band” refers to communications which occur outside of a previously established communication method or channel.
They are using the usual communication channels, so this could be called out-of-sync with the usual patch schedule or something, but not out-of-band.
Unless you consider the timing as part of their “method”. In which case, supplying the update at a different time is “out of band”.