|
Written by David Torre
|
Internet Explorer 6 End of Life Explained
As with any major upgrade, some organizations will opt to make the big leap before others. Whether your company is well into its exodus from IE6 or plans on clinging for dear life until the final hour, knowing when Microsoft will officially stop supplying support and patches for the product is vital in planning your IE6 exit strategy.
From a support perspective, Microsoft views Internet Explorer not as a standalone application, but rather as an operating system component. As such, the IE6 support lifecycle is inherited directly from the operating system it shipped with. In other words, IE6 support ends when the underlying operating system reaches end-of-life. As Vista and Windows 7 ship with IE7 and IE8 respectively, this leaves us with Windows XP. Per the Microsoft Product Lifecycle page, Windows XP (and ultimately IE6) support shall cease on April 8th, 2014. If there is a definitive date for enterprises to be fully weaned off of the legacy browser, let the countdown to April 8th 2014 begin.
After almost a decade of service, IE6 continues to dominate corporate desktops and remains the only supported browser for many mission-critical internal applications. But as PC manufacturers finally halt the shipment of Windows XP and IE6, IT organizations must face upgrading web-based applications to be IE7+ compatible, or hold the entire organization back on the XP/IE6 platform. Such decisions often bring about battles of apocalyptic proportion between help desks, applications divisions, and security departments. So what's all the fuss about? Why not just upgrade the desktops and move on?
IE6 Legacy Applications: The Chains the Bind Us
Upgrading client workstations isn't as easy as it sounds. You've got Windows 7 which ships with Internet Explorer 8 by default, and downgrading to IE6 simply isn't a (supported) option. If internal applications are dependent upon IE6 browser functionality or controls, then obviously the web application itself must be upgraded to either support newer versions of Internet Explorer, or embrace open standards as to support browsers such as Firefox which can then play in the sandbox as well.
So herein lies the problem: upgrade your major web-based application such as an ERP module, supply chain component, or CRM system for no apparently business reason tied to the application itself. That is, your upgrade is for the "greater good" of the overall IT microcosm; allowing end-users to take advantage of modern hardware and newer operating system functionality. Unless your CFO is an Uber-Utopian Zen master, you've got some challenges ahead.
If it Ain't Broke, Fix It
It tight economic times, it's difficult to justify exorbitant expenditures with seemingly slim return on investment. So why pay a ton of cash to upgrade a web application that is already functioning just fine? The answer is simple: to enable the rest of the organization to move on with modern web browsers and the operating systems they are bound to. Consequently, those in favor of IE and Windows upgrades shell hesitant decision makers with a virtual barrage of technical artillery using arguments pertaining to productivity, compatibility, and of course, information security.
Once the security card is pulled, the time comes to qualify said risks and quantify them in ways which management can easily digest. Therefore, information security professionals must take a neutral, yet holistic stance on evaluating IE6 risks; looking not only at the traditional information security risks, but general risks to overall business functions as well.
The Facts on IE6 Security Risks
It’s no secret that IE6 has endured its fair share of bad press due to countless security vulnerabilities. But from the perspective of the technology manager tasked with the decision of spending potentially significant sums of money to upgrade, how does one truly quantify the risks associated with keeping IE6 on enterprise desktops? Sadly, that depends on who you ask. Security analysts often cite the sheer number of IE6 vulnerabilities, comparing the numbers to browsers which have been in existence for a fraction IE6’s venerable lifespan. It’s only natural for a browser with an elongated lifecycle to have more security issues, and cost-conscious technology leaders are likely to agree.
Perhaps a more convincing argument is the amount of time it takes for Microsoft to develop, test, and deploy patches for known IE6 vulnerabilities. When compared to Firefox or Safari, IE6 has been criticized for prolonging patch releases, leaving customers exposed to threats for extended periods of time. While disconcerting to information security professionals, CFOs often have difficulty understanding the intricacies of patch lifecycles when the vendor (Microsoft) is ultimately delivering a solution to problem. Sure, it isn’t optimal, but still not convincing enough to start cutting checks for upgrades.
Possibly the most compelling information security risk associated with continued use of IE6 pertains to the number of unpatched vulnerabilities. As the name implies, unpatched vulnerabilities have no known solution, and present perpetual risk until a resolution or workaround is found. At the time of this writing, the number of unpatched IE6 vulnerabilities is staggering:
Web browser software is controlled directly by end-users, and (obviously) interfaces with Internet sites—some friendly; others not so much. Not coincidentally, the web browser presents a tantalizing attack surface for hackers, and targeting a browser with known vulnerabilities radically increases the likelihood of a breach, as major firms such as Google and Adobe recently found out the hard way.
Business Risks Associated with IE6
Of course, not all risks associated with IE6 use are information security-specific. The cost/benefit analysis of IE6 retainment may now be hitting the point of diminishing returns, as IT departments are finding out that supporting the legacy browser actually necessitates the spending of funds. From paying developers for additional hours to code for the legacy browser, to harder to quantify expenses such as preventing the entire organization from embracing Windows 7 and the powerful 64-bit hardware which accompanies it. Keeping IE6 around will undoubtedly bring political issues to IT’s doorstep as well. Many high-profile Internet sites such as Google, Salesforce.com, and other Web 2.0-centric sites have dropped support for IE6 completely, leaving enterprise users dysfunctional or operating in cumbersome dual-browser modes.
Lessons Learned with IE6
Having analyzed the pros and cons of IE6 retainment versus upgrade, one can't help but ask: how did we get here in the first place? How does a web browser hold back entire operating system rollouts, or compel IT departments to spend considerable dollars on internal web application upgrades?
Reasons for prolonged reliance on IE6 may be numerous, but perhaps the most notable is that of dependency on proprietary functionality. The web was designed to embrace open standards and heterogeneous equipment. Somewhere along the line, the allure of IE-specific features such ActiveX controls and integrated Windows authentication may have lead us astray down a lonely path of incompatibility with our modern surroundings. Needless to say, those tasked with upgrading internal applications currently dependent upon IE6 functionality may wish to evaluate future replacements against overall adherence to open standards as to avoid any future proprietary browser dependencies. |
|
Last Updated on Friday, 16 April 2010 09:16 |
Add comment
|
|
Feed Entries 
White Papers 
