Old and Insecure, IE6 Still Popular in the Enterprise

Conventional wisdom has it that Microsoft’s Internet Explorer Web browser is on the way out: succumbing to the death of thousand cuts administered by plucky rivals like Mozilla’s Firefox, Google’s Chrome and even Opera.

Conventional wisdom has it that Microsoft’s Internet Explorer Web browser is on the way out: succumbing to the death of thousand cuts administered by plucky rivals like Mozilla’s Firefox, Google’s Chrome and even Opera. But data from Web security firm zScaler shows that the Old Blue Lady of the Web is still a force among enterprise users and that IE6, the notoriously security plagued version, is the browser of choice for one in five employees.

The data, accumulated almost exclusively from corporate customers of hosted Web security firm zScaler, was published with the company’s State of the Web report for the second quarter, 2010. It provides a unique window on enterprise Web use. Enterprise users are far more likely to use Microsoft’s browsers than the population at large. Almost three quarters of the Web traffic the company monitors was viewed on versions of Internet Explorer, compared to estimates of around a 60% market share in the population at large, according to data compiled by Netapplications.com.

IE’s hold in the enterprise sadly extends even to the Internet Explorer Version 6 browser, which has been a font of toxic vulnerabilities since it was released in 2001. Slightly less than a quarter of user traffic monitored by zScaler in Q2 – 23% – was to IE6. The company claims to monitor the traffic of “millions” of enterprise users, but wasn’t able to provide a specific number.  

The continued prevalence of IE, and IE version 6, in particular, has been a common element in many high profile security incidents. Notably, the Google Aurora attacks at the end of 2009 relied, in part, on an exploit of a previously unknown IE vulnerability that permitted remote code execution on systems running Internet Explorer versions 6 and 7.

Internal applications that rely on IE 6 may have something to do with its staying power.

“Enterprises tend to be much more concerned about backward compatibility than security,” said Mike Sutton, Vice President of Security Research at zScaler. “They’re woried about not breaking that Web application they built five years ago.”

Other surveys of enterprise users have also pointed to the dismaying staying power of the almost decade old browser. A poll by industry publication Virus Bulletin in February found that 19 percent of respondents still used the browser, 15% of them at work. But zScaler’s numbers reveal even higher penetration.

But enterprises do appear to be getting savvy. IE6 use dropped nearly 10% in the first two quarters of 2010 and continues to decline. That may have to do with publicity around the Google Aurora hacks, as well as in the wild exploits of other critical, remotely exploitable vulnerabilities in IE6 and IE6 SP1. Sutton said most are migrating to the newer Internet Explorer Version 8, rather than to alternative browsers like Firefox or Chrome.  

That’s fine with Sutton, who said that Microsoft’s newer browser offers a wealth of security features that make it a safer choice than IE 6, including phishing site protection, malware blocking and address space layout randomization (ASLR) a feature that, while not perfect, makes it harder to carry out some kinds of memory-based attacks.

While the headlines may be about Microsoft’s declining dominance of the browser market, Sutton said that IE will continue to be the Web platform of choice in the enterprise for the forseeable future.

Suggested articles

Discussion

  • BizDPS on

    While there may be a percentage of organizations holding onto Internet Explorer 6 on Windows XP, how much of the IE6 traffic comes from Windows 2000 computers?  Win2k has no upgrade path from IE6.  Even looking at my own web logs, my site has hits from users running Windows 2000 with IE6.  Granted, enterprises should be replacing computers of that age, but for those that are still out there, it's what they're stuck with.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.