In a better world, the Chinese attack on Google and other companies would never have happened. The assault targeted a nasty vulnerability in Microsoft’s Internet Explorer 6, a crufty old browser that should long since have been retired in favor of newer and more secure software. But no one can drive a stake through the heart of this vampire of the software world.
Use of IE 6, which entered the world along with Windows XP in 2001, has been steadily dropping, but a recent report by Net Applications still pegged it at over 20% of browser usage in December 2009 (other reports put it in low double digits). It wouldn’t be so bad if most of those were PCs used only by grandma to log in to AOL or half-forgotten computers that haven’t been updated in quite a while.
Alas, the use of IE 6 is greatest where the danger is most serious. A Gartner analysis from last spring found that IE 6 still accounted for a shocking 60% of enterprise use. So bad guys looking for vulnerabilities that could give them access to corporate secrets have plenty of targets.
The corporate fondness for IE 6 is both incomprehensible and easy to understand. Its early years corresponded to the explosive growth of custom corporate Web apps, and many enterprises succumbed to the siren song of ActiveX as a rapid development tool for those programs. When IE 7 came along in 2006, it broke many of the programs by design; they could not handle the badly needed tougher security model that Microsoft built into the new version.
Corporations were reluctant to spend the effort and funds needed to rewrite those Web apps, and matters only got worse when IT budgets came under extreme pressure in 2008. Even Microsoft telling users to move away from IE 6 is having only minimal impact because enterprises just don’t have an alternative. So they continue to inflict pain on their users–I have no idea of how I would work anymore with a browser that lacked tabs–and on themselves.
Fortunately, outside of the enterprise, IE 6 and its partner in crime, ActiveX, are disappearing. I was reminded of this when I installed the software for Research In Motion’s BlackBerry Presenter device (stay tuned for more on that): the RIM Web site rejected my use of Firefox because the installation uses an ActiveX tool. I was disappointed, but I also realized that except for some miserable McGraw-Hill corporate apps that I had to use when I worked at BusinessWeek, it’s been quite a while since I ran into mandatory ActiveX.