2011-04-01
Abstract
‘...the outlook is alarming when you consider the browser’s local prevalence in China, which peaks at 34.5%.’ Gabor Szappanos, VirusBuster
Copyright © 2011 Virus Bulletin
2001 was a memorable year for me. I started working at VirusBuster and thus officially joined the AV industry. I got my first cell phone. I bought my first car (a used one, but who cared?). I moved to a new apartment, which was largely due to the fact that my son had just been born. I also bought a new home PC. 2001 was also the year that Microsoft released Internet Explorer (IE) 6.
Over a decade has passed since then. My company has moved office twice. I have switched cell phone four times. I have replaced my home PC three times. I’ve moved to a new apartment, and I’ve applied several hotfixes and replaced the engine of my car.
Unlike all these other elements in my life, IE 6 has prevailed. On releasing IE 9 – three major versions away from our title piece – Microsoft launched a website [1] tracking the astonishingly high prevalence of this elderly web browser (according to data collected by Net Applications it accounted for 12% of the market share overall in February 2011). It’s not only that the overall prevalence of the browser is high, but the outlook is alarming when you consider the browser’s local prevalence in China, which peaks at 34.5%.
What could be behind this phenomenon? One would expect that in the 21st century – which is all about increasingly rapid change, especially in IT – users would upgrade their operating system (or at least the major applications) every few years. However, nothing could be further from the truth.
At the root of the problem is a combination of Windows XP and Windows Update. XP came with IE 6 preinstalled, and was a very successful operating system – more successful than its successor, and this is one major part of the problem. Although a fair number of IE updates were released, the XP service packs did not include the installers for them. One could install them with automatic update or by visiting the Windows Update website, but both of these required a genuine, non-pirated OS version, as with Windows XP came the debut of Windows Genuine Advantage. And herein lies the other part of the problem. The most popular operating system in China is Windows XP, with 81.8% of the market share. According to several sources, the software piracy rate in China is around 80%, so it is little surprise that over a third of web browsers (or operating systems) have not been upgraded. Manual download and installation of the updates is possible, but beyond the capabilities of most computer users. The situation is not helped by the fact that many websites in China are optimized for and tested only on IE 6, thus forcing users to stick with the old version.
Taking all these facts into consideration, I am afraid that IE 6 will not disappear any time soon. The target population must be served by enabling Internet Explorer upgrades (and critical OS vulnerability fixes) regardless of licence, or even by a final wrap-up installer of XP.
But is it really a problem we should care about? Why bother if one third of Chinese web browsers are as old as an entry-level single malt whisky?
According to Wikipedia [2], IE 6 has 473 publicly known unpatched vulnerabilities (i.e. these will never be fixed). All other versions and browsers have just 94 combined. In other words, IE 6 has five times more open vulnerabilities than all the other browsers put together. One other thing has also changed since 2001. Back then, the primary distribution medium for malware was email. Nowadays, the primary intrusion media are drive-by exploits introduced during web browsing – and this is what makes using this dinosaur of a browser so dangerous. Failing to upgrade the browser leaves the most vulnerable entrance to the computing system the least protected.
Before you ask, my son is fine. He’s the only thing in my inventory list from 2001 that keeps improving.