IE6, Time to say goodbye?

Discussion in 'Windows Small Business Server' started by Joe#2, Jan 23, 2010.

  1. Joe#2

    Joe#2 Guest

    An article in the Wall Street Journal on 1-22-2010 titled "Microsoft
    Scrambles To Patch Browser" states that the governments of France and Germany
    publicly announced that internet users should not use IE, and that users should
    switch to competing software until Microsoft issues a security patch. (The
    patch was released this week.)

    To read the article go to :
    http://online.wsj.com/article/SB20001424052748703405704575015421102972994.html

    The following is a quote from the article and includes a comment from
    Microsoft:

    "The current security hole in Internet Explorer also highlights how
    difficult it is, in practice, to persuade Web users to change their habits.
    While all versions of Internet Explorer contain the vulnerability, Microsoft
    said it can only be exploited effectively in Internet Explorer 6, a version
    of the browser that came out more than eight years ago.

    Still, Internet Explorer 6 remains the most popular browser version,
    accounting for just under 21% of traffic to Web sites, slightly ahead of
    Microsoft's more-secure Internet Explorer 8, according to researchers at Net
    Applications."

    I posted a question [ IE6 vs IE7 vs IE8 on SBS ] to this forum last May
    about using IE6 and a lot of good comments resulted.


    I'm beginning to wonder if it is time to go to IE8 on the server. Personally
    I've been hassled several times by IE8, and have gotten to the point that when
    I do install it on a desktop I don't elect a lot of the features it offers.
    Some say it is a problem with W2003, but isn't it standard in W2008? Is the
    server download different than the desktop download?

    Looking forward to your input.

    Joe
     
    Joe#2, Jan 23, 2010
    #1

  2. Joe#2

    Joe#2 Guest

    Sorry, if you want to read the whole article, Google "Microsoft Scrambles To
    Patch Browser" and use their link to the Wall Street Journal article.
     
    Joe#2, Jan 23, 2010
    #2

  3. As I'm sure many posted before if you brought it up in May, don't browse
    from the server. Ever. Not even once.

    Even though the flaw seems to only be *exploitable* in IE6, it still
    requires visiting a malicious website. And how do you get to a website with
    the malicious code? By visiting sites you found via Google, or a forum, or
    something similar. So if you aren't browsing on the server then you aren't
    at risk, even with IE6. Problem averted.

    -Cliff
     
    Cliff Galiher - MVP, Jan 23, 2010
    #3
  4. I'm kind of with Cliff on this
    From the server the only sites I visit is Microsoft Download
    Sun Micro for Java
    and Where the AV is Downloaded
    (And any vendor sites like Drivers)

    I don't do any "surfing" from the clients server.
    (That's why I have my laptop with security set to max)
    And I tell my clients to NEVER surf from the server.
    (Remember a server is a server not a work station.)

    Although the question is interesting...

    To me this is like asking if the toilet paper should roll from the bottom or
    top. An individual thing!

    However we all know that TP must roll from the Top.. :) Duh!
    Russ

    --
    Russell Grover - SBITS.Biz [SBS-MVP]
    Microsoft Gold Certified Partner
    Microsoft Certified Small Business Specialist
    24hr SBS Remote Support - http://www.SBITS.Biz
    Microsoft Online Services - http://www.microsoft-online-services.com


     
    Russ SBITS.Biz [SBS-MVP], Jan 23, 2010
    #4
  5. I don't know about that. Some others in the household will put the roll in
    backwards, but to them it's correct. :)

    But I agree, I don't use my customer servers to browse. I will use my own
    laptop while remoted into the server, such as when researching an issue,
    then finding something relevant (such as a download fix, or code to copy,
    etc), I'll copy/paste the URL to the RDP session to grab it.

    I also do update all my servers to IE8. I may be wrong, and I haven't
    researched this, but I believe there are other functionality and security
    features that are introduced into the OS with installing the newer browsers.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check http://support.microsoft.com
    for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Jan 23, 2010
    #5
  6. Okay, I feel strongly enough about this that I need to actually fully
    explain my position here. This will probably be a long post, but...I
    hope...well worth the time to read.

    To understand "the google hack" and its risks, let me start by establishing
    a timeline, but I'll do so by working backwards. First, we know that the
    bug was made public in mid-January. But as news has trickled out about
    this, we now have learned that Google saw their servers being probed for
    information about "Chinese dissidents" in early December. Now keep that in
    mind! For google to get probed, it means that an admin password had already
    been disclosed by the bug, and that the infection rate was already high
    enough for this to have occurred. That means that the bug has *probably*
    been exploited since *at least* November if not earlier. After all, it
    takes some time for these exploits to get out, spread across enough sites
    that random visits will load it, and for it to reach a "critical mass."
    Based on the number of infections reported, I'd guess it has been in the
    wild for a few months.

    Now for my speculation. Do I believe two people can independently find the
    same bug? Yes, I do. We've seen it before. But this wasn't a *new* bug.
    It wasn't introduced with a patch. It has been around for 8 years. So what
    are the chances that two people find the same 8-year old bug so close
    together that MS was *already* planning a February patch when the bug was
    exploited by the second party? I don't believe in coincidences. I do
    believe that humans are flawed creatures and a moment of weakness and greed
    from one lowly intern can result in a privately disclosed flaw being sold to
    an unscrupulous party willing to pay for and use it. If I'm right then this
    bug was in the hands of hackers in August when the bug was discovered. It
    is a trivial flaw, so it could've been weaponized and the code sprayed on
    forums starting from that point.

    If I'm right then this flaw has been on random websites for 6 months. If
    I'm wrong then it has been out for approximately 3 months. That is still a
    nice sized window for machines to get infected.

    Now let's look at the flaw itself. MS has said it exists in IE6, 7, *and*
    8. Most of the reported infections are XP with IE6. But that is because
    most of the *computers* in the world still run XP. If a 2003 server running
    IE8 gets infected, statistically that is still very low and won't get
    reported in the general news-stream. Microsoft has gone through great pains
    to document what circumstances can help mitigate the attack. DEP helps.
    But particularly in SBS land, there are older servers that don't support DEP
    still in production. After a company has spent money on storage and
    networking, they will, more often than not, go with a budget processor to
    save a little money. In 2006 that meant it was still server class; fast and
    reliable, Xeon with a good amount of cache to keep speeds up, but without
    64-bit support (not needed with an SBS 2003 installation) and no
    virtualization or DEP support either. No DEP? IE8 is just as vulnerable as
    IE6. So upgrading the browser offers *no* protection in this instance.

    Secondly is the "Enhanced Security Configuration" of IE on a server. If you
    even hit "known" sites like the MS download site, or Sun for Java, chances
    are you've turned off ESC though. It gets in the way. ....and it removed a
    barrier that MS has said protects against this attack. Another reason to
    not browse from the server, even to "known" sites. It makes you lazy, makes
    you disable things that are better left enabled, and puts your server at
    risk.

    Which brings me to my final point. How do you know you can trust those
    sites? I recall when the Linksys homepage had "trending support topics" on
    their homepage. It was obviously a server-side snippet that would pull bits
    of conversation from their forums that were seeing high response volumes and
    post a few lines. Since most forums are database driven, it is an easy
    thing to implement. And if one of those responses had a snippet of
    javascript that exploited this code? Just visiting a known site could
    *still* get you infected. Banner ads are another great infection point, and
    how many 3rd-party vendors have banner ads on their sites?

    And if we are going to be completely honest, if you are on the server to
    install a driver, chances are you were browsing as an Administrator. You
    weren't going to log in as a standard user, download the driver, log out,
    log in as Administrator, install, and log back out *again* were you? So now
    we have a situation where there was "browsing" (even in a limited sense)
    with full *domain* administrator privileges, from a server with *no*
    protection (DEP nor ESC) in the name of convenience, with an exploit that
    has been in the wild for *months* without getting noticed. Tell me that
    isn't a recipe for disaster?

    I have said it before and I'll say it again. If I want to download something
    from MS or Sun, I'll do so from a laptop and save it to a file-share so I
    can access *just* the executable from the server. Windows Update is the
    obvious exception, but that is not by choice. That is purely the decision
    of MS to make the update process web-based in XP and 2003 thus making it
    unavoidable in those OS's.

    In short? I cannot think of *any* reason to use the browser on a server.
    Thus I don't need Flash or Silverlight. I only need Java if a 3rd-party app
    uses it for non-browser code (there are certainly a few.) And the browser
    window only gets opened when an app does so (windows update, Sharepoint
    Central Administration, etc.) That also means, that unlike most people, the
    servers I'm responsible for still have ESC enabled most of the time.

    ....

    I will agree with Ace though that there are other DLLs that the OS uses from
    IE (for MMC rendering, etc) that make updating the browser itself a
    worthwhile exercise. Although I usually don't jump to the newest browser
    until I know that some of the 3rd party apps that *also* use the IE engine
    have also been updated so rendering errors don't cause more headache than
    they are worth.

    So, is it time to say good-bye to IE6? It certainly won't hurt anything.
    But is that the solution to this latest threat? Not in the least. We need
    to change our habits, not our browsers.

    -Cliff


     
    Cliff Galiher - MVP, Jan 23, 2010
    #6
  7. MS officially knew about the bug since September.
     
    Susan Bradley, Jan 23, 2010
    #7
  8. Joe#2

    Joe#2 Guest

    I'm in full agreement about surfing on the server. After reading many of the
    past messages on this subject, I just don't hardly almost never succumb to
    that temptation. I have restricted it to essential only. Quite frankly I'm
    almost getting paranoid though about everything.

    Which brings me back around to IE8. Is it a more secure browser or not? Does
    it have protection built in that inherently raises the level of your server?
    Also, again, is the version on W2008 in any way different other than ESC being
    on?

     
    Joe#2, Jan 23, 2010
    #8
  9. Just because IE8 had this flaw doesn't mean it is as insecure as IE6. Think
    of IE (or any browser that has been around awhile) as that old 1800's
    mansion that almost every town on the east coast has. Chances are that over
    the years, owners have installed burglar alarms, motion detectors, and
    have...generally...upgraded security on the premises. But there is always
    the chance that an old coal shaft got boarded up in 1927 and nobody knew
    about it, forgot about it, or for whatever reason it was an oversight. If
    someone were to discover that shaft, they could get into the house
    undetected.

    That is what happened here. IE8 is more secure than IE7 and IE6.
    Independent security testers have universally shown this to be true. Note
    that I'm only comparing IE8 to previous versions of IE. I am not saying
    that IE8 is more or less secure than other *competing* browsers...as that is
    not the point of this subject. IE8 is more secure. Is there something
    "special" about IE8 on Win2k8 though? Nope. This bug could get IE8 on XP,
    Vista, and Win2k8.

    The reason this seemed to get IE6 on XP though is because those are the
    oldest and most popular machines running. It is more likely that a machine
    capable of running Vista or Win2k8 is also new enough to have a DEP-capable
    processor. And as I already covered, DEP is a mitigating factor. So in
    that regard, it isn't that IE8 is different, but the underlying "stuff" is
    different, and thus also adds some security (unless you went and disabled
    DEP and/or ESC.) But again, just in regards to THIS attack, good practices
    like not browsing from the server would have helped protect your server
    regardless of browser version, and bad practices would have exposed you. So
    yes, IE8 is a worthwhile improvement *IF* it doesn't break other things
    (which it could! so testing is essential!!!) but it isn't the silver bullet
    to give you reign to start doing things that you ought not do on a server.

    -Cliff


     
    Cliff Galiher - MVP, Jan 23, 2010
    #9
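Cliff's two posts above (#6 and #9) name the things that actually decide how exposed a server is to this kind of bug: whether the hardware supports DEP and which DEP policy is in force, whether IE Enhanced Security Configuration is still enabled, which IE version is installed, and whether the session doing the "browsing" holds administrator rights. The following read-only audit script is an added example, not code from this thread or from Microsoft. It assumes Windows PowerShell (2.0 to 5.1) on a Windows server; the registry paths and WMI properties are the documented ones, while the function names and the wording of the findings are mine.

```powershell
# Added example (not from the thread): read-only audit of the mitigations discussed
# above. Run from an elevated Windows PowerShell prompt on the server being checked.

function Get-DepStatus {
    # Win32_OperatingSystem reports whether the CPU supports NX/DEP and which boot-time
    # DEP policy is active (0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut).
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    New-Object PSObject -Property @{
        HardwareSupported = [bool]$os.DataExecutionPrevention_Available
        Policy            = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-IeEscStatus {
    # IE ESC is tracked per group under Active Setup; IsInstalled = 1 means enabled.
    $base = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $keys = @{
        Administrators = Join-Path $base '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = Join-Path $base '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    $result = @{}
    foreach ($group in $keys.Keys) {
        $key = $keys[$group]
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
            $result[$group] = ($value -eq 1)
        } else {
            # Key absent: the ESC component is not present at all (for example on a client OS).
            $result[$group] = $null
        }
    }
    New-Object PSObject -Property $result
}

function Get-IeVersion {
    # 'Version' holds the installed build; IE10 and later also write 'svcVersion' with
    # the real major version, so prefer that when it exists.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
}

function Test-RunningAsAdmin {
    # True when the current token is a member of the local Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Collect the raw readings and turn them into findings an SBS admin can act on.
$dep     = Get-DepStatus
$esc     = Get-IeEscStatus
$version = Get-IeVersion
$major   = 0
if ($version) { $major = [int]($version.Split('.')[0]) }

$findings = @()
if (-not $dep.HardwareSupported) {
    $findings += 'DEP: no hardware NX support; upgrading the browser gains no DEP protection here'
} elseif (@('AlwaysOff', 'OptIn') -contains $dep.Policy) {
    $findings += "DEP policy is $($dep.Policy); OptOut or AlwaysOn covers more processes"
}
if ($esc.Administrators -eq $false) { $findings += 'IE ESC is disabled for Administrators' }
if ($esc.Users -eq $false)          { $findings += 'IE ESC is disabled for Users' }
if ($major -lt 8)                   { $findings += "IE $version installed; IE8 or later expected" }
if (Test-RunningAsAdmin)            { $findings += 'This session holds administrator rights; do not open a browser from it' }

"DEP hardware: $($dep.HardwareSupported)  policy: $($dep.Policy)"
"IE ESC  admins: $($esc.Administrators)  users: $($esc.Users)"
"IE version: $version"
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script changes nothing; it only reads WMI and the registry so it can be run as part of a routine check. A server that reports no hardware DEP support is exactly the 2006-era box Cliff describes, where a newer IE alone does not close the gap, and an ESC reading of `False` for Administrators is the usual sign that someone has been "just hitting known sites" from the console.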
  10. Right. Perhaps I should have been more explicit. The bug has been around
    for 8 years, has been known to the Israeli company that found it since
    August, and to Microsoft since September. How long actual exploit code has
    existed to take advantage of the bug is unknown, but certainly since *at
    least* December. That leaves at least a 4-month window of an unknown
    existence....if not longer. It is possible, albeit I think unlikely, that an
    unscrupulous hacker really did discover this bug independently several years
    ago and has been slowly poisoning blogs and forums. That'd make the exploit
    "in the wild" even longer than MS knew about it. Unlikely, as I said, but
    possible I suppose. Regardless, there is easily a few months where this
    exploit *was* known, was not blocked or patched, and that AV software was
    completely unaware. That is actually a large window if a person is in the
    habit of browsing from their server.

    -Cliff


     
    Cliff Galiher - MVP, Jan 23, 2010
    #10

  11. Cliff, excellent write-up. Point taken. It makes sense to refrain from using
    a server and (in my case), download it to my laptop, and ftp it back to the
    customer site, as a best practice moving forward.

    Ace
     
    Ace Fekay [MVP-DS, MCT], Jan 24, 2010
    #11
  12. M. Murphy

    M. Murphy Guest

    I was under the impression that upgrading the browser from IE6 broke some of
    the wizards in SBS 2003 -
    On my 1st install (out of the 3 installs) I immediately upgraded to IE7
    (newest at the time) and could not continue because some of the wizards (I
    can't remember which) did not work. I assumed it was the browser upgrade,
    but apparently I was wrong. I blew that install away and re-installed, and
    kept the server at IE6 ever since.

    So can I upgrade the server to IE8 without breaking anything?
    Has it caused any wizard issues that you are aware of, Ace? Maybe my
    install back then was screwed up before I did the upgrade.
    I understand not to browse from it, but at least then I can get rid of the
    offers to upgrade from WSUS that I have been ignoring for the past 2 or so
    years.

     
    M. Murphy, Jan 25, 2010
    #12
  13. As long as you are installing *all* SBS updates, you can upgrade IE as well.
    It doesn't break anything internally on SBS. It *may* break 3rd-party apps
    however. Some older apps, in particular, may not like the newer IE
    renderers and this can cause problems. So backup, backup, backup, and test.

    -Cliff


     
    Cliff Galiher - MVP, Jan 25, 2010
    #13
  14. You may as well switch to IE8 for everything at this point unless
    you have an application that explicitly states that it is not compatible
    with IE8. That will keep you relatively safe from accusations of negligence;
    what more can one do? Get it on the server, get it on all your workstations.
    It's the only way to cover yourself.

    That said, the problem is not the browser or the operating system.
    It's the whole concept that outsiders can reprogram your computer,
    regardless of the reason. That is what has to end if Internet is to continue
    to exist in any usable form. Constant updating is a plague on software and
    Internet and it is not sustainable in the long run. The answer to bad code
    and bad updates seems to be more bad code and more bad updates. Microsoft is
    still finding buffer overrun vulnerabilities in its code after all these
    years-- will it ever end? No.

    I think eventually everything will come around to the concept of a
    dumb terminal-- something that no one can reprogram. I also think that
    updates are nothing more than a crutch for software developers who can't get
    it right the first time-- or the second time-- or even the 98th time. The
    only hope for computing is to get off the updating merry-go-round once and
    for all. You buy a piece of software and you use it out of the box-- or
    maybe you buy a whole computer and use it exactly as it was delivered,
    without ANY updates or patches or fixes, because it works right from the
    start. You want to connect to your bank, you use the remote desktop client
    that came with the computer and the bank worries about its mainframe.

    An update is nothing more than a software recall. Imagine if your
    car were recalled once a month, and if you drove it to the shop to be fixed,
    you might not be able to drive it home that night because it wouldn't even
    start. That has to end, and a new browser or a new operating system or just
    one more little update won't do the job. We need a whole new philosophy of
    computing. It will come, because it has to. Otherwise, Internet and maybe
    even computers in general will find themselves on the ash heap of history.

     
    Andrew M. Saucci, Jr., Jan 26, 2010
    #14