Posts

Microsoft asks users to abandon IE6, kinda

Much has been written about the recent hack targeting Google, but somewhat lost in the shuffle is that the attack specifically targets Internet Explorer 6 on Windows 2000 and Windows XP. Based on their analysis of the attack, Microsoft’s Security Research and Defense blog urges users to upgrade to a newer platform or enable DEP (only available on Windows XP Service Pack 2 or later).

In their blog post, Assessing risk of IE 0day vulnerability, Microsoft outlines the potential impact on the main OS and browser combinations.

| | Windows 2000 | Windows XP | Windows Vista | Windows 7 |
|---|---|---|---|---|
| Internet Explorer 6 | Exploitable | Exploitable (current exploit effective for code execution) | N/A (Vista ships with IE7) | N/A (Windows 7 ships with IE 8) |
| Internet Explorer 7 | N/A (IE 7 will not install on Windows 2000) | Potentially exploitable (current exploit does not currently work due to memory layout differences in IE 7) | IE Protected Mode prevents current exploit from working. | N/A (Windows 7 ships with IE 8) |
| Internet Explorer 8 | N/A (IE 8 will not install on Windows 2000) | DEP enabled by default on XP SP3 prevents exploit from working. | IE Protected Mode + DEP enabled by default prevent exploit from working. | IE Protected Mode + DEP enabled by default prevent exploit from working. |

In spite of this, Microsoft still has no plans to drop support for IE6, leaving it up to the individual to upgrade if they desire. Because of this, there are still many major corporations that have not yet upgraded from this now ancient browser – IE 7 was released over 3 years ago.

Even though this event is unlikely to change their behavior, companies that cannot upgrade the operating system should at least consider deploying Firefox and the awesome extension IE Tab for those times when they just have to use Internet Explorer.

Also – Google doesn’t get a free pass here. How is it that the maker of the most secure browser still has workstations running IE6?

Cellphone Tethering: Is it a big deal?

Is a smartphone really that smart if providers put limits on how its data connection is used? Cellphone tethering, or using your cell phone to access internet services on your computer, is in the news because of recent actions by Apple, Palm, and Google.

Apple is releasing their new OS for their phones, dubbed iPhone 3.0, that includes tethering – unless you live in the US, because AT&T tethering support isn’t available yet. Earlier this spring, Google pulled all tethering apps from the Android app store at T-Mobile’s request. Palm has sent a polite cease and desist to the “Pre Dev Wiki” website asking for tethering instructions to be removed because they might upset Sprint, Palm’s exclusive service partner in the US. Given that tethering has been available on phones for several years now, why are cell providers suddenly so concerned? Are they worried that customers would cancel their land-based internet connections in favor of cellular-based ones? Or that tethering would cut into the USB data card market?