Internet Explorer 6

From Wikipedia, the free encyclopedia

Internet Explorer 6

Internet Explorer 6 SP2 in Windows XP SP2
Developed by Microsoft
Initial release August 27, 2001
Latest release 6.0 SV1 ('6 SP2')[1] / August 6, 2004
OS latest release:
XP SP2, WS03 SP2
up to SP1:
NT 4.0, 98,Me,2000, XP
Development status Supported
Superseded by 7.0
License MS-EULA
Website Internet Explorer 6 home page

Microsoft Internet Explorer 6 (commonly abbreviated to IE6), is a graphical web browser developed by Microsoft and included as part of the Microsoft Windows XP and Windows Server 2003 lines of operating systems. It was the most widely used web browser during its tenure (surpassing Internet Explorer 5.x), attaining a peak of about 95% usage share during 2002 and 2003 when it began steadily declining until 2007 when it rapidly lost market share to Windows Internet Explorer 7.

Microsoft Internet Explorer 6.0 was released on August 27, 2001, shortly after Windows XP was finished. This version included DHTML enhancements, content restricted inline frames, and partial support of CSS level 1, DOM level 1 and SMIL 2.0.[2] The MSXML engine was also updated to version 3.0. Other new features included a new version of the Internet Explorer Administration Kit (IEAK), Media bar, Windows Messenger integration, fault collection, automatic image resizing, P3P, and a new look-and-feel that was in line with the "Luna" visual style of Windows XP, when used in Windows XP. In 2002, the Gopher protocol was disabled and support for it was dropped in Internet Explorer 7.[3]

In a May 7, 2003 Microsoft online chat, Brian Countryman, Internet Explorer Program Manager, declared that on Microsoft Windows, Internet Explorer would cease to be distributed separately from the operating system (IE 6 would be the last standalone version);[4] it would, however, be continued as a part of the evolution of the operating system, with updates coming only bundled in operating system upgrades. Thus, Internet Explorer and Windows itself would be kept more in sync. However, after one release in this fashion (6.0 Service Pack 2 in August 2004), Microsoft changed its plan and released Internet Explorer 7 for Windows XP SP2 and Windows Server 2003 SP1 in late 2006.

IE6 remained more popular than its successor in business use for more than a year after IE7 came out. [5] A DailyTech article noted, "A Survey found 55.2% of companies still use IE 6 as of December 2007", while "IE 7 only has a 23.4 percent adoption rate". [6]

Contents

[edit] Overview & Security Issues

A screenshot of a malicious website attempting to install spyware via an ActiveX Control in IE6
A screenshot of a malicious website attempting to install spyware via an ActiveX Control in IE6

As of May 28, 2006, Secunia reports 104 vulnerabilities in Internet Explorer, 18 of which are unpatched, some of which are rated moderately critical in severity[7]. In contrast, Mozilla Firefox, the main competitor to Internet Explorer, is reported to have only 34 security vulnerabilities, of which 3 remain unpatched and rated less critical[8]. Opera, another competitor to Internet Explorer, has 15 vulnerabilities and none of them remain unpatched[9].

Although security patches continue to be released for a range of platforms, most recent feature additions and security improvements were released for Windows XP only.

As of June 23, 2006, security advisory site Secunia counted 20 unpatched security flaws for Internet Explorer 6, many more and older than for any other browser, even in each individual criticality-level, although some of these flaws only affect Internet Explorer when running on certain versions of Windows or when running in conjunction with certain other applications.[10]

On June 23, 2004, an attacker using compromised Internet Information Services 5.0 Web servers on major corporate sites used two previously undiscovered security holes in Internet Explorer to insert spam-sending software on an unknown number of end-user computers.[11] This malware became known as Download.ject and it caused users to infect their computers with a back door and key logger merely by viewing a web page. Infected sites included several financial sites.

Probably the biggest generic security failing of Internet Explorer (and other web browers too) is the fact that it runs with the same level of access as the logged in user, rather than adopting the principle of least user access. Consequently any malware executing in the Internet Explorer process via a security vulnerability (e.g. Download.ject in the example above) has the same level of access as the user, something that has particular relevance when that user is an Administrator. Tools such as DropMyRights are able to address this issue by restricting the security token of the Internet Explorer process to that of a limited user. However this added level of security is not installed or available by default, nor does it offer a simple way to elevate privileges ad-hoc when required (for example to access Microsoft Update)

Art Manion, a representative of the United States Computer Emergency Readiness Team (US-CERT) noted in a vulnerability report that the design of Internet Explorer 6 Service Pack 1 made it difficult to secure. He stated that:

There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. … IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.[12]

Manion later clarified that most of these concerns were addressed in 2004 with the release of Windows XP Service Pack 2, and other browsers have now begun to suffer the same vulnerabilities he identified in the above CERT report.[13]

Many security analysts attribute Internet Explorer's frequency of exploitation in part to its ubiquity, since its market dominance makes it the most obvious target. However, some critics argue that this is not the full story; the Apache HTTP Server, for example, had a much larger market share than Microsoft IIS, yet Apache has traditionally had fewer (and generally less serious) security vulnerabilities than IIS.[14] In an October 2002 interview, Microsoft's Craig Mundie admitted that Microsoft's products were "less secure than they could have been" because it was "designing with features in mind rather than security."[15] IIS 6 has changed this, however; Secunia has only two vulnerabilities listed for the first three years since its release,[16] compared with 15 for Apache 2.0 in the same time period.[17]

As a result of its many problems, some security experts, including Bruce Schneier, recommend that users stop using Internet Explorer for normal browsing, and switch to a different browser instead.[18] Several notable technology columnists have suggested the same, including the Wall Street Journal's Walt Mossberg,[19] and eWeek's Steven Vaughan-Nichols.[20] On July 6, 2004, US-CERT released an exploit report in which the last of seven workarounds was to use a different browser, especially when visiting untrusted sites.[21]

[edit] Patches Criticism

A common criticism of Internet Explorer is of the speed at which fixes are released after discovery of the security problems, and in some circumstances, the problems not always being completely fixed. For example, after Microsoft released patches to close holes in its Windows NT line of operating systems on February 2, 2004, 200 days after their initial report, Marc Maifrett, Chief Hacking Officer of eEye Digital Security, is quoted in a cNet article as saying:

If it really took them that long technically to make (and test) the fix, then they have other problems. That's not a way to run a software company.[22]

The same article quoted @stake's Chris Wysopal, vice president of research and development as saying:

Whatever time frame it takes to fix something, you could always argue that it could have been made somewhat shorter. It is definitely in the multimonth category because of how many versions of the operating system and the big applications that they had to test.

The Register criticized Maifrett for publicizing a security hole leading to the creation of the Code Red worm, arguing that:

had they not made such a grand public fuss over their .ida hole discovery and their SecureIIS product's ability to defeat it, it's a safe bet that Code Red would not have infected thousands of systems. … When we speak in favor of full disclosure, we're talking about something more narrowly targeted than eEye's usual media blitz whenever they discover a hole that their products can fix.[23]

Microsoft attributes the perceived delays to rigorous testing. The testing matrix for Internet Explorer demonstrates the complexity and thoroughness of corporate testing procedures. A posting to the Internet Explorer team blog on August 17, 2004 explained that there are, at minimum, 234 distinct releases of Internet Explorer that Microsoft supports (covering more than two dozen languages, and several different revisions of the operating system and browser level for each language), and that every combination is tested before a patch is released.[24]

In May 2006, PC World rated Internet Explorer 6 the eighth worst tech product of all time. [25]

[edit] Security framework

A screenshot of the non-SP2 Internet Explorer 6.0 interface, with all grey square buttons
A screenshot of the non-SP2 Internet Explorer 6.0 interface, with all grey square buttons


Internet Explorer uses a zone-based security framework, which means that sites are grouped based upon certain conditions. IE allows the restriction of broad areas of functionality, and also allows specific functions to be restricted. The administration of Internet Explorer is accomplished through the Internet Properties control panel. This utility also administers the Internet Explorer framework as it is implemented by other applications.

Patches and updates to the browser are released periodically and made available through Windows Update web site. Microsoft's recent Windows XP Service Pack 2 adds several important security features to Internet Explorer, including a popup blocker and additional security for ActiveX controls. ActiveX support remains in Internet Explorer although access to the "Local Machine Zone" is denied by default since Service Pack 2. However, once an ActiveX control runs and is authorized by the user, it can gain all the privileges of the user, instead of being granted limited privileges as Java or JavaScript do. This was later solved in the Windows Vista version of IE 7, which supported running the browser in a low-permission mode, making malware unable to run unless expressly granted permission by the user.

[edit] Windows adoption capability

Internet Explorer 6.0 supports Windows NT 4.0, Windows 98, Windows 2000, Windows Me, Windows XP and Windows Server 2003 but not Windows 95. The Service Pack 1 update supports all of these versions, but Security Version 1[1] is only available as part Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 (and 2). However, Windows Vista is not supported, and once XP SP2 is upgraded to IE7, uninstalling without a system restore is not supported.

See Removal of Internet Explorer for information relating uninstalling IE.

[edit] Release history

Major version Minor version Release date Significant changes Shipped with
Version 6 6.0 Beta 1 March 2001 More CSS changes and bug fixes to be more W3C-compliant.
6.0 August 27, 2001 Final release. Windows XP
6.0 SP1 September 9, 2002 Vulnerability patch. Last version supported on Windows NT 4.0, 98, 2000 or Me. Windows XP SP1 and Windows Server 2003
6.0 SP2 August 25, 2004 Vulnerability patch. Popup/ActiveX blocker. Add-on manager. Windows XP SP2 and Windows Server 2003 SP1

[edit] Extended

Shdocvw.dll version numbers plus related notes.[26]

  • major version.minor version.build number.sub-build number
  • 6.00.2462.0000 Internet Explorer 6 Public Preview (Beta)
  • 6.00.2479.0006 Internet Explorer 6 Public Preview (Beta) Refresh
  • 6.00.2600.0000 Internet Explorer 6 (Windows XP)
  • 6.00.2800.1106 Internet Explorer 6 Service Pack 1 (Windows XP SP1)
  • 6.00.2900.2180 Internet Explorer 6 for Windows XP SP2
  • 6.00.2900.5512 Internet Explorer 6 for Windows XP SP3
  • 6.00.2800.1278 Internet Explorer 6 Update v.01 Developer Preview (SP1b Beta)
  • 6.00.2800.1314 Internet Explorer 6 Update v.04 Developer Preview (SP1b Beta)
  • 6.00.3663.0000 Internet Explorer 6 for Microsoft Windows Server 2003 RC1
  • 6.00.3718.0000 Internet Explorer 6 for Windows Server 2003 RC2
  • 6.00.3790.0000 Internet Explorer 6 for Windows Server 2003 (released)
  • 6.00.3790.1830 Internet Explorer 6 for Windows Server 2003 SP1 and Windows XP x64
  • 6.00.3790.3959 Internet Explorer 6 for Windows Server 2003 SP2

[edit] References and notes

  1. ^ a b SV1 stands for "Security Version 1", referring to the set of security enhancements made for that release[1]. This version of Internet Explorer is more popularly known as IE6 SP2, given that it is included with Windows XP Service Pack 2, but this can lead to confusion when discussing Windows Server 2003, which includes the same functionality in the SP1 update to that operating system.
  2. ^ SMIL Standards and Microsoft Internet Explorer 6, 7, and 8. Retrieved on 2007-05-27.
  3. ^ Using a web browser to access gopher space. Retrieved on 2007-05-11.
  4. ^ Microsoft to abandon standalone IE, January 23, 2006
  5. ^ http://www.dailytech.com/Firefox+Makes+Big+Gains+In+Business+in+at+IEs+Expense/article11340.htm DailyTech Firefox Makes Big Gains in Business at IEs Expense
  6. ^ http://www.dailytech.com/Firefox+Makes+Big+Gains+In+Business+in+at+IEs+Expense/article11340.htm DailyTech Firefox Makes Big Gains in Business at IEs Expense
  7. ^ Microsoft Internet Explorer 6.x, Secunia
  8. ^ Mozilla Firefox 1.x, Secunia
  9. ^ Opera 8.x, Secunia
  10. ^ Vulnerability Report – Microsoft Internet Explorer 6.x. Secunia. Retrieved on 2006-06-23.
  11. ^ Researchers warn of infectious Web sites (June 25, 2004). Retrieved on 2006-04-07.
  12. ^ Vulnerability Note VU#713878. US-CERT (June 9, 2004). Retrieved on 2006-04-07.
  13. ^ Perspective: A safe browser? No longer in the lexicon. CNet (July 7, 2005). Retrieved on 2006-04-07.
  14. ^ Wheeler, David (November 14, 2005). Why Open Source Software / Free Software (OSS/FS, FLOSS, or FOSS)? Look at the Numbers!.
  15. ^ Thomson, Iain (October 9, 2002). Microsoft outlines security strategy. vnunet.com. Retrieved on 2006-04-07.
  16. ^ Vulnerability Report – Microsoft Internet Information Services (IIS) 6. Secunia. Retrieved on 2006-04-07.
  17. ^ Vulnerability Report – Apache 2.0.x. Secunia. Retrieved on 2006-04-07.
  18. ^ Safe Personal Computing (December 12, 2004). Retrieved on 2006-04-07.
  19. ^ Mossberg, Walt (September 16, 2004). How to Protect Yourself From Vandals, Viruses If You Use Windows. Personal Technology. Wall Street Journal. Retrieved on 2006-04-07.
  20. ^ Vaughan-Nichols, Steven (June 28, 2004). Internet Explorer Is Too Dangerous to Keep Using. Linux & Open Source – Opinions. eWeek. Retrieved on 2006-04-07.
  21. ^ Vulnerability Note VU#713878. US-CERT (June 9, 2004). Retrieved on 2006-04-07.
  22. ^ Lemos, Robert (February 13, 2004). 200 days to fix a broken Windows. cNet. Retrieved on 2006-04-07.
  23. ^ Greene, Thomas (July 20, 2001). Internet survives Code Red. The Register. Retrieved on 2006-04-07.
  24. ^ The Basics of the IE Testing Matrix. Internet Explorer team blog. Microsoft (August 17, 2004). Retrieved on 2006-04-07.
  25. ^ PCWorld (2005-05-26). The 25 Worst Tech Products of All Time. Retrieved on 2006-07-18.
  26. ^ http://support.microsoft.com/kb/q164539/ MS Support doc

[edit] See also

Microsoft Portal

[edit] External links

v  d  e
Internet Explorer
Versions
Version 2 · Version 3 · Version 4 · Version 5 · Version 6 · Version 7 · Version 8
Mobile · for Mac · for UNIX
Overview
Current technologies
and related software
Previous technologies
and related software
Events
Related topics
Languages