Jump to content

I don't use Internet Explorer, do I still need to update it


galahs

Recommended Posts

I know that using Internet Explorer 6 on the internet is not a smart thing to do. But what I want to know is, if I exclusively use up-to-date versions of Firefox, Chrome or Opera.... should I still update Internet Explorer 6 to the latest version?

If I set all its security settings to HIGH and then never touch it again, am I safe from web attacks?

Link to comment
Share on other sites


If I'm not mistaken, parts of Windows Explorer in Windows XP are dependent on IE, so if you don't patch it, you're pretty much leaving your computer vulnerable to some kind of attack/infection.

More loosely switching your PC on and connecting it to anything exposes you to attack/infection.

IF the vulnerability(ies) affect exactly that area (of interdependence between OS and IE), which is NOT as yet clear, it may happen.

But if we follow the official MS reply (at least the ones for the recent German government warning) all is needed is to set to HIGH the security level for browsing.

And I haven't seen anywhere - and definitely not "certified" - that IE8 is invulnerable (or even safer than an updated 5.x or 6.x).

Not to say that the MS guys are right ;) (it would be the first time I would affirm this :ph34r:) but maybe there is a bit of hype on this thingy right now.

jaclaz

Link to comment
Share on other sites

IE7/8 are more secure. IE8 used DEP by default and IE7/8 were coded following the SDL guidelines and uses the new secure VC++ functions, which replaces the old insecure C functions ( http://msdn.microsoft.com/de-de/library/wd...ts(VS.80).aspx).

Ie6 is one of the worst coded and insecure software ever. UPDATE AS FAST AS POSSIBLE!

Link to comment
Share on other sites

I guess it all depends on how one reads data. ;)

http://secunia.com/advisories/product/21625/

Unpatched 50% of vulnerabilities (IE8)

doesn't sound that much "safer" than:

http://secunia.com/advisories/product/11/

Unpatched 17% of vulnerabilities (IE6)

Of course "only" 4 vulnerabilities unpatched are much less than 24.

But it all depends which actual vulnerabilities are left unpatched, and the actual probability they can be triggered by NOT using the app.

What about 5.0?

http://secunia.com/advisories/product/9/

It is unlikely that given it's current usage it is targeted anymore:

http://marketshare.hitslink.com/browser-ma...re.aspx?qprid=2

:hello:

jaclaz

Edited by jaclaz
Link to comment
Share on other sites

Well, to be fair, if we're going to point out 50% of the flaws, let's show what they are:

  • Secunia Advisory 38209, extremely critical, reported 1/15/2010 (3 days ago). Use after free error on a malicious page, would allow execution of code at user privilege level. Somewhat mitigated with Protected Mode/UAC on Vista and Win7, as a low integrity process would only have access to low integrity file and registry locations, which is basically nowhere except the user's temp directory - anything else would trigger a UAC prompt. Affects 6, 7, and 8
  • Secunia Advisory 37362, not critical, reported 11/25/2009. This requires a PDF file and printer, and the vulnerability exists in the first 63 bytes of the PDF file sent to the printer, which is more a vulnerability of the PDF document containing the data than an IE issue - hence "not critical". Affects 6, 7, and 8
  • Secunia Advisory 36334, not critical, reported 8/19/2009. Requires IE6 or 7 to be truly spoofed, as IE8 highlights the domain portion of the URL to show the spoofed address. Also requires that you trust the site in question (trusted sites or local intranet zone), and wouldn't happen in the internet zone where most pages would display (hence "not critical"). Affects 6, 7, and 8.
  • Secunia Advisory 24314, less critical, reported 5/12/2009 for IE8. Requires that an iFrame be hosted as a UTF-7 document in a parent UTF-8 charset page, and that the page be malicious in nature (can execute arbitrary HTML and jscript/vbscript in a user's session). Due to the increased security in IE7 and IE8 on Vista and Win7, this vulnerability only affects XP systems (where there is no integrity level separation of processes). Affects 7 and 8 on XP only.

Also, if you look closely at the rest of the vulnerabilities affecting even IE6 or IE7, you'll find they're mostly social engineering exploits. Given that IE isn't just a browser, it's also an application platform, I'm not sure Microsoft could do much more to fix these sorts of things without removing the "application platform" functionality of the browser, and given that it's one of the main selling points for businesses I highly doubt that'll happen until most of the web moves to web-based apps (entirely) and server-side functionality with no client plugins required.

Link to comment
Share on other sites

Unless he uses an app that ingests the affected areas, no, probably not. However, if you've still got the app installed, there's no reason NOT to update it to the latest cumulative update either, given that there could be any number of unknown vulnerabilities with any product on the system, so if you're going to have it installed (and with IE, until Win7 you have no real choice), you probably should update it regularly. Given that the shell itself uses IE components in day-to-day usage, not updating it seems unsafe to me.

Link to comment
Share on other sites

there's no reason NOT to update it to the latest cumulative update either
I am not so sure.

1) It's a matter of trust. With technical products like programming languages I would trust Microsoft, but with products which could be useful for intelligence gathering I am not so sure whether I would not be just updating an older backdoor with a newer backdoor.

2) My internet browsing is nearly exclusively with Opera and Firefox under Win98, with IE 6.0.2600 installed, but never updated. I access the internet completely unprotected under Win98, only using occasional on-demand scans, mainly of new downloads. My computer hasn't had an infection for years. The existence of a rarely-used IE 6, with no updates, on my Win98 system hasn't led to an infection. Maybe a rarely-used IE6 without updates won't lead to an infection on a WinXP system either.

On my WinXP SP2 system I have not updated IE6. jaclaz's evaluation might also apply to me, if I am lucky:

if galahs doesn't use IE for browsing it is unlikely that any of the unpatched vulnerabilities (no matter which IE versions) will affect him.
I worry mainly about the netbook of the youngest member in the family, who is using IE6 under WinXP. The netbook was completely locked up twice in the past 6 weeks, lot's of trojans, and the netbook is part of the Win98/WinXP home network ...
maybe there is a bit of hype on this thingy right now.
I agree, it's getting politicized, France has joined Germany http://www.msfn.org/board/german-governmen...pid-904054.html Edited by Multibooter
Link to comment
Share on other sites

My computer hasn't had an infection for years.
I worry mainly about the netbook of the youngest member in the family, who is using IE6 under WinXP. The netbook was completely locked up twice in the past 6 weeks, lot's of trojans, and the netbook is part of the Win98/WinXP home network ...

Which means that the "risk" is more in the places you go than on any local exploitable vulnerability.

But if you go to "some place" with another browser, you need to have it triggering the NOT used IE 5, 6, 7 or 8, in order for the vulnerability to be exploited, everything is possible, but it is not likely, as I see it.

Personally, I like playing safe and have connected to the Internet 2K boxes with IE removed alltogether, but you know I am a dinosaur.... ;)

jaclaz

Link to comment
Share on other sites

Personally, I like playing safe and have connected to the Internet 2K boxes with IE removed altogether
I have found IE to be necessary:

1 ) for accessing websites which don't work properly with Firefox or Opera (mainly websites involving monetary transactions).

I hope owners of these websites will eventually be subjected to big $$$ negligence/consumer protection litigation because they let consumers access their sites only with a browser which has been warned against by German and French government authorities. I would consider a commercial service offered from an IE-only website to be an "unsafe product".

2) some websites don't print out properly with Opera or Firefox, only with IE. IE is good at making hard copy printouts of web pages

3) occasionally for creating a good .mht file of a web page, in case Opera created an incorrect .mht file which didn't look like the original page

Edited by Multibooter
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...