galahs Posted January 18, 2010

I know that using Internet Explorer 6 on the internet is not a smart thing to do. But what I want to know is, if I exclusively use up-to-date versions of Firefox, Chrome or Opera.... should I still update Internet Explorer 6 to the latest version?

If I set all its security settings to HIGH and then never touch it again, am I safe from web attacks?

MagicAndre1981 Posted January 18, 2010

Install IE8 and all updates, whether you use the IE or not.

jaclaz Posted January 18, 2010

> Install IE8 and all updates, whether you use the IE or not.

Isn't it a bit "drastic"?

jaclaz

gamehead200 Posted January 18, 2010

If I'm not mistaken, parts of Windows Explorer in Windows XP are dependent on IE, so if you don't patch it, you're pretty much leaving your computer vulnerable to some kind of attack/infection.

jaclaz Posted January 18, 2010

> If I'm not mistaken, parts of Windows Explorer in Windows XP are dependent on IE, so if you don't patch it, you're pretty much leaving your computer vulnerable to some kind of attack/infection.

More loosely, switching your PC on and connecting it to anything exposes you to attack/infection.

IF the vulnerability(ies) affect exactly that area (of interdependence between OS and IE), which is NOT as yet clear, it may happen. But if we follow the official MS reply (at least the ones for the recent German government warning) all that is needed is to set to HIGH the security level for browsing.

And I haven't seen anywhere - and definitely not "certified" - that IE8 is invulnerable (or even safer than an updated 5.x or 6.x).

Not to say that the MS guys are right (it would be the first time I would affirm this) but maybe there is a bit of hype on this thingy right now.

jaclaz

MagicAndre1981 Posted January 18, 2010

IE7/8 are more secure. IE8 used DEP by default and IE7/8 were coded following the SDL guidelines and use the new secure VC++ functions, which replace the old insecure C functions (http://msdn.microsoft.com/de-de/library/wd...ts(VS.80).aspx).

IE6 is one of the worst coded and most insecure pieces of software ever. UPDATE AS FAST AS POSSIBLE!

jaclaz Posted January 18, 2010

I guess it all depends on how one reads data.

http://secunia.com/advisories/product/21625/
Unpatched 50% of vulnerabilities (IE8)

doesn't sound that much "safer" than:

http://secunia.com/advisories/product/11/
Unpatched 17% of vulnerabilities (IE6)

Of course "only" 4 vulnerabilities unpatched are much less than 24.

But it all depends on which actual vulnerabilities are left unpatched, and the actual probability they can be triggered by NOT using the app.

What about 5.0?
http://secunia.com/advisories/product/9/

It is unlikely that given its current usage it is targeted anymore:
http://marketshare.hitslink.com/browser-ma...re.aspx?qprid=2

jaclaz

Edited January 18, 2010 by jaclaz

cluberti Posted January 18, 2010

Well, to be fair, if we're going to point out 50% of the flaws, let's show what they are:

Secunia Advisory 38209, extremely critical, reported 1/15/2010 (3 days ago). Use after free error on a malicious page, would allow execution of code at user privilege level. Somewhat mitigated with Protected Mode/UAC on Vista and Win7, as a low integrity process would only have access to low integrity file and registry locations, which is basically nowhere except the user's temp directory - anything else would trigger a UAC prompt. Affects 6, 7, and 8.

Secunia Advisory 37362, not critical, reported 11/25/2009. This requires a PDF file and printer, and the vulnerability exists in the first 63 bytes of the PDF file sent to the printer, which is more a vulnerability of the PDF document containing the data than an IE issue - hence "not critical". Affects 6, 7, and 8.

Secunia Advisory 36334, not critical, reported 8/19/2009. Requires IE6 or 7 to be truly spoofed, as IE8 highlights the domain portion of the URL to show the spoofed address. Also requires that you trust the site in question (trusted sites or local intranet zone), and wouldn't happen in the internet zone where most pages would display (hence "not critical"). Affects 6, 7, and 8.

Secunia Advisory 24314, less critical, reported 5/12/2009 for IE8. Requires that an iFrame be hosted as a UTF-7 document in a parent UTF-8 charset page, and that the page be malicious in nature (can execute arbitrary HTML and jscript/vbscript in a user's session). Due to the increased security in IE7 and IE8 on Vista and Win7, this vulnerability only affects XP systems (where there is no integrity level separation of processes). Affects 7 and 8 on XP only.

Also, if you look closely at the rest of the vulnerabilities affecting even IE6 or IE7, you'll find they're mostly social engineering exploits.

Given that IE isn't just a browser, it's also an application platform, I'm not sure Microsoft could do much more to fix these sorts of things without removing the "application platform" functionality of the browser, and given that it's one of the main selling points for businesses I highly doubt that'll happen until most of the web moves to web-based apps (entirely) and server-side functionality with no client plugins required.

jaclaz Posted January 18, 2010

Yep, the point I was trying to make is that if galahs doesn't use IE for browsing it is unlikely that any of the unpatched vulnerabilities (no matter which IE versions) will affect him.

jaclaz

cluberti Posted January 18, 2010

Unless he uses an app that ingests the affected areas, no, probably not. However, if you've still got the app installed, there's no reason NOT to update it to the latest cumulative update either, given that there could be any number of unknown vulnerabilities with any product on the system, so if you're going to have it installed (and with IE, until Win7 you have no real choice), you probably should update it regularly. Given that the shell itself uses IE components in day-to-day usage, not updating it seems unsafe to me.

galahs Posted January 19, 2010

The main reason I ask is I want to know if I am going to be forced to waste my time constantly updating an internet browser I never use.

Multibooter Posted January 19, 2010

> there's no reason NOT to update it to the latest cumulative update either

I am not so sure.

1) It's a matter of trust. With technical products like programming languages I would trust Microsoft, but with products which could be useful for intelligence gathering I am not so sure whether I would not be just updating an older backdoor with a newer backdoor.

2) My internet browsing is nearly exclusively with Opera and Firefox under Win98, with IE 6.0.2600 installed, but never updated. I access the internet completely unprotected under Win98, only using occasional on-demand scans, mainly of new downloads. My computer hasn't had an infection for years. The existence of a rarely-used IE 6, with no updates, on my Win98 system hasn't led to an infection. Maybe a rarely-used IE6 without updates won't lead to an infection on a WinXP system either.

On my WinXP SP2 system I have not updated IE6. jaclaz's evaluation might also apply to me, if I am lucky:

> if galahs doesn't use IE for browsing it is unlikely that any of the unpatched vulnerabilities (no matter which IE versions) will affect him.

I worry mainly about the netbook of the youngest member in the family, who is using IE6 under WinXP. The netbook was completely locked up twice in the past 6 weeks, lots of trojans, and the netbook is part of the Win98/WinXP home network ...

> maybe there is a bit of hype on this thingy right now.

I agree, it's getting politicized, France has joined Germany http://www.msfn.org/board/german-governmen...pid-904054.html

Edited January 19, 2010 by Multibooter

jaclaz Posted January 19, 2010

> My computer hasn't had an infection for years.

> I worry mainly about the netbook of the youngest member in the family, who is using IE6 under WinXP. The netbook was completely locked up twice in the past 6 weeks, lots of trojans, and the netbook is part of the Win98/WinXP home network ...

Which means that the "risk" is more in the places you go than on any local exploitable vulnerability.

But if you go to "some place" with another browser, you need to have it triggering the NOT used IE 5, 6, 7 or 8, in order for the vulnerability to be exploited; everything is possible, but it is not likely, as I see it.

Personally, I like playing safe and have connected to the Internet 2K boxes with IE removed altogether, but you know I am a dinosaur....

jaclaz

Multibooter Posted January 19, 2010

> Personally, I like playing safe and have connected to the Internet 2K boxes with IE removed altogether

I have found IE to be necessary:

1) for accessing websites which don't work properly with Firefox or Opera (mainly websites involving monetary transactions). I hope owners of these websites will eventually be subjected to big $$$ negligence/consumer protection litigation because they let consumers access their sites only with a browser which has been warned against by German and French government authorities. I would consider a commercial service offered from an IE-only website to be an "unsafe product".

2) some websites don't print out properly with Opera or Firefox, only with IE. IE is good at making hard copy printouts of web pages.

3) occasionally for creating a good .mht file of a web page, in case Opera created an incorrect .mht file which didn't look like the original page

Edited January 20, 2010 by Multibooter

galahs Posted January 20, 2010

You would think Microsoft would have learnt and in Windows 7 made Internet Explorer a stand-alone application.