Arguably one of the most interesting elements of the cyber-attack that affected Google and more than 30 other companies was the primary attack vector: Internet Explorer 6.
The attack exploited an HTML object memory corruption vulnerability in IE that Microsoft was notified about in September. The exploit used in the attacks only affected IE 6, which, nine years after it was first released, remains in use by 20 percent of Web surfers, according to statistics from Net Applications for January.
That means many users are not taking advantage of the host of security features Microsoft added to IE 8, or that Mozilla, Google and others added to current versions of their browsers, for that matter. While Microsoft is touting the fact that IE 8, the most current version of the browser, leads with a market share of 22.37 percent (25 percent when counting those running it in Compatibility Mode), the Net Applications figures show the combined market share of IE 6 and 7 is greater.
Upgrading to more current versions of the browser would have mitigated the cyber-attack on Google, Forrester Research analyst Chenxi Wang said.
“I think even more than the use of IE 6, [the cyber-attack on Google] highlights Google’s poor desktop management,” she said. “This attack could have been prevented if Google employees all use the latest version of the browser, IE 8, or Firefox, or [Google] Chrome. Or if it’s necessary for testing purposes to use IE 6, the test desktop is well-insulated from the production environment and from access to critical data assets.”
For its part, Google announced last week it would phase out support for IE 6, starting with Google Docs and Google Sites on March 1. Meanwhile, an online petition is circulating that calls for the British government to scrap IE 6, something officials in France and Germany advised their citizenry to do last month before Microsoft issued a patch for the security vulnerability at the center of the Google attack.
“For the browser, Microsoft has consistently recommended that consumers upgrade to the latest version of our browser. … While we recommend Internet Explorer 8 to all customers, we understand we have a number of corporate customers for whom broad deployment of new technologies across their desktops requires more planning,” a Microsoft spokesperson said.
IDC analyst Al Hilwa said Microsoft needs to make the upgrade process easy and transparent, but must also keep an eye toward the older versions.
“What they should also do is keep fixing any security holes in the older releases because no matter how idealistic they are, there are going to be people who are going to run the older stuff,” he said.