Car rental firm cruises past IE6 security issues

IE6 is plagued with security flaws, yet upgrading can stymie some applications. Avis is piloting a product it believes resolves IE6 security issues.

Most security pros know it makes sense to keep software up to date and patched, but it’s not always that simple.

Take Internet Explorer, for example. Microsoft’s Web browser has improved immensely over the years, adopting industry standards and providing higher levels of security. The software giant touts its most recent versions, IE8 and IE9 (for Windows 7 users), as the most secure browsers ever, yet IE6 is still used widely around the world.

When Microsoft switched to a more secure platform strategy, applications were orphaned because they could only run on the old, insecure, forgiving platform.

Matt Crowley

Vulnerability management company Qualys reports 30% of the endpoints it scans on a regular basis still run the old, insecure version of the browser. So why would any well-run organisation choose to run IE6, which is known to harbour security flaws, and which will cease to be supported by Microsoft in April 2014?

The main reason, according to Matt Crowley, CTO of the Redmond, Wash.-based software company Browsium, is many corporate applications have been written to work with IE6 and will not migrate easily to newer versions of the browser. He estimates there are between 50 and 100 million PCs still running IE6 worldwide.

“The things that made IE6 proprietary and insecure were the things that allowed people to build really great apps on it,” he explained. “It was a tremendous app platform because it would let you do anything.”

IE6 security issues
However, that also became the cause of the IE6 security issues. “When Microsoft switched to a standards strategy and a more secure platform strategy, those applications were orphaned because they could only run on the old, insecure, forgiving platform,” Crowley said.

This means companies wishing to make the change to Windows 7 are unable to do so without doing major rewrites of their existing application code.

Crowley, who spent several years at Microsoft working on Internet Explorer, says Browsium can provide a solution to the problem. Browsium started shipping its first product, UniBrows, in March this year.

The product works by allowing the IE6 rendering engine to work within a more modern version of Internet Explorer, based on sandboxing technology. Thus, it allows the user to access the old corporate application without any formatting problems or difficulties. More importantly, it prevents the IE6 browser from making any permanent changes to the host system.

“We contain the IE6 sessions. When we spin up the IE6 engine, we let the application think it is running IE6,” Crowley said. “It doesn’t matter if there is a PDF app being loaded in IE that exploits some buffer overrun; it makes no difference. Any changes it tries to make to the system, we scrub them.”

Clive Longbottom, senior analyst with Windsor-based research company Quocirca, said the problem of IE6-based applications is widespread, especially in the public sector. “A lot of code will not be rewritten, and in the current financial climate, the applications will not be replaced either,” he said.

Other than rewriting the applications, Longbottom said, companies have limited options. Code migration tools such as ChangeBase AOK (now owned by Quest Software) and Appsense can help identify problems in IE6-based code, but offer little help in fixing them, he said.

Windows 7 (and Vista before it) allows programs to run in XP-compatibility mode, but this normally requires a larger PC to accommodate the virtual machine, and requires users to make decisions about the browser they use, Longbottom said. “The good thing about the Browsium product is it’s a simple solution, and it’s completely seamless to the user,” he said.

Browsium implementation at Avis
An early UK customer for the UniBrows product is the Avis car rental company. David Beshaw, head of IT operations for Avis in Europe, is using it to cope with a range of corporate applications.

Beshaw said that, while Avis has upgraded many of its 5,000 users to IE7 and then IE8, he found there were certain applications that began behaving oddly. “Our intranet only worked with IE6, and gave us formatting issues with later IE versions, and certain Java-dependant calendar pop-ups didn’t work,” he said.

Rewriting the corporate applications was not an option, because it would be difficult to justify the expense. Beshaw considered moving off Internet Explorer altogether  to Firefox or Chrome, but felt that wouldn’t solve the problems and he would then be unable to take advantage of the regular patches provided by Microsoft.

Then he tried UniBrows. “We decided to do an initial trial and found it worked straight out of the box for about 80% of our applications,” he said. “Some apps have taken a bit of coding on our behalf, and for some tricky applications, we have called in Browsium support to help.”

Another spin-off benefit, he said, is that Browsium allows application developers to test their code on multiple browsers at the same time. It means they can hold a different browser in each tab of their main browser, rather than having to run separate machines for testing.

The main benefit, Beshaw said, is Browsium has allowed the systems development team to get on with their work. Coping with IE6 is left to the infrastructure team, who can apply UniBrows where needed. “It means we can fix any problems on the fly,” he said.

Read more on Application security and coding requirements