“You wouldn’t drink 9 year old milk, so why use a 9-year-old browser” asks Microsoft.

“When Internet Explorer 6 was launched in 2001, it offered cutting–edge security – for the time. Since then, the Internet has evolved and the security features of Internet Explorer 6 have become outdated. With the latest state–of–the–art security features, Internet Explorer 8 is designed to cope with today’s modern cyber crime” says Microsoft’s introduction.

The campaign is aimed at existing IE6 users, which still make up 17.58% of the web browsers world-wide according to Market Share by Net Applications.

Microsoft Australia’s campaign can be seen here, along with some very interesting fraud facts.

Internet Explorer 8 is safe this time, while the vulnerability could allow for remote code execution when a user visits a website with the malicious inserted in it. Full details on the issue can be seen in Microsoft Security Advisory (981374).

The update is included with Security Bulletin MS10-018 and the flaw is rated as critical, and was originally expected during the 13th April update cycle.

“The Internet Explorer team accelerated testing of this update due to the growing attacks against the publicly disclosed vulnerability” wrote Microsoft Security Response Center Group Manager Jerry Bryant.

The update is available from Microsoft Update, or will be pushed out to Windows users who have automatic updates turned on.

Internet Explorer 6 users are currently presented with a nice message urging them to upgrade to a newer browser.

“On March 13, we are dropping support for your browser. You’ll still be able to watch videos after this date, but new features may not work properly” reads the message.

This gives users two weeks notice, though it may be of little use to many IE6 users, who are stuck using the browser on corporate networks.

More Google services are dropping support for IE6 later this year, but no firm dates have yet been given.

“We plan to stop supporting older browsers for the rest of the Google Apps suite, including Gmail, later in 2010,” said a Google spokesman.

The move seems a little risky, with Internet Explorer 6 still holding 20% of the browser market according to statistics from Market Share by Net Applications.

Microsoft has also weighted in on the debate. “We support this recommendation to move off Internet Explorer 6,” said Microsoft spokesman Brandon LeBlanc.

Full repercussions of this decision will not be known until later in this year when Google offically drops IE6 support. It is hoped that this move could help speed up the rate in which corporations are moving to newer versions of Windows and Internet Explorer.

A cut-off date for Internet Explorer 6 is still not known.

A new security advisory was posted by Microsoft last Wednesday, notifying users of a potential flaw in Internet Explorer which could allow third-parties access to data.

“Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location” said the advisory from Microsoft.

At this stage, there are no reported attacks using this vulnerability, but it is bound to be only a matter of time.

A patch is expected in a few days, on Tuesday 9th February 2010.

“This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights” said a note from Microsoft.

The update includes fixes for IE5.01, IE6, IE7, and IE8 on platforms from Windows 2000 to the newely released Windows 7.

The updated is rated critical and will be pushed out to all users who have Windows Update turned on. Alternatively, system administrators can find out more information plus download links in the Security Bulletin MS10-002.

Microsoft has hit back at claims, noting that the attacks could be avoided if the security zone settings were set to high.

“Using Internet Explorer in ‘secure mode’, as well as turning off Active Scripting, makes attacks more difficult but can not fully prevent them,” BSI said in a further statement.

Microsoft has acknowledged the vulnerability, which is present in all versions of Internet Explorer, including IE8 on Windows 7.

Microsoft is expected to release a patch in the coming weeks.

“Google Chrome Frame is an early-stage open source plug-in that seamlessly brings Google Chrome’s open web technologies and speedy JavaScript engine” and currently works in Internet Explorer 6, 7, and 8.

This plug-in would allow organisations to keep Internet Explorer 6, but still allow users to see pages that use HTML5 and advanced CSS features.

More information can be found on the Google Chrome Frame website.

“The choice to upgrade software on a PC belongs to the person responsible for the PC” said Microsoft’s Internet Explorer boss Dean Hachamovitch.

“We’ll continue to strongly encourage Windows users to upgrade to the latest IE. We will also continue to respect their choice, because their browser is their choice. Dropping support for IE6 is not an option because we committed to supporting the IE included with Windows for the lifespan of the product. We keep our commitments.”

Hachamovitch’s comments come after Digg’s proposal to remove support for IE6, and a new ‘IE6 No More‘ campaign.

Hachamovitch also points out that the large majority of IE6 users don’t have the ability to upgrade, but are rather bound by the software their organisations allow them to use.

It appears IE6 is still here to stay – for now.

The zero day exploit affects Internet Explorer 6 and 7 users when they visit an infected web site if they are using either Windows XP or Windows 2003.

Windows Vista, Windows 7 and Internet Explorer 8 users are safe for now. No patch is currently available but Microsoft has posted a workaround for the exploit.

A patch is in the works, but no details on when it will be released have been announced.

Links:

• Enable workaround
• Disable workaround