The UK government announced that it will stick with using Internet Explorer 6 on its networks for now. It doesn't see any security benefit in upgrading to a more modern browser and plans to repel any attacks with firewalls and anti-malware solutions.
Following the Aurora attacks against Google and 33 other large companies earlier this year, which exploited a vulnerability in Internet Explorer 6, the German and French governments began recommending the replacement of the 12-year-old browser with more modern alternatives. Many security professionals and Web developers argued that this should have happened much earlier as the result of common sense and not some highly publicized security breach.
However, even after the incident, the UK government remained impassive to the use of IE6 on its networks and by the general public. As a result, some concerned citizens launched a petition asking for a similar response.
“IE6 has some security flaws that leave users vulnerable. These two governments have let their populations know that an upgrade will keep them safer online. We should follow them. When the UK government does this, most of Europe will follow. That will create some pressure on the US to do so too,” the petition signed by 6,223 people said..
In a recently issued response representatives of Her Majesty's Government (HMG) state that “There is no evidence that upgrading away from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.” This statement is a bit ambiguous, because it's not clear if it refers to IE6 or not. If it doesn't, it's irrelevant to the petition, and if it does, then it's false.
Just as a quick example, this week at the Black Hat security conference in Las Vegas, a security researcher demonstrated an attack which abuses IE6 and IE7's AutoComplete feature to mine sensitive data from computers. The bug is trivial to exploit and the attack vector and method have been known since at least 2008. Yet, there is no patch.
Other arguments for sticking with IE6 are apparently related to the time and costs required by a mass upgrade. “It is therefore more cost effective in many cases to continue to use IE6 and rely on other measures, such as firewalls and malware scanning software, to further protect public sector internet users,” the British government says.
However, security breaches can prove equally as costly and can have much more serious consequences. Last year when the Conficker worm infected the Manchester City Council computer network, it disrupted the institution's normal activity and caused loses of over $2.4 million.
Conficker also demonstrated that government firewall and anti-malware implementations are not that reliable. In addition to the Manchester City Council, the worm managed to infect the computer networks of the Greater Manchester Police, the UK Parliament and even the Royal Navy. And those were only the incidents that we reported.