With whole countries now recommending to their citizens that they avoid all Microsoft browser versions, and now this upgrade recommendation straight from the source, is it safe to say that web developers can drop support for IE6 as well?
A lot of big companies still use IE6 and IE7, but I’m wondering if this new stance on old IE versions will finally give web devs a leg to stand on in the “how old of a browser should our new product support” argument.
Some security companies (e.g. McAfee) are arguing that the recent security breaches involving Google, Adobe, etc. that originated in China are due to a security hole present in all versions of IE and that therefore everyone should stop using IE.
Microsoft have argued that it is only IE6 that has that security hole and so that is the only version to avoid using.
At least it means that Microsoft is now once again advising people to upgrade from IE6. They did try that once before though when they set up their automatic upgrade to automatically upgrade everyone from IE6 to IE7 soon after the IE7 release. That didn’t stop there being lots of complaints because of all the intranet sites that only work on IE6 though.
It could result in more companies limiting IE6 access to their intranet and installing an alternate browser for internet use but it does mean that companies with a Microsoft software only policy would need to rethink that policy in order to resolve this security issue.
The security advisory from Microsoft stated that the vulnerability is in all 3 versions. The advisory acknowledged Google, Adobe and McAfee for providing the details of the vulnerability – this was a joint disclosure published all on the same date.
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.
The reason Microsoft can advise people to upgrade from IE6 even when IE7 and IE8 also have the vulnerability is that newer versions of Internet Explorer and of Windows allow you to do less with a bug like this. Yes, you can still abuse the pointer to get code to run, but with DEP and Protected Mode, that code has limited access to the system to do anything malicious. With IE6 on XP, if the user account that ran Internet Explorer is an administrator, the bug is much more serious.
This is very easy to answer, no we can’t drop support for IE6, as long as people still use it, we have to ensure support for those users (against our best wishes). There isn’t enough widespread support for ditching support for the product officially, therefore we have neither the public backing nor the development community to back any effort to shed the browser the mortal coil. Only if all the IE6 users dry up OR if the W3C officially backs a deprecation message in which the world’s developers cease support for the IE6 browser would it be deemed a suitable time to simply dump all support for the browser. And neither will happen any time soon, the news is just replicating what we have known for years. I would personally like to see the W3C (along with Microsoft) officially deprecate the user-agent’s support and advise developers to dump primordial browsers (sort of an age cut-off), perhaps then we could have an excuse to en masse stop it and tell everyone to upgrade.
I agree with Alex. As beautiful as it would be to drop support for IE6, now is not the time. At least not for sites I create for my customers. I would only ever dare dropping IE6 support for my own blog, if I had one.
Even my portfolio has full IE6 support. Why? Because many potential clients visit my site with IE6 and I certainly don’t want to leave them with the impression I can’t make websites, since that is my bread and butter.
That’s not very surprising, most software companies support their product a few versions back, even if they want everyone on the latest and greatest.
And truth be told, I don’t think there’s anyone out in the world that is using and enjoying IE6. Those that are still using it are either stuck on a very old operating system like Windows 2000, or are tied to IE6 by poorly coded webapps for their business or whatever.
For my personal work IE6 is on my “let it go” list (I’ll fix large problems but don’t care much if something is off by a couple of pixels). We still support IE6 at work, but we sell Windows software in an industry that’s resistant to change…not much that can be done about that barring some radical rewrite of our main products.