Tuesday, August 02, 2011

Internet Explorer users are...

The mark of an idiot (apparently).

... according to Timmy, rather less intelligent than the general population. To put it kindly.

There is one nagging feeling at the back of my mind though. It was revealed just last week that all British government computer systems must work and only work within IE6.

The trouble is that this simply isn't true: the Department of Health urged all NHS organisations to move away from IE6 and Windows XP back in February 2010.
The Department of Health (DoH) has urged all NHS staff still using Internet Explorer 6 (IE6) to upgrade to version 7 of the browser as soon as possible.

Microsoft has since issued an out-of-band security patch for IE6 to address the issue, while the Cabinet Office has issued an advisory to Government departments on update from the browser.

And now, in a four-page bulletin (PDF) issued by the department's informatics directorate, the DoH's staff have been urged to take action to ward off potential “reputational damage”.

Staff are warned that the vulnerability could allow cyber criminals “to download and install further malware/spyware on to the computer, add user accounts to the computer [and] steal sensitive data held locally and centrally”.

The warning continues:
“It is also possible that exploiting this vulnerability could allow for the compromised computer to be used as a ‘staging point’ for further attacks against other computer systems including those outside of the organisation.

“If an organisation has systems compromised via this vulnerability, there may be consequential reputational damage, especially if sensitive data is affected or the compromised system is used to attack other systems.”

Employees and departments have been urged to act quickly, at the very least to apply Microsoft's newly issued patch, but also to look at upgrading the browser itself.
“It is recommended that this update is applied to all affected computers within an organisation. Organisations should ensure that appropriate levels of testing of the update take place prior to mass deployment,” the guidance adds.

“It is additionally further recommended that organisations still using Internet Explorer 6 on the affected platforms upgrade to Internet Explorer 7. [It] has been warranted to work correctly with Spine applications such as CSA and provides additional security features over Internet Explorer 6.”

Despite Microsoft's own recommendation that users upgrade to IE8, the NHS instead advises only the step up to IE7—recognition of the reality of just how out of date many public systems are.

Despite this, many NHS systems are still running on Windows XP and IE6—in defiance of the government's guidelines and standard safety procedures. Indeed, Ed Bott at ZDNet opines that...
Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice.

But what the hell—it's only our most sensitive data that they are putting at risk, eh?

However, I suspect that it is not as simple as Timmy makes out: in our company, all of our websites are designed to work in IE6 (or to degrade gracefully) but the administration (back-end) areas do not support IE6—only IE7 and above (and we recommend the use of Chrome Frame for a faster, more beautiful experience (without losing control)).

At least, I sincerely hope that this is the case...


FlipC said...

Except the vulnerability to IE mentioned in the missive also applied to IE7 and IE8 on XP/Vista and 7 (IE6 and IE8) so even had they updated they'd still be affected.

Of course had they been using IE7 they would have had the same patch as everyone else to work with; once it had gone through compliance and quality testing to ensure it didn't break any of the systems they were using.

So do you fancy going through the hodge-podge of various government systems checking that all of them still work with IE7; then do it all again for IE8; then again for IE9? Then again for every security update?

Pedant time - computer systems must work within the combination of XP and IE6; nothing stopping them from working with others only that they *must* work with XP and IE6.

Likewise the recommendation was to move away from IE6 not "IE6 and Windows XP".

microdave said...

"Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice."

I do my best to keep up to date with patches and the latest browser versions etc. It's a pain at times, and I certainly wouldn't want to be the person responsible for 100s or even 1000s of networked PCs. However when those PCs are being used to store/process MY PERSONAL DATA I bloody well expect them to be as secure as possible.

How many more "leaks" are going to occur before a malpractice suit is brought before the courts??

FlipC said...

Microdave - Just OOC how many of these "leaks" were due to vulnerabilities in the system software allowing hackers in and how many from disgruntled employees and those losing their laptops on the Tube?

Do these computers even have access to the internet or are they solely for intranet use?

Old BE said...



Although, surprisingly plausible.

Willy said...

Save some dosh, get Ubuntu.

Kevin Monk said...

Yea... This story was a hoax.

I'm building some web apps for the NHS at the moment and whilst in a client meeting yesterday I spotted a stack of booklets in their reception entitled 'The Internet - A Guide' or something to that effect. Inside was a guide showing users how to search the web using 'Ask Jeeves'.
