Out of date (by policy).
I came across an interesting blog article over the weekend, published on the Digg blog. It presents some results from a survey into the browsers used by Digg users, with specific interest in those running IE6. Digg’s angle on this will be all too familiar to web developers - tracking the browsers being used in order to decide which require support. The security angle on legacy applications is slightly different of course - legacy applications can present a security risk for users (even if fully supported, since a more recent version may require no patch to a particular vulnerability).
In Digg’s research, they found that the percentage of their users stuck on IE6 is decreasing, but still significant at 10%. I took a quick look at some recent stats for the Sophos site - IE6 users account for an even more significant percentage (approximately 25% of visits for the last month). To identify why IE6 was being used, the Digg team then questioned these users. This identified that a good proportion of the users opt for a different browser when they have the choice (surfing from home).
Enforcing a specific browser within an organization can make lots of sense (and application control lets you do just that). It can help reduce the attack surface, and simplify the task of patching. But it is an interesting side effect that if the process to advance the enforced browser* to more recent versions is too slow, then the reverse could be true! I have some sympathy with admins - switching an organization to the latest version of any application can be fraught with difficulties (breaking countless other applications). Nonetheless, it is important to periodically review such applications to ensure that security concerns continue to be satisfied.
* or other application for that matter
Posted on July 14th, 2009 by Fraser Howard, SophosLabs UKFiled under: General
Free virus scan - Download the Threat Detection Test
