Saturday, 5 January 2013
Security problems
The security advisory website Secunia reported an outstanding 24 unpatched vulnerabilities in Internet Explorer 6 as of February 9, 2010. These vulnerabilities, which include several "moderately critical" ratings, amount to 17% of the total 144 security risks listed on the website as of February 11, 2010.[12]
Although security patches continue to be released for a range of platforms, most recent feature additions and security improvements were released for Windows XP only.
As of June 23, 2006, Secunia counted 20 unpatched security flaws for Internet Explorer 6, many more and older than for any other browser, even in each individual criticality level, although some of these flaws only affect Internet Explorer when running on certain versions of Windows or when running in conjunction with certain other applications.[12]
On June 23, 2004, an attacker used two previously undiscovered security holes in Internet Explorer to insert spam-sending software on an unknown number of end-user computers.[13] This malware became known as Download.ject, and it caused users to infect their computers with a back door and key logger merely by viewing a web page. Infected sites included several financial sites.
Probably the biggest generic security failing of Internet Explorer (and other web browsers too) is the fact that it runs with the same level of access as the logged-in user, rather than adopting the principle of least user access. Consequently, any malware executing in the Internet Explorer process via a security vulnerability (e.g. Download.ject in the example above) has the same level of access as the user, something that has particular relevance when that user is an Administrator. Tools such as DropMyRights are able to address this issue by restricting the security token of the Internet Explorer process to that of a limited user. However, this added level of security is not installed or available by default, and does not offer a simple way to elevate privileges ad hoc when required (for example, to access Microsoft Update).
Art Manion, a representative of the United States Computer Emergency Readiness Team (US-CERT), noted in a vulnerability report that the design of Internet Explorer 6 Service Pack 1 made it difficult to secure. He stated that:
There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, local file system (Local Machine Zone) trust, the Dynamic HTML (DHTML) document object model (in particular, proprietary DHTML features), the HTML Help system, MIME type determination, the graphical user interface (GUI), and ActiveX. … IE is integrated into Windows to such an extent that vulnerabilities in IE frequently provide an attacker significant access to the operating system.[14]
Manion later clarified that most of these concerns were addressed in 2004 with the release of Windows XP Service Pack 2, and other browsers have now begun to suffer the same vulnerabilities he identified in the above CERT report.[15]
Many security analysts attribute Internet Explorer's frequency of exploitation in part to its ubiquity, since its market dominance makes it the most obvious target. However, some critics argue that this is not the full story, noting that Apache HTTP Server, for example, had a much larger market share than Microsoft IIS, yet Apache had traditionally had fewer (and generally less serious) security vulnerabilities than IIS, at the time.[16]
As a result of its many problems, some security experts, including Bruce Schneier, recommend that users stop using Internet Explorer for normal browsing, and switch to a different browser instead.[17] Several notable technology columnists have suggested the same, including The Wall Street Journal's Walt Mossberg,[18] and eWeek's Steven Vaughan-Nichols.[19] On July 6, 2004, US-CERT released an exploit report in which the last of seven workarounds was to use a different browser, especially when visiting untrusted sites.[20]