Esther Schindler writes "It's easy for techies to enumerate the reasons that Internet Explorer 6 should die. Although the percentage of users who use IE6 has dropped to about 12%, many web developers are forced to make sure their websites work with the ancient browser (which presents additional problems, such as keeping their companies from upgrading to newer versions of Windows). But rather than indulge in an emotional rant, in 'Why You Can't Pry IE6 Out Of Their Cold Dead Hands,' I set about to find out why the companies that remain standardized on IE6 haven't upgraded (never mind to what). In short: user and business-owner ignorance and/or disinterest in new technology; being stuck with a critical business app that relies on IE6; finding a budget to update internal IE6 apps that will work the same as they used to; and keeping users away from newer Web 2.0 sites."

Simmeh writes "Microsoft have posted screenshots and details on their upcoming 'web browser choice screen.' Requirements include being in Europe, and having Internet Explorer set as your default browser. It comes with a few surprises, as the software automatically unpins Internet Explorer from your taskbar, and offers 11 alternative browsers."

k33l0r writes "Following Google's announcement ending support for Internet Explorer 6, I find myself wondering whether we (Web developers) really need to continue providing support for IE6 and IE7. Especially when creating Web sites intended for technical audiences, wouldn't it be best to end support for obsoleted browsers? Would this not provide additional incentives to upgrade? Recently I and my colleagues had to decide whether it was worth our time to try to support anything before IE8, and in the end we decided to redirect any IE6/7 user-agent to a separate page explaining that the site is not accessible with IE 6 or 7. This was easy once we saw from our analytics that fewer than 5% of visitors to the site were using IE at all. Have you had to make a choice like this? If so, what was your decision and what was the reasoning behind it?"

snydeq writes "Microsoft warned that a flaw in IE gives attackers access to files stored on a PC under certain conditions. 'Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,' Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, according to the company."

An anonymous reader points out that the latest Net Applications numbers show that MSIE 8 has become the world's most-used browser, taking over from IE6, which has been hit by the decline in the use of Windows XP. PCMag.com emphasizes another angle on the numbers, which is that Chrome is the fastest-growing browser. Firefox's market share has stalled just below 25%. Chrome is now in third place, ahead of Safari. The Guardian's article reminds: "There's no guarantee that NetApps' numbers are accurate, and they are very unlikely to be correct to two decimal places. However, they do appear to be a good indicator of market trends."

aliebrah writes "Lord Avebury tabled a parliamentary question in the UK regarding the security of Internet Explorer and whether the UK government would reconsider its use. He got an answer from the UK Home Office that's unlikely to please most Slashdot readers. The UK government contends that 'there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.'"

itwbennett writes "Google announced Friday that it will be phasing out support for Internet Explorer 6, more than two weeks after the attacks on Google's servers that targeted a vulnerability in IE6. In a blog post, Rajen Sheth, Google Apps senior product manager, said that support for IE6 in Google Docs and Google Sites will end March 1. At that point, IE6 users who try to access Docs or Sites may find that 'key functionality' won't work properly. Sheth suggested that customers upgrade their browsers to pretty much anything else."

CWmike writes "Google has announced that it added several new security features to Chrome 4, including two security measures first popularized (some later shot down as having 'zero impact') by rival Microsoft's IE8 last year. The newest 'stable' build of Chrome includes five security additions that target Web developers who want to build more secure sites, said Adam Barth, a software engineer on the Chrome team. The two aped from IE include 'X-Frame-Options'" a security feature that helps sites defend against 'clickjacking' attacks, and cross-site scripting protection.'"In Google Chrome 4, we've added an experimental feature to help mitigate one form of XSS [cross-site scripting], reflective XSS,' Barth said. 'The XSS filter checks whether a script that's about to run on a Web page is also present in the request that fetched that Web page. If the script is present in the request, that's a strong indication that the Web server might have been tricked into reflecting the script.'"

krebsonsecurity writes "The Web browser wars often focus on which browser is more secure, but the dirty secret is that insecure plugins are a serious threat to all browsers, from the perspectives of both stability and security. Krebsonsecurity.com features an informative look at the administration page for a popular browser exploit kit called Eleonora, which suggests that plugins like Adobe Reader and Java are leading to successful compromises for users surfing not just with Internet Explorer, but also with Google Chrome, Firefox, Safari, and Opera."

itwbennett writes "The first widespread attack to leverage the Internet Explorer flaw that Microsoft patched in an emergency update Thursday morning has surfaced. By midday Thursday Symantec had spotted hundreds of Web sites that hosted the attack code. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec. Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a US-based, free e-mail service that Symantec declined to name." Relatedly, reader N!NJA was among several to point out that Microsoft has apparently been aware of this flaw since September.

An anonymous reader writes "As expected, Microsoft has issued an out-of-band security patch to address a remote code execution hole in Internet Explorer that was used in the recent Chinese attacks disclosed by Google. Ars Technica has all the download links you need."

CWmike writes "Microsoft will release its emergency patch for Internet Explorer on Thursday, the company said, as it also admitted that attacks can be hidden inside rigged Office documents. 'We are planning to release the update as close to 10:00 a.m. PST as possible,' said Jerry Bryant, a program manager with the IE group. Microsoft has updated the security advisory it originally published last week when it acknowledged a zero-day IE vulnerability had been used by hackers to break into the corporate networks of Google and other major Western companies. Google has alleged that the attacks were launched by Chinese attackers. Subsequently, security experts have offered evidence that links the attacks to China."

Grotendo writes "Microsoft plans to release an emergency patch for Internet Explorer very soon to counter targeted attacks and the publication of exploit code for a 'browse and you're owned' vulnerability in its flagship Web browser. The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend." Microsoft has downplayed the seriousness of the IE zero-day, and insisted that it affects only IE6 even as security researchers close in on exploits for IE7 and IE8. Microsoft has had no comment about the firestorm that Google unleashed by directly accusing the Chinese of cyber espionage. ShadowServer has up a sobering post on the massive extent of the problem of "groups that can be referred to as the Advanced Persistent Threat."

Barence writes "Microsoft has issued a statement urging people to upgrade their browser to IE8, after the zero-day exploit that was used to attack companies such as Google went public. According to Microsoft's security advisory: 'the vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.' But, although IE6 has been the source of the attacks until now, Microsoft's advisory admits that both IE7 and IE8 are vulnerable to the same flaw, even on Windows 7."

An anonymous reader writes "After McAfee's disclosure of an IE 0-day vulnerability this week that had been used in Operation Aurora, the hack and stealing of data from Google, Adobe and about 3 dozen other major companies, the German government has advised the public to switch to alternative browsers (untranslated statement). Given that the exploit has now been made public and the patch from Microsoft is still nowhere to be seen, how long will it be before other governments follow suit?"

itwbennett writes "The IE attack code used in last month's attack on Google and 33 other companies was submitted for analysis Thursday on the Wepawet malware analysis Web site. One day after being made publicly available, it had been included in at least one hacking tool and could be seen in online attacks, according to Dave Marcus, director of security research and communications at McAfee. Marcus noted that the attack is very reliable on IE 6 running on Windows XP, and could possibly be modified to work on newer versions of IE."

bheer writes "A zero-day attack on IE was used to carry out the cyber attack on Google and others that's been getting so much ink recently, reports The Register, quoting McAfee's CTO. While the web (and security) community has pointed out the problems with IE's many security flaws (and its sluggish update cycle) in the past, IE shows no sign of vanishing from the corporate landscape."

gQuigs notes a graph up at StatCounter Global Statistics, which shows that in the last few days Firefox 3.5 became the most used browser version worldwide, edging ahead of IE7. IE8 is rising fast (along with Windows 7), but over the last few months the slope of Firefox's worldwide curve has been steeper. (In the US, IE8 has always been ahead of Firefox 3.5; in Europe Firefox has led since late summer.) The submitter suggests using the time when Firefox rules the roost, globally speaking, to put the final nail in the coffin of IE6, which still has a 14% global share (5%-7% in the US and EU; China and Korea are holding up IE6's numbers).

CWmike writes "After an 11-month legal face-off, Microsoft and European antitrust officials signed off yesterday on the ballot screen concept that will give Windows users a chance to download rivals' browsers. But now that the battle's over and the ink has dried, it's time to look closely. Some FAQ examples: What's Microsoft promised? How will it work? How many browsers will be on the ballot? Who decides which browsers? Who will see it?"

After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.