UK government refuses to upgrade from defunct IE6

While cultural secretary Ed Vaizey is keen to chuck dosh at redundant technology such as DAB, backed by those with a clear vested interest, the UK’s bureaucracy-ridden government is refusing to spend the time to upgrade from the now-defunct Internet Exploder 6 as it is too expensive.

In its response to the 6,000-strong petition suggesting that the UK leads the pack and upgrades ahead of the final deadline, as most creative and software agencies are being forced into making IE6 websites, it says that “the government takes internet security very seriously.”

“This has been reflected in recent changes to the Information Security and Assurance team and the Office of Cyber Security within the Cabinet Office which are in the process of merging together to lead a joined-up approach to information assurance and cyber security strategy and policy.”

The government in its response says that there is “no evidence” that upgrading away from the “latest fully patched versions of Internet Explorer to other browsers will make users more secure.” But Internet Explorer 6 is now defunct and not receiving dedicated support from Microsoft.

In fact, Microsoft is desperate to get users away from Internet Explorer 6. Redmond’s chief security officer Stuart Strathdee has said that IE6 has a lifecycle and it is well beyond its best before date.

“For us security and privacy are closely related. We’re really pleading with people to upgrade,” he told the Sydney Morning Herald.

The government’s stubbornness on what should be a simple and cost-effective upgrade to keep public agencies and, in turn, the records and data of all of the UK as secure as possible is basically like opening the floodgates. It’s offering up its intranet.

Long term, the security concerns of exclusively working in IE6 and leaving itself open to attack will cost more money than it saves.

And with cyber security not high on the government budgetary agenda, you’d think it would be time for officials to pull their fingers out. 

Graham Cluley, of security outfit Sophos, talked to TechEye. He told us:

“‘Too expensive’, huh? You have to wonder how they’re going to use that as an excuse when security is compromised by using such an old browser.

“IE 6 was first launched in 2001, and you have to question the wisdom of sticking with IE 6 when Microsoft itself has urged users to upgrade to a more secure version.

“Of course, upgrading and switching browser isn’t something that a government department can do overnight – the IT teams responsible for network management will need to ensure that the PCs can properly handle the new version, and that existing web applications work properly.

“But doing nothing is not acceptable from the point of view of security, and sends the wrong message to consumers and businesses across the country. IE 6 simply isn’t safe, and should be ditched as soon as possible.”

You can see Graham’s full take on it on his blog.

Dave Marcus, Director at McAfee Labs, told TechEye: “Companies and governments need to learn from the Aurora attack that used IE6 to compromise Google, Adobe and others. They need to use up-to-date software that is properly maintained and employ best practices in configuration management to ensure patches are deployed promptly. They need to use properly configured security software and hardware.”