I recently had a catch-up with Stuart Strathdee, Chief Security Advisor for Microsoft Australia, who is out and about throwing his weight into Microsoft’s message encouraging users and businesses to ditch IE6 as soon as possible.
Personal computers running IE6 still make up a significant share of online systems, which is quite a scary prospect given that its ability to handle modern security threats is negligible. Engaging with customers is going to be an ongoing challenge for Microsoft - it can be extremely difficult to persuade users to make any sort of change to their systems if there’s no obvious reason to do so. Unfortunately most home users wouldn’t know if their machines were compromised or not, so as long as malware can sit quietly without causing obvious problems like crashes or popups, infections can go for a long time without detection or resolution.
Continued business use of IE6 is a different matter. While businesses in general are quite keen to mitigate security threats whenever possible, there is still a section of enterprise customers who consider themselves tied to IE6 because of line of business application dependencies, particularly in the areas of in-house development and CRM. For these customers, the cost of upgrading to support the latest browsers is disincentive enough for them to prefer to simply mitigate any browser-based or OS-based security threats as they arise. It’s one of those awkward situations where the interests of the vendor and the customer are at odds. But there might be a workaround.
In the run-up to releasing Windows 7, Microsoft announced some products designed to mitigate customer compatibility concerns – Windows XP Mode and Microsoft Enterprise Desktop Virtualization (MED-V). XP Mode and the latest version of Virtual PC, which supports application streaming, have had good take-up in the marketplace, but they are not enterprise applications, and MED-V itself has seen lacklustre interest from customers. This is not really surprising – deploying, maintaining and administering another operating system image on top of a Windows 7-based SOE represents quite an investment of time and resources, and while the solution is a powerful one, a customer contemplating going down the MED-V path would need overwhelming business reasons to do so – it’s not a solution which can be implemented casually.
By contrast, Microsoft Application Virtualization (App-V) has seen widespread interest from business customers and the IT professional community. Its ability to sandbox virtualized applications from the host operating system means that App-V has found unforeseen roles in mitigating compatibility problems and overcoming security issues.
Here’s where Microsoft has an opportunity to provide an elegant solution to the IE6 dilemma, by developing an App-V-based instance of IE6 and providing it to customers free of charge. This approach offers the following advantages:
- the application is isolated from the host OS, so client systems are protected from the browser’s inherent security vulnerabilities
- as it’s based on App-V, customers have the choice of whether to deliver it via App-V servers or standalone methodologies such as SCCM, GPO or MSI
- server-delivered instances can be patched, tweaked and updated centrally and changes delivered to clients
- the application could be managed via GPO, enabling customers to direct certain URLs to IE6, while the default browsing experience stays with the latest alternate browsers
Because of its deep ties to the operating system, IE6 is probably the last major stumbling block for many businesses to move away from Windows XP. Windows XP Mode and MED-V haven’t proven to be compelling enough solutions to overcome this problem, but if Microsoft could deliver a sandboxed browser which customers could manage themselves then I think this situation would be dramatically reversed.

This is such a good idea! I would like to see Microsoft step up and offer this. As a Director of IT at a company stuck on IE6 due to third party software that is not compatible on IE7 or IE8, this would give me the option to move onto Windows 7 and leave Windows XP behind. Yes, I would still have IE6 around but for those specific websites that need it. I would then have IE8 for the mass majority of the sites used by the company users.
CSS has released a Virtual IE6 / IE7 / IE8 running on all Windows platforms including Windows 7 using App-V
http://www.youtube.com/watch?v=3cccFGXORmE