Locked Into IE6?
Brian Krebs published a sure-fire way to get people to ditch IE6.
This past week I was reminded of a conversation I had with an ethical hacker I met at the DEF CON security conference in Las Vegas a couple of years back who showed me what remains the shortest, most elegant, and reliable trick I've seen to crash Internet Explorer 6:
Type or cut and paste 'ms-its:%F0:' into the address bar.
According to Alex Holden, some even more rancid versions of IE6 will also crash on 'its:©:'. Krebs:
There is one interesting possible use for this snippet of crash-inducing code. Maybe someone you know and care about insists on using IE6 or refuses to upgrade to IE7 or IE8. Install Firefox or some other browser alternative and then change their home page to 'this'.
Chances are good they will never be able to open IE6 again.
Another good trick would be to put IE redirects to 'ms-its:%F0:' on web pages.
But We're Locked In!
A lolcat that doesn't buy into that MCP/MVP locked-in bullshit.
An increasingly heard (and arrogant) complaint comes from grunts working at corporations seemingly 'locked in' to Windows and IE6.
As if the other Windows plebes in the forums are to wake up, get a clue, and join the world of the grownups.
But hacking into that mouthful is even easier (and a lot more fun) than crashing IE6. Consider the following.
- IE6 was released on Monday 27 August 2001.
- IE5 was released on Thursday 18 March 1999.
- ILOVEYOU caused billions in damages a year earlier.
- Code Red caused worldwide damage six weeks earlier.
- Code Red II started wreaking havoc three weeks earlier.
Between ILOVEYOU and Code Red II there was a formidable slew of related attacks. The battlefields were covered in blood. Anybody from Infosec had to be living in a cave (or stuck in a Microsoft MVP course) to miss this.
The point being that by Monday 27 August 2001, any security 'expert' with half a brain understood that security is an iterative process, that patches and updates are necessary, and so forth.
Besides: the ambition to lock an entire corporate infrastructure into a nonstandard solution (IE6) that isn't even compatible with successive versions (IE7, IE8) speaks of an unparalleled level of collective corporate stupidity.
Part of Microsoft's now infamous strategy to bar entry of platform-independent code through Netscape Navigator was to pretend to embrace web standards and then sell Microsoft's exclusive extensions - extensions which more often than not proved to be carriers of further attack vectors. Some corporations were intelligent enough to see through the sham; those that didn't see through it are the ones complaining today that they're 'locked in'.
Pathetic prattle about being locked into IE6 doesn't win sympathy or respect. Only derision and laughter.
Rixstep's The Technological: Aurora
Krebs on Security: Another Way to Ditch IE6
Radsoft Security: Protecting Your Windows File System
Radsoft News: Microsoft on IE8 Exploit: 'There Is No Patch'