UniBrows Adds Security To Internet Explorer 6 Apps

Published: 22/11/2024   Category: security




Startup Browsium could help eliminate security concerns for firms that don't have the budget to update their IE6-based apps or intranets for safer browsers.



If breaking up with Internet Explorer 6 is hard to do, Browsium, a new software startup created by former Microsoft employees, may have the solution: run IE6 inside Internet Explorer 8.
Browsium said its UniBrows software, still in beta, provides full IE6 functionality and behaviors, including ActiveX controls support, rendering, and JavaScript functionality. Rather than running a virtualized instance of IE6, however, the UniBrows rendering agent runs it in an IE8 tab, using Microsoft DLLs. The approach, more streamlined than virtualization, requires only 10MB of memory.
But the biggest upside may be as a way to eliminate IE6's well-documented security flaws.
As Graham Cluley, senior technology consultant at Sophos, has said: "Microsoft itself has urged IE6 users to upgrade to Internet Explorer 8 (as a way of avoiding an attack by a zero-day vulnerability). And yet... plenty of firms and organizations find themselves still running Internet Explorer 6."
Indeed, according to Net Applications, IE6 still accounts for 15% of the world's browser use. But for organizations that rely on custom applications or intranets that only work with IE6, and which don't have budgetary approval to rewrite them for IE8, what's the near-term alternative?
According to Matt Heller, CEO of Browsium, IE6 is clearly less secure than IE8, so running IE6 standalone, virtualized, or in an IE tab increases the attack surface of a system -- this is clearly unavoidable.
But his company's UniBrows, he said, offers mitigations that counteract the increased risk of running IE6, something that standalone IE and virtualized solutions do not. For example, UniBrows enables IE6 applications to be administered with Microsoft Management Console, and access to the applications can be managed via Group Policy.
Further security protections are added by a UniBrows plug-in that sits between the IE6 engine and web pages, which watches for suspect behavior, such as loading an IFRAME, sending content across domains, and installing ActiveX controls, said Heller. Non-permitted activities get blocked outright, or in the case of ActiveX controls, passed to the IE8 security engine for handling.
The plug-in is opt-in by default and granular -- down to individual page behavior -- meaning that attackers can't switch on the rendering engine to then remotely attack IE6. "By enforcing the rules as we do, sites can only render using the IE6 functionality when manually configured by the organization. Unlike Google Chrome Frame or similar solutions, there is no ability for the remote site to trigger the rendering switch," said Heller.
This approach also curtails attacks that attempt to exploit known IE6 vulnerabilities. "For example, if an attacker uses a known IE6 bug to attempt to trigger a buffer overflow and then execute arbitrary code -- such as deleting all files on the home drive -- our process makes the control think that the command was successful when, in fact, nothing really happened," he said.
Browsium hopes to publicly release UniBrows later this month.
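
The opt-in model Heller describes can be illustrated with an added example (not Browsium's code or configuration format): the legacy engine is chosen only from administrator rules, page-supplied hints such as an X-UA-Compatible header are ignored, and per-page behaviors default to blocked. The rule layout, host names and function names are hypothetical.

```javascript
// Added illustration; rule format and names are hypothetical, not UniBrows' own.
// Constructed admin policy: legacy rendering is opt-in per host and path prefix.
const RULES = [
  { host: "hr.corp.example", pathPrefix: "/timesheet/",
    allow: { iframe: false, crossDomain: false, activeX: "delegate" } },
];

// Page-supplied hints of the kind Chrome Frame honoured; deliberately ignored here.
const REMOTE_HINTS = ["x-ua-compatible"];

function findRule(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // Exact host match: no suffix or substring matching, so
  // hr.corp.example.attacker.test never qualifies. URL() has already
  // lower-cased the host and normalised ../ segments in the path.
  return RULES.find(r => url.hostname === r.host &&
                         url.pathname.startsWith(r.pathPrefix)) || null;
}

// Engine choice depends only on the URL and admin rules, never on page content.
function chooseEngine(rawUrl, responseHeaders = {}) {
  const ignoredHints = Object.keys(responseHeaders)
    .filter(h => REMOTE_HINTS.includes(h.toLowerCase()));
  const rule = findRule(rawUrl);
  return { engine: rule ? "legacy" : "modern", ignoredHints };
}

// Decide what to do with a behaviour observed on a page.
function checkBehavior(rawUrl, behavior) {
  const rule = findRule(rawUrl);
  if (!rule) return "not-legacy";            // modern engine handles the page
  const setting = rule.allow[behavior];
  if (setting === true) return "allow";
  if (setting === "delegate") return "delegate-to-host-browser";
  return "block";                            // default deny, unknown behaviours too
}
```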
