UniBrows Adds Security To Internet Explorer 6 Apps

Microsoft Internet Explorer 9 Beta Revealed

If breaking up with Internet Explorer 6 is hard to do, Browsium, a new software startup created by former Microsoft employees, may have the solution: run IE6 inside Internet Explorer 8.

Browsium said its UniBrows software, still in beta, "provides full IE6 functionality and behaviors, including ActiveX controls support, rendering, and JavaScript functionality." Rather than running a virtualized instance of IE6, however, the UniBrows "rendering agent" runs it in an IE8 tab, using Microsoft DLLs. The approach, more streamlined than virtualization, requires only 10MB of memory.

But the biggest upside may be as a way to eliminate IE6's well-documented security flaws.

As Graham Cluley, senior technology consultant at Sophos, has said: "Microsoft itself has urged IE6 users to upgrade to Internet Explorer 8 (as a way of avoiding an attack by a zero-day vulnerability). And yet... plenty of firms and organizations find themselves still running Internet Explorer 6."

Indeed, according to Net Applications, IE6 still accounts for 15% of the world's browser use. But for organizations that rely on custom applications or intranets that only work with IE6, and which don't have budgetary approval to rewrite them for IE8, what's the near-term alternative?

According to Matt Heller, CEO of Browsium, "IE6 is clearly less secure than IE8, so running IE6 standalone, virtualized, or in an IE tab increases the attack surface of a system -- this is clearly unavoidable."

But his company's UniBrows, he said, "offers mitigations that counteract the increased risk of running IE6, something that standalone IE and virtualized solutions do not." For example, UniBrows enables IE6 applications to be administered with Microsoft Management Console, and access to the applications can be managed via Group Policy.

Further security protections are added by a UniBrows plug-in that sits between the IE6 engine and web pages, which watches for suspect behavior, such as "loading an IFRAME, sending content across domains, and installing ActiveX controls," said Heller. Non-permitted activities get blocked outright, or in the case of ActiveX controls, passed to the IE8 security engine for handling.

The plug-in is opt-in by default and granular -- down to individual page behavior -- meaning that attackers can't switch on the rendering engine to then remotely attack IE6. "By enforcing the rules as we do, sites can only render using the IE6 functionality when manually configured by the organization. Unlike Google Chrome Frame or similar solutions, there is no ability for the remote site to trigger the rendering switch," said Heller.

This approach also curtails attacks that attempt to exploit known IE6 vulnerabilities. For example, if an attacker uses a known IE6 bug to attempt to trigger a buffer overflow and then execute arbitrary code -- such as deleting all files on the home drive -- "our process makes the control think that the command was successful when, in fact, nothing really happened," he said.

Browsium hopes to publicly release UniBrows later this month.