path: root/published/ie6upgradeguide.txt

Microsoft has a problem: despite the company's best efforts, Windows XP won't die. 

People love the venerable operating system and just don't want to upgrade. Microsoft recently moved from carrots -- upgrade to Windows 8! It's shiny, it's new! -- to sticks, announcing that in April 2014 the company will cease offering security updates for Windows XP.

That undercuts the if-ain't-broke-don't-fix-it mentality that has helped XP hang around for so long, particularly in the enterprise sector where businesses are loathe the change and many educational institutions and non-profits simply can't afford it.

Unfortunately for such users, come April 2014 you are being thrown to the wolves. 

It's time to upgrade or become vulnerable to attack. It might not seem like the end of security updates would be that big of a deal -- after all, it's been nearly 15 years now, haven't attackers found all the vulnerabilities out there already? The problem is, even if that were true -- and it's not -- Microsoft will continue to issue security updates for Windows Vista, Windows 7 and Windows 8, which means attackers have a script to work from when going after Windows XP. As Tim Rains, Microsoft's Director of Trustworthy Computing, wrote in <a href="http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx">a blog post</a> earlier this year, "the very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities."

In other words, every security update Microsoft releases after April 2014 will serve as a blueprint for how to attack Windows XP. Windows XP won't necessarily be vulnerable to them all, but all it takes is one.

If you've long since left Windows XP behind you may wonder why others have stuck with it for so long. The answer, particularly in the enterprise sector, is software. Legacy software that would be too expensive, or, in some cases, very time consuming to re-write keeps many a business soldier on with XP. 

Much of that software happens to be browser-based -- intranet apps written specifically for Internet Explorer 6. When Windows XP is swept into the dustbin of computing history next year IE 6 will go with it. The much-maligned, but still widely used Internet Explorer 6 is also reaching the end of its support life. Like the OS that gave birth to it, IE 6 just doesn't seem to die, though in the case of the browser the reasons are perhaps more practical -- countless intranets and private apps in companies big and small were written specifically to run in Internet Explorer 6.

This is, on one hand, an excellent argument for the business benefit of writing app to web standards rather than the browser du jour. Out on the web this lesson was learned the hard way when Internet Explorer 6 lost market share and websites that required it were forced to change to web standards. These days websites and web apps are developed against web standards and will work in any browser that supports those standards. 

That same market pressure was never applied to intranet sites which were only ever accessed privately, within a company. Now Microsoft is applying that pressure and many an IT department is learning what web developers already know -- browser specific apps are a bad idea.

If you've got legacy apps that require IE 6 here's the good news: if you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants. And by "if" I mean "when" because the old world of XP and IE 6 is going away whether you like it or not.

How hard it is to convert your apps to work in modern browsers will vary. If your app just uses non-standard CSS and consequently renders poorly in modern browsers it likely won't be too hard to update it.

If, on the other hand, your app relies on tons of ActiveX elements it's going to be much harder to update it. While ActiveX made it easy to build apps by connecting your code to system code -- i.e. no need to write a video player, just call the ActiveX control -- it also tightly integrated your app with the (now obsolete) system code. Easy at the time, difficult down the road.

What do you do if your company just doesn't have the resources to update a mission-critical app before April 2014? There is one possible stop gap measure that may help, Internet Explorer's "Compatibility View".

While the end goal for any business should to be a move away from vendor-compliant web apps to standards-compliant apps, sometimes it's not possible to do everything at once. To help ease the transition from IE 6 to something a bit more modern you may want to, at least for a time, follow Microsoft's upgrade path. That is, jump from IE 6 to IE 8 or higher and use Compatibility View to make IE 10 render as IE 7. 

The question is how far should you jump? IE 8? IE 9? IE 10? Now IE 11 is on the horizon. Fortunately you can narrow that considerably by just bearing in mind that the real key to making your legacy apps work is Compatibility View. In other words, there's no reason not to jump all the way to the latest version, IE 10 at the time of writing. 

IE 10 can emulate IE 7 just like IE 8 does, but the rest of the time your employees will be using a much better browser. IE 10 is faster, supports more modern web standards and offers a cleaner user interface. IE 10 is the best version of IE that Microsoft has ever shipped and if you're going to upgrade, you may as well upgrade all the way to IE 10.

To make sure that IE 10 still renders your legacy intranet app properly you'll just need to add a meta tag to your tag to your app's head tag. The Internet Explorer Dev Center has full details on the various ways you can turn on IE 10's Compatibility Mode. Probably the simplest is to just add a "X-UA-Compatible" meta tag to your apps' HTML head tags. That will tell IE 10 to render the page as IE 7 would have.

For some apps this may help, but note that it's emulating IE 7, not IE 6. None of Microsoft's later releases are capable of rendering as IE 6. It really was that bad.

While even rendering as IE 7 may not work completely, it should mean a little less work since it shares many of the non-standard behaviors (ActiveX, etc) of IE 6 and many of its rendering quirks as well. Ideally that means you'd just need to make a few changes to get your legacy apps working in IE 10 compatibility mode. There is also an IE 5 mode, that emulates what's known as "quirks mode" that you can try if IE 7 mode just isn't cutting it.

Between these two compatibility modes most apps should be able to escape the it's-all-going-to-hell-in-April woods.

Moving to IE 10 for your legacy apps means you can also move to Windows 7, if not all the way to Windows 8.

This is not, however, a future-proof solution. 

What you've done so far is shift browser support. If your company would like to move away from not just the dead end legacy apps it's still dependent on, but the very reason those dead end apps are still around, then you might want to kick Internet Explorer to the curb.

What you want to do is shift platform support. That is, instead of supporting Microsoft, support the web. Build to web standards as defined by the W3C and you're no longer beholden to any one browser or any one company.

Provided you do that you're free to move away from Internet Explorer completely. That opens any number of possibilities, though the most enterprise-friendly options are Firefox and Google Chrome.

Mozilla offers an Extended Support Release of Firefox aimed at Enterprise environments. Each ESR release of Firefox is maintained for approximately one year, with point releases containing security updates coinciding with regular Firefox releases (currently every six weeks). Support is limited to Mozilla’s <a href="https://mail.mozilla.org/listinfo/enterprise">Enterprise Working Group mailing list</a>.

For administrators there's also <a href="http://homepages.ed.ac.uk/mcs/FirefoxADM/Readme.htm">FirefoxADM</a>, which allows you to manage Firefox through Active Directory, more or less just like you're doing with IE 6 now.

While Firefox is a viable option in many situations, Mozilla has not historically put much effort into the enterprise. As the ESR release demonstrates, that's starting to change, but for some it likely isn't changing fast enough.

Google Chrome is another possibility, one that's increasing appealing particularly to companies relying on Google's enterprise webapps for other aspects of their business. In other words if you're using Gmail or Google Apps for Enterprise anyway, you might want to look into Google Chrome as well.

Google recently upped the ante for Enterprise, offering the <a href="http://www.theregister.co.uk/2013/04/17/google_legacy_browser_support/">Chrome Legacy Browser Support extension</a>. The Chrome Legacy Browser Support extension allows you to upgrade to Google Chrome while still opening your legacy apps in IE. 

The extension uses an exception list -- compiled and maintained by your IT department -- of sites that will cause Chrome to open them in what Google calls "legacy" browsers. That's Google-speak for Internet Explorer. In other words you can deploy Chrome, your employees can use it 99 percent of the time and enjoy access to the latest and greatest on the web, but when they need to access an legacy app Chrome will automatically open IE. 

There's a corresponding plugin for IE as well, so that when your users navigate away from the legacy app they will directed back to Chrome. 

The Chrome Legacy Browser Support extension works with IE 6 - IE 10.

Like Firefox, Google initially didn't offer much enterprise support for Chrome, but the company has changed its tune over the years. These days Google is also working hard to make Chrome more enterprise-friendly by providing more tools for IT departments to manage large deployments. Google boasts some 150 tools for deploying and controlling Chrome in the enterprise.

For example, one big potential road block for many large companies is Chrome's frequent update schedule, with new releases arriving every six weeks. To address that Google allows enterprise deployments to set their update policy to manual. The trade off course is that you may miss security updates. 

There are also tools to manage extensions and web applications so you can provide, for instance, a pre-installed version of your web app. It's even possible to deploy a private version of Chrome's web store with just the apps you want to make available to your employees.

The end of Internet Explorer 6 and Windows XP is going to be a painful time for companies that have thus far been keeping their heads buried in the sand. There's really no way to sugar coat it, you're screwed. The transition will very likely be a bumpy one, even with tools like Compatibility Mode and the Chrome Legacy Browser Support extension. That said, this is also an opportunity to future-proof your business, to make sure you don't get screwed again. Whether that means moving away from the Internet Explorer browser completely or not, at the very least make sure your apps comply with web standards. This time around stick with the standards that have been established to avoid the very predicament you're in; this time stick with the web.