DoH urges NHS staff to stop using IE6

Doctor at computer

The Department of Health (DoH) has urged all NHS staff still using Internet Explorer 6 (IE6) to upgrade to version 7 of the browser as soon as possible.

Earlier this month, Microsoft issued details of a security vulnerability identified in IE6 that allows remote execution of malicious code via an invalid pointer reference.

This was reportedly the route identified as having been used by Chinese hackers to infiltrate the systems of Google and several other large companies in December a move that saw Google threaten to pull out of China altogether.

Microsoft has since issued an out-of-band security patch for IE6 to address the issue, while the Cabinet Office has issued an advisory to Government departments on update from the browser.

And now, in a four-page bulletin (PDF) issued by the department's informatics directorate, the DoH's staff have been urged to take action to ward off potential "reputational damage".

Staff are warned that the vulnerability could allow cyber criminals "to download and install further malware/spyware on to the computer, add user accounts to the computer [and] steal sensitive data held locally and centrally".

The warning continues: "It is also possible that exploiting this vulnerability could allow for the compromised computer to be used as a staging point' for further attacks against other computer systems including those outside of the organisation.

"If an organisation has systems compromised via this vulnerability, there may be consequential reputational damage, especially if sensitive data is affected or the compromised system is used to attack other systems."

Employees and departments have been urged to act quickly, at the very least to apply Microsoft's newly issued patch, but also to look at upgrading the browser itself.

"It is recommended that this update is applied to all affected computers within an organisation. Organisations should ensure that appropriate levels of testing of the update take place prior to mass deployment," the guidance adds.

"It is additionally further recommended that organisations still using Internet Explorer 6 on the affected platforms upgrade to Internet Explorer 7. [It] has been warranted to work correctly with Spine applications such as CSA and provides additional security features over Internet Explorer 6."

Despite Microsoft's own recommendation that users upgrade to IE8, the NHS instead advises only the step up to IE7 recognition of the reality of just how out of date many public systems are.

The Guardian reports that three quarter of a million NHS workstations use the combination of Windows XP and IE6, and to this day all new web applications must be compatible with the combination.