Now Microsoft says get off old IE versions, as it's pulling the plug on support

Written by

It may only collect six percent of the browser market, but Microsoft’s Internet Explorer remains to be used in homes and businesses, and in the security headlines.

Cast your mind back to 2010, when a zero-day vulnerability in IE6 was exploited by attackers in the Operation Aurora incident. As well as the severity of the attack, the incident showed how many users were on an outdated version of the Microsoft browser, something that it fixed but five months later it likened using the older browser to “drinking out of date milk”.

According to statistics from November 2015, 1.6% of IE users used versions previous to IE11. So in some effort to negate this problem, Microsoft announced that it will only support the most current version of IE (IE11) from Tuesday 12th.

Many would assume that it is as simple as updating the browser on your desktop, and that may be the case for home PC users, but what about businesses? My initial thought was this could cause problems for businesses who have built applications in previous IE versions, and cannot quickly push an update out for fear of those apps no longer working?

Many of those I talked to about this issue agreed that upgrading was the best option. Troy Gill, Manager of Security Research at AppRiver said that Microsoft first announced they would ‘end of life’ IE back in 2014, but the transition may be eased for some by features available in IE11 Enterprise Mode that offer emulation for older versions of IE.

Dwayne Melancon, CTO of Tripwire, agreed saying that IE11 does offer a “compatibility mode” which should provide an interim solution for most applications that aren’t ready to run properly on IE11 in its native mode.

“Microsoft has telegraphed this for quite some time which makes it likely that many app developers have at least started the process of modernizing their apps to work with IE11,” he said.

“If a user or company simply cannot switch to IE11 and must run an older version of the browser, the best course of action is to ensure that all users are running as ‘Standard’ users on Windows, rather than as Administrator-level users on their local systems. This will mitigate the risk of the most common browser-based malware attacks.”

This is one option for businesses, but I still believe that there will be reprocussions. Gavin Millard, technical director EMEA at Tenable Network Security, said: “For organisations that have to maintain an older version of IE for backwards compatibility, with the lack of updates, other compensating controls should be put in place to ensure the browsers aren’t targeted.

“This could include implementing filtering to only allow the browser access to the legacy systems, and continuous monitoring of outbound traffic to identify when an unsupported browser is communicating outside of the network.”

This news isn’t really a surprise to many, but it doesn’t stop it being a major inconvenience. In November 2015, statistics show that 2.2% of the 79% of Microsoft desktop OS use was on XP – an OS for which supported ended in 2014.

This end of life support will impact users both at home and in the workplace, but ultimately the industry was well informed of this decision and has had time to prepare - just as it did with XP. Microsoft cannot support legacy software forever, and while inconvenient, this decision will enable Microsoft to be offer more secure solutions.

What’s hot on Infosecurity Magazine?