Having announced in August 2014 that it would end support for versions 8, 9 and 10 of Internet Explorer, Microsoft has today kept its promise, while, according to ComputerWorld, 170 million still use the expired versions of the Windows-based browser.
Releasing the final patch for Internet Explorer 8, 9 and 10 today, January 12th, along with an "End of Life" notice, Microsoft is encouraging users to switch to Internet Explorer 11 and Microsoft Edge. This is part of the company's bigger plan to transition customers onto Edge, which is currently only available on Windows 10 computers.
The end of life notices mean that these versions of Internet Explorer won't receive any more security updates or other patches. Those still using the browsers could be vulnerable to security threats and even hacks, depending on what other security software, if any, they have installed. The move means that only Internet Explorer 11 is still supported by Microsoft.
Mike Hanley, R&D bod at Duo Security, spoke to SC and said the company is looking to evangelise the upgrade process, especially among its users, as it is still seeing around 10-20 vulnerabilities a month within the expired browsers, which 44 percent of its users are still using.
Highlighting the urgent need for businesses to upgrade, Hanley explains, “The cost of both upgrading browsers on company machines, and upgrading software that a company uses that relies on an older version of the browser is far outweighed by the cost of a breach”.
Hanley went on to say that “the bad guys have had 18 months to search for different attack vectors and develop them since Microsoft announced the end of life of older versions of IE, which could be released once Microsoft will no longer patch against it”.
According to Microsoft, Edge has been designed and built completely separately from Internet Explorer, so it naturally takes up much of the engineering capacity previously dedicated to older versions of IE. The team behind Edge is promising the speed and usability that the older browser lacked; integration with Cortana, the company's virtual assistant; its own reading list for saving pages and articles for later; and a doodle mode that lets you make notes, etc., on a web page.
In an email to SCMagazineUK.com, Gavin Millard, technical director of Tenable Network Security, suggested a way in which businesses might be able to maintain a degree of security while using legacy versions of Internet Explorer: "Whilst many home users have moved to the latest versions of Internet Explorer supported on their respective operating systems, the end of support could impact businesses that rely on older versions of IE to access legacy systems.
"For organisations that have to maintain an older version of IE for backwards compatibility, with the lack of updates, other compensating controls should be put in place to ensure the browsers aren't targeted. This could include implementing filtering to only allow the browser access to the legacy systems, and continuous monitoring of outbound traffic to identify when an unsupported browser is communicating outside of the network."
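The outbound-monitoring control Millard describes can be sketched as a check over web-proxy logs; this is an added example, not part of the original article or any vendor's tooling. The log format, host names and addresses are constructed, and the browser is identified from the Trident token because Compatibility View changes the MSIE token.

```python
import re
from urllib.parse import urlsplit

# Trident engine version -> real IE version. The MSIE token is unreliable:
# Compatibility View reports "MSIE 7.0" whatever version is installed.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
# Constructed log format: timestamp client_ip method target status "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def ie_version(user_agent):
    """Return the real IE major version, or None if the UA is not IE."""
    m = re.search(r"Trident/(\d+\.\d+)", user_agent)
    if m:
        return TRIDENT_TO_IE.get(m.group(1))
    m = re.search(r"MSIE (\d+)\.", user_agent)  # IE 7 and older send no Trident token
    return int(m.group(1)) if m else None

def find_unsupported_ie_egress(lines, allowed_hosts):
    """Return (client_ip, ie_version, host) for IE older than 11 reaching a non-allowlisted host."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, method, target, _status, ua = m.groups()
        version = ie_version(ua)
        if version is None or version >= 11:
            continue
        # HTTPS shows up as CONNECT host:port, plain HTTP as a full URL
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0]
        else:
            host = urlsplit(target).hostname or ""
        if host.lower() not in allowed_hosts:
            alerts.append((client, version, host.lower()))
    return alerts

# Constructed sample data (hypothetical hosts and addresses)
ALLOWED_HOSTS = {"legacy-erp.corp.example"}
SAMPLE_LOG = [
    '2016-01-12T09:00:01Z 10.0.5.21 GET http://legacy-erp.corp.example/login 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '2016-01-12T09:00:07Z 10.0.5.21 GET http://news.example.org/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '2016-01-12T09:01:12Z 10.0.5.34 CONNECT mail.example.net:443 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)"',
    '2016-01-12T09:02:30Z 10.0.5.40 GET http://news.example.org/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0)"',
]
if __name__ == "__main__":
    for alert in find_unsupported_ie_egress(SAMPLE_LOG, ALLOWED_HOSTS):
        print("unsupported IE egress:", alert)
```

The third sample line is IE 9 in Compatibility View and is flagged; the fourth is IE 11 in Compatibility View and is not, although both send "MSIE 7.0".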
Troy Gill, manager of security research of AppRiver, said, “Businesses running applications that are reliant on older versions of IE can continue to do so but it will be to their detriment. Microsoft first announced it would end IE support back in 2014 so this should not come as a surprise to anyone but if a business has been holding out until the last minute, then that time has come. The transition may be eased for some by features available in IE11 Enterprise Mode that offer emulation for older versions of IE.”
He went on to explain that "Hackers, cyber-criminals and the like are always looking for new ways to gain access to systems. In many cases these vulnerabilities are found in out-of-date/unpatched software installed on the target machine. In this case, older versions of IE will no longer receive security patches. Over time, as more vulnerabilities are discovered in the browser, the browser becomes a greater security risk because it is not getting the critical security patches that would ordinarily be applied to a supported browser."
Craig Young, security researcher at Tripwire's Vulnerability and Exposure Research Team (VERT), said, “It is safe to assume that cyber-criminals have been stockpiling IE vulnerability information ahead of the support cutoff, and they will easily learn new attack techniques for older versions by analysing future IE 11 updates.”
“It's a cruel reality, but in an age of continual cyber-threats, there are no excuses for not carrying out browser updates,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE11. For applications that aren't ready in time, IE11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernised. If you don't have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”
Fraser Kyne, principal systems engineer at Bromium, said, “The end of support for older versions of IE will force businesses to balance the theoretical risk of an attack and the real business cost of updating their web-based applications.”