Internet Explorer is currently in its 11th iteration, but there are still many computer users who are running older versions of IE. NetMarketShare estimates that almost one percent of total web browser users are still on IE 6.0, a sizeable number considering it was released nearly 14 years ago. Microsoft ended extended support on XP in April 2014 and will be dropping support for Server 2003 in July of this year.
Although a small percentage, that’s still a significant number of folks who are using an unsupported browser. They are soon to be joined by many more. ComputerWorld reported last month that over half of all users of IE (a whopping 60 percent) are currently running browser versions that will become obsolete within less than a year.
That’s because Microsoft, in an attempt to end some of the chaos and confusion – and security nightmares – caused by all the different versions of the browser, announced almost a year ago that beginning at the first of next year (January 2016), the company will support only the most recent version of IE that is available for each operating system.
What does that translate to in practical terms? IE 9 will be supported only on Windows Vista and Server 2008, and IE 10 will be supported only on Windows Server 2012. If you’re running a later operating system (Windows 7 or 8.1, or Windows Server 2008 R2 or 2012 R2), you must upgrade to IE 11 in order to continue to get updates. There will be no more support for IE 6, 7, or 8 on any OS.
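An added example, not part of the original article: one way to check which clients in a web server log fall outside the support matrix above, based on their User-Agent strings. The function names and sample strings are constructed for illustration; the mappings rely on the Windows NT and Trident tokens that these browsers report.

```python
import re
from collections import Counter

# Newest IE per Windows NT version, from the policy above:
# 6.0 = Vista/Server 2008, 6.1 = 7/2008 R2, 6.2 = Server 2012, 6.3 = 8.1/2012 R2.
# Windows 8 also reports NT 6.2, so confirm those hosts by other means.
LATEST_IE = {"6.0": 9, "6.1": 11, "6.2": 10, "6.3": 11}
EOL_OS = {"5.1", "5.2"}  # XP and Server 2003

# The Trident token gives the real engine even when Compatibility View
# makes a newer browser announce itself as "MSIE 7.0".
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

def ie_version(ua):
    """Return the real IE major version, or None if the UA is not IE."""
    trident = re.search(r"Trident/(\d+\.\d+)", ua)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[trident.group(1)]
    msie = re.search(r"MSIE (\d+)\.", ua)  # IE 7 and older send no Trident token
    return int(msie.group(1)) if msie else None

def classify(ua):
    """Classify one User-Agent string against the January 2016 policy."""
    version = ie_version(ua)
    if version is None:
        return "not-ie"
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    os_ver = nt.group(1) if nt else None
    if os_ver in EOL_OS:
        return "unsupported-os"
    if os_ver not in LATEST_IE:
        return "unknown-os"
    return "supported" if version >= LATEST_IE[os_ver] else "unsupported-browser"

def summarize(uas):
    """Tally classifications across many User-Agent strings."""
    return Counter(classify(ua) for ua in uas)

# Constructed sample User-Agent strings (illustrative, not from real logs)
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)",
    "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0",
]
```

The fifth sample is IE 11 in Compatibility View on Windows 7: it announces `MSIE 7.0`, but the Trident token shows it is the supported version, so an inventory keyed only on the `MSIE` token would overcount outdated clients.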
Of course, end of support doesn’t mean that the outdated versions of IE will suddenly cease to work. You can still use the older browsers with full functionality – but you shouldn’t. That’s because if you insist on hanging onto the past, you risk more than just looking like a Luddite or missing out on the latest and greatest feature set. You put your whole system at risk of malware and cyberattacks. End of support essentially means no more security patches.
One has only to look at the number of vulnerabilities that are routinely fixed whenever Microsoft issues a cumulative update for Internet Explorer (which is part of most Patch Tuesday releases) to realize that regular patching for your web browser is vitally important. For example, April’s IE cumulative update addressed 10 different vulnerabilities, the March update addressed 12, and so forth. The IE update usually contains one or more fixes that are for vulnerabilities rated critical.
A fully patched web browser doesn’t mean you don’t have to worry about security. Web browsers are a common target of zero-day attacks, for which by definition there are no updates available. But updating your browser is one of the most important parts of reducing the risk. Another element is user education, since so many browser exploits require user interaction and are accomplished through social engineering tactics.
The real key to getting users off of the old browsers is to get them to upgrade not just their web browsers, but their operating systems. The browser and OS are intricately entwined, particularly in the case of Internet Explorer. The new operating systems now have security mechanisms built in that help to protect against browser-based threats, a feature that the older operating systems don’t have.
The next version of the Windows client operating system, Windows 10, will include a brand new web browser (currently known as Project Spartan) that reportedly will be set as the default browser (IE 11 will also be included for compatibility purposes). We know that Spartan will be a more stripped down (aka “minimalist”) browser, which, in theory, could mean a smaller attack surface. There hasn’t been a lot put out there about Spartan’s security features, although we have heard that it will support HTTP Strict Transport Security, which tells the browser to always use SSL when visiting specific web sites. Spartan also apparently will not support ActiveX plug-ins – which constitute a vector for many exploits.
The catch is that Spartan reportedly will only run on Windows 10. Unlike Microsoft’s usual practice of releasing versions for some of its older operating systems when it comes out with a new version of IE, you’ll have to upgrade the OS to get Spartan. The good news is that for those using Windows 7 and Windows 8/8.1, the upgrade to Windows 10 will be free, at least for the first year after it’s released.
For enterprises, upgrading to the latest and most secure web browser is just good for business. Malware and other attacks result in expensive downtime, loss of mission-critical data and, in many cases, damage to a company’s reputation and loss of current customers and future business. A study conducted by the Ponemon Institute showed that a majority (55 percent) of malicious software attacks were accomplished by exploiting web browser vulnerabilities, with more than 75 percent of enterprises having been infected with malware through insecure web browsers.
All in all, then, pulling support for older browsers that can’t be properly secured is a smart move on Microsoft’s part. It will then be up to individuals and organizations to follow Microsoft’s lead and make their own smart move to upgrade their browsers and/or operating systems.