January 14, 2016

Old versions of Internet Explorer no longer supported: does it spell trouble?

Business

Threatpost published a good article on a new (actually not so new) problem for businesses that depend on Microsoft products. The fact is that last week Microsoft dropped security support for Internet Explorer versions 8, 9 and 10 on most Windows platforms. This was no surprise: the change was announced 18 months ago, so there was time to retire these browsers. Unfortunately, that proved harder than it sounds.

Why so?

Custom (homegrown) web applications are the answer. Many of them were built for IE 8, 9 or 10, and businesses were in no hurry to undertake what Threatpost calls “a costly retool of those programs to work seamlessly on IE 11 or the new Edge browser”.

Netmarketshare.com shows that while IE 11 holds more than 25 percent of the market, IE 8, 9 and 10 combined still account for more than 20 percent. Some estimates give IE 9 and 10 a combined share of 36% on Windows 7, 8 and 8.1.

Attack surface

There was a lot of anxiety when Microsoft ended Windows XP support in 2014. Fortunately, the “malware apocalypse” for the remaining Windows XP machines (and there are still more than a few of them in circulation) never happened.


But exploiting XP vulnerabilities is, for a number of reasons, harder than exploiting a browser. An unpatched operating system generally has to be reached over the network or through some other application, whereas a browser fetches content from an enormous variety of web resources by design, including potentially unsafe ones. That makes it a convenient and very large attack surface.

Since it was well known that IE support was to be dropped, attackers may well have prepared in advance. Threatpost also cites experts who expect that attackers “will easily learn new attack techniques by analyzing future IE 11 updates”: about two thirds of the flaws fixed in version 11 also required patching in the earlier versions, so a patch for IE 11 will often point straight at a bug that remains unpatched in IE 8, 9 and 10.

Microsoft isn’t completely abandoning IE 8, 9 and 10, however. IE 9 will still be supported on Vista SP2 desktops and will continue to receive support on Windows Server 2008 SP2 and IA64, while IE 10 will be supported on Windows Server 2012.

Unsupported software

Obsolete software and protocols are a common and long-standing problem. For obvious reasons businesses cling to “things that work”, and custom solutions written for a particular platform, or dependent on specific versions of specific software, may live a bit too long for everyone’s good, until they become a threat in themselves, at the very least as a wide-open entry point for attackers.

IE has a long history as a target of attacks. Once the most popular browser in the world, its older versions were plagued by a multitude of vulnerabilities, and more are likely still to be discovered, now with no patch forthcoming for the versions that have lost support.

So if these old browsers cannot be retired, it is recommended to limit their use as much as possible (confining them to the legacy applications that need them and using another browser for everything else), keep them under constant scrutiny, and back them with an effective security solution that can block exploits before they succeed.
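One way to put the last recommendation into practice is to check web-proxy logs for clients that still browse with IE 8, 9 or 10, and in particular for clients that use the old browser outside the legacy applications that need it. The script below is an added example written for this page, not code from the article or from Kaspersky; the tab-separated log format, the sample log lines and the intranet allow-list are constructed for illustration. It identifies the browser from the Trident token rather than the MSIE token, because Compatibility View rewrites the latter (an IE 11 user can present as “MSIE 7.0”).

```python
"""Spot clients still running IE 8/9/10 in a web-proxy log, and which of them
use the old browser for anything other than the legacy intranet apps."""
import re
from urllib.parse import urlsplit

# Trident (layout engine) token -> IE major version. The "MSIE x.0" token is
# not reliable: Compatibility View rewrites it, so an IE 11 user can show up
# as "MSIE 7.0". The Trident token always reflects the installed browser.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

# Versions Microsoft stopped patching on client Windows in January 2016.
UNSUPPORTED_IE = {8, 9, 10}

# Hosts where the old browser is still tolerated (hypothetical internal apps).
ALLOWED_LEGACY_HOSTS = {"intranet.example"}

TRIDENT_RE = re.compile(r"Trident/(\d+\.\d+)")
MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")


def ie_version(user_agent):
    """IE major version derived from the Trident token, or None if not IE."""
    m = TRIDENT_RE.search(user_agent)
    return TRIDENT_TO_IE.get(m.group(1)) if m else None


def msie_token_version(user_agent):
    """The version the MSIE token claims; kept only to show the pitfall."""
    m = MSIE_RE.search(user_agent)
    return int(m.group(1)) if m else None


def parse_line(line):
    """Hypothetical tab-separated proxy format: client_ip, url, user_agent."""
    client, url, ua = line.split("\t", 2)
    return client, url, ua


def audit(log_text):
    """Return {client_ip: {"version": int, "offsite": set(hosts)}} for every
    client seen with an unsupported IE. "offsite" lists hosts outside the
    legacy allow-list, i.e. browsing that should have moved to another browser."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, url, ua = parse_line(line)
        ver = ie_version(ua)
        if ver not in UNSUPPORTED_IE:
            continue
        entry = findings.setdefault(client, {"version": ver, "offsite": set()})
        host = urlsplit(url).hostname
        if host not in ALLOWED_LEGACY_HOSTS:
            entry["offsite"].add(host)
    return findings


# Constructed sample log, not real traffic.
SAMPLE_LOG = "\n".join([
    "10.0.0.11\thttp://intranet.example/app\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "10.0.0.12\thttp://intranet.example/app\tMozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
    "10.0.0.13\thttp://news.example/\tMozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "10.0.0.14\thttp://intranet.example/legacy\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0)",
    "10.0.0.15\thttp://news.example/\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/47.0.2526.111",
    "10.0.0.11\thttp://news.example/\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
])

if __name__ == "__main__":
    for client, info in sorted(audit(SAMPLE_LOG).items()):
        where = ", ".join(sorted(info["offsite"])) or "legacy apps only"
        print(f"{client}: IE {info['version']} -> {where}")
```

On the sample data the audit flags 10.0.0.11 (IE 8, also used for news.example) and 10.0.0.12 (IE 10, legacy apps only), while 10.0.0.14 is correctly recognised as IE 11 despite its “MSIE 7.0” token. One caveat: a user-agent string cannot distinguish Vista from Windows Server 2008 (both report Windows NT 6.0), so a Trident/5.0 hit may still be a supported IE 9 on Vista SP2; cross-check such hits against the asset inventory before raising them.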