It’s the end of the line for Internet Explorer 8, 9 and 10 — and Windows 8. Microsoft first warned the world it was putting the kibosh on older IE versions back in August 2014. Today, in conjunction with Microsoft’s first Patch Tuesday of the year, it’s official.
Microsoft is still offering technical support and security updates for IE 11, but the legacy versions (8, 9 and 10) are out in the cold after this final patch. KB3123303 is the official “End of Life” upgrade and offers a cumulative security update for the three phased-out versions of Internet Explorer.
Ultimately, the move puts consumers who continue using the older versions at risk for malware because Microsoft will not continue plugging the holes that hackers are bound to discover. And that’s potentially a lot of people, given a December report from StatCounter Global Stats that indicates that over 5 percent of all Web page visits came from unsupported browsers.
Attackers Lying in Wait
“It is safe to assume that cybercriminals have been stockpiling IE vulnerability information ahead of the support cutoff, and they will easily learn new attack techniques for older versions by analyzing future IE 11 updates,” said Craig Young, security researcher for advanced threat protection firm Tripwire’s Vulnerability and Exposure Research Team (VERT), in a statement.
“Using Tripwire’s VERT vulnerability database, rough estimates indicate that more than two-thirds of the vulnerabilities addressed in IE 11 also required patching in previous IE versions,” he said.
So what are consumers who are using older versions of IE supposed to do? What if enterprises cannot switch to IE 11 immediately? How can they ward off malware?
Tripwire offers three suggestions:
1. Standard User Focus
The first step seems straightforward enough, but it’s vital. Tripwire suggests ensuring that every user browsing on Windows is running as a “standard user” rather than as an administrator-level user on the company’s local systems. Designating standard users will reduce the risk of browser-based malware attacks circulating the Web.
2. Block Browsing
If your applications demand working with older Web browsers, now is the time to block browsing from systems that are vulnerable. This will avoid, or at least cut back on, issues that may occur when employees start surfing the Web in their free time.
3. Deploy Network Protection Rules
IT staff should think about deploying network protection rules that drop HTTP requests based on vulnerable user-agent strings. Advanced users may be able to change the user-agent string and bypass these restrictions, but the goal with these rules is ultimately to make the attack surface on older browsers smaller.
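The classification such a rule depends on, as an added Python example that is not from the article or from Tripwire. It keys on the Trident engine token because IE 11 in compatibility view sends an `MSIE 7.0` token, so a rule matching only `MSIE` would also drop the supported browser. The function names and sample headers are constructed for this example.

```python
import re

# Trident engine major version -> IE release that ships it.
TRIDENT_TO_IE = {4: 8, 5: 9, 6: 10, 7: 11}
OLDEST_SUPPORTED_IE = 11  # per the article: only IE 11 still gets updates

MSIE_RE = re.compile(r"\bMSIE (\d+)\.")
TRIDENT_RE = re.compile(r"\bTrident/(\d+)\.")

def ie_version(user_agent):
    """Return the IE major version behind a User-Agent, or None if not IE."""
    trident = TRIDENT_RE.search(user_agent)
    if trident and int(trident.group(1)) in TRIDENT_TO_IE:
        # Compatibility view lowers the MSIE token but keeps the engine token,
        # so the engine token identifies the installed browser.
        return TRIDENT_TO_IE[int(trident.group(1))]
    msie = MSIE_RE.search(user_agent)
    if msie:
        return int(msie.group(1))  # IE 7 and older send no Trident token
    return None

def should_block(user_agent):
    """True when the request claims to come from an unsupported IE version."""
    version = ie_version(user_agent)
    return version is not None and version < OLDEST_SUPPORTED_IE

# Constructed sample headers, in the shapes these browsers send.
SAMPLES = [
    ("IE 8", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    ("IE 8 compat view", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"),
    ("IE 10", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"),
    ("IE 11", "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"),
    ("IE 11 compat view", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; Trident/7.0)"),
    ("non-IE", "Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0"),
]

def triage(samples=SAMPLES):
    """Return (label, detected IE version, decision) for each sample header."""
    return [(label, ie_version(ua), "DROP" if should_block(ua) else "ALLOW")
            for label, ua in samples]

if __name__ == "__main__":
    for label, version, decision in triage():
        print(f"{decision:5}  IE={version!s:4}  {label}")
```

The decision trusts the header the client sends, so it narrows exposure from unmodified browsers only.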
Now Is the Time to Move
Tim Erlin, director of IT security and risk strategy for Tripwire, pointed to a cruel reality: In an age of continual cyberthreats, there are no excuses for not carrying out browser updates.
“Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11,” Erlin said. “For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place — the longer older versions of IE are unsupported, the more attackers will target them.”