Anxiety was high around April 8, 2014 when Microsoft officially closed the door on security support for Windows XP. Many envisioned black hats worldwide stockpiling exploits waiting for the day when XP machines would be left permanently exposed.
The anticipated malware apocalypse, however, never really came for the remaining XP machines in circulation.
And now here we are again with another important Microsoft-imposed deadline at hand, and again anxiety is bubbling—but perhaps with good reason this time.
Next Tuesday will bring the first batch of Microsoft security bulletins for 2016 and it will also herald the end of security support for Internet Explorer versions 8, 9 and 10 on some Microsoft platforms. Microsoft made the call almost 18 months ago, giving businesses ample time to prepare for the day when those versions of IE, battered by zero-days, exploit kits and targeted attacks, should be retired.
Reality, however, usually bites.
Enterprises and midmarket companies reliant on homegrown web applications that were built for IE 8, 9 or 10 aren’t in any hurry for a costly retool of those programs to work seamlessly on IE 11 or the new Edge browser. Statistics from a number of sources bear out the fact that there remains a significant percentage of web traffic moving through IE. Netmarketshare.com, for example, says that while IE 11 holds more than 25 percent of market share, IE 8, 9 and 10 combined still account for more than 20 percent. Researchers at Duo Security, examining traffic moving through their services, put the percentage a bit higher for IE 9 and 10—almost 36 percent—running on Windows 7, 8, or 8.1.
Given that browsers historically offer hackers a much juicier attack surface than operating systems, folks may want to take Tuesday’s deadline seriously.
“In most cases an attacker will need to already have access to a local network or be able to trick users into opening malicious files as part of a successful attack leveraging Windows XP vulnerabilities,” said Tripwire security researcher Craig Young. “The web browser on the other hand is of course used to constantly process data from potentially untrusted sources, leaving users exposed to a wide range of attacks.”
Microsoft, for its part, continues to roll out patches for IE at a near-record pace. Patch Tuesday, the second Tuesday of every month, brings routine cumulative updates for the browser, sometimes addressing two or three dozen CVEs, most of which allow remote code execution and some of which bypass existing security mitigations.
“Attackers have known since the summer of 2014 that Microsoft was dropping support for IE; it’s reasonable to assume that attackers know people are staying on these platforms and will take advantage of the circumstances,” said Michael Hanley, program manager of research and development at Duo Security. “We still expect an aggressive effort against IE 8, 9 and 10 going into 2016.”
Microsoft isn’t completely abandoning IE 8, 9 and 10, however. IE 9 will still be supported on Vista SP2 desktops and on Windows Server 2008 SP2 and IA64, while IE 10 will continue to receive support on Windows Server 2012.
Tripwire’s Young said that while attackers may not be hoarding IE 8, 9 and 10 exploits right now, they are going to be paying attention to what’s patched in IE 11 going forward.
“It is also quite safe to assume that even without attackers stockpiling IE vulnerability information ahead of the support cut-off that attackers will easily learn new attack techniques by analyzing future IE 11 updates,” Young said. “Some rough estimates using Tripwire VERT’s vulnerability database indicate that more than two-thirds of the vulnerabilities addressed in IE 11 also required patching in previous versions.”
And then there’s application compatibility. Enterprises, experts said, should weigh the cost of updating applications to work with the newest browsers against the cost of a breach of a legacy system via IE.
“The cost of a breach is so high, companies need to move toward apps that support latest security technology, browsers and OSes,” Hanley said.
Young notes that this is one instance where consumers, because of Windows Update automation, may already be on IE 11 and ahead of business implementations in terms of security.
“With some applications it can be non-trivial to port code to the newer browsers, with many organizations trying to defer the associated costs for as long as possible,” Young said. “While there may not be an immediate security risk from using an industry-specific web application with the unsupported browser, problems arise during the lunch hour when employees start exploring the web. Businesses with application requirements for older web browsers would be well advised to block browsing from these systems.”
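The traffic figures quoted earlier come from Netmarketshare and Duo; to measure the same thing inside your own network, and to produce the list of hosts that Young's closing advice would have you cut off from general browsing, you can classify the User-Agent strings in your proxy logs. The added example below is not code from the article or from any of the vendors it cites. It keys on the Trident engine token rather than the MSIE token, because IE in Compatibility View advertises "MSIE 7.0" while keeping its real Trident version, and IE 11 drops the MSIE token entirely. The log line format and the sample lines are constructed for the demonstration; adapt the `_LOG_RE` pattern to whatever your proxy actually writes.

```python
import re
from collections import Counter

# Trident (MSHTML) engine version -> IE major version. The engine token is the
# reliable signal: IE in Compatibility View reports "MSIE 7.0" but keeps its
# real Trident version, and IE 11 drops the "MSIE" token altogether.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

# IE versions whose security support ended on 12 January 2016 on the desktop
# platforms discussed in the article.
UNSUPPORTED_IE = frozenset({8, 9, 10})

_TRIDENT_RE = re.compile(r"Trident/(\d+\.\d+)")
_MSIE_RE = re.compile(r"\bMSIE (\d+)\.\d+")

# Constructed proxy log format (an assumption for this example, not any
# vendor's format):
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
_LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def ie_major_version(user_agent):
    """Return the real IE major version in a User-Agent string, or None.

    Prefers the Trident token so that Compatibility View (MSIE 7.0 with a
    newer Trident) and IE 11 (no MSIE token) are both classified correctly.
    """
    m = _TRIDENT_RE.search(user_agent)
    if m and m.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[m.group(1)]
    m = _MSIE_RE.search(user_agent)
    if m:
        return int(m.group(1))  # IE 7 and older carry no Trident token
    return None


def parse_log_line(line):
    """Parse one proxy log line into a dict, or return None if malformed."""
    m = _LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize_ie_usage(lines):
    """Classify requests by IE version and list hosts still on IE 8/9/10.

    Returns a dict with:
      by_version         Counter of IE major version -> request count
      legacy_hosts       client IP -> set of unsupported IE versions seen
      unsupported_share  fraction of parsed requests made by IE 8/9/10
      unparsed           number of lines that did not match the log format
    """
    by_version = Counter()
    legacy_hosts = {}
    parsed = unsupported = unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec is None:
            unparsed += 1
            continue
        parsed += 1
        ver = ie_major_version(rec["ua"])
        if ver is None:
            continue  # not Internet Explorer
        by_version[ver] += 1
        if ver in UNSUPPORTED_IE:
            unsupported += 1
            legacy_hosts.setdefault(rec["client"], set()).add(ver)
    return {
        "by_version": by_version,
        "legacy_hosts": legacy_hosts,
        "unsupported_share": unsupported / parsed if parsed else 0.0,
        "unparsed": unparsed,
    }


# Constructed sample log lines (not real traffic). The User-Agent strings
# follow the documented formats for each IE version; line 3 is IE 10 running
# in Compatibility View, and the last line is deliberately malformed.
SAMPLE_LOG = """\
2016-01-11T12:01:03Z 10.0.5.21 GET http://intranet.example.local/app/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
2016-01-11T12:01:07Z 10.0.5.21 GET http://news.example.com/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
2016-01-11T12:02:15Z 10.0.5.33 GET http://intranet.example.local/app/ 200 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0)"
2016-01-11T12:03:40Z 10.0.5.40 GET http://www.example.org/ 200 "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko"
2016-01-11T12:04:02Z 10.0.5.52 GET http://www.example.org/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
2016-01-11T12:05:11Z 10.0.5.61 GET http://legacy.example.local/report 200 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
this line is garbage
"""

if __name__ == "__main__":
    report = summarize_ie_usage(SAMPLE_LOG.splitlines())
    for ver, n in sorted(report["by_version"].items()):
        tag = "UNSUPPORTED" if ver in UNSUPPORTED_IE else "supported"
        print(f"IE {ver:>2}: {n} requests ({tag})")
    print(f"unsupported share of parsed requests: {report['unsupported_share']:.0%}")
    for host, vers in sorted(report["legacy_hosts"].items()):
        print(f"restrict general browsing from {host} (IE {sorted(vers)})")
```

The `legacy_hosts` output is the input to whatever enforcement you choose, for instance a proxy ACL that only permits those client addresses to reach the internal application hosts. Note that the User-Agent is attacker-controllable and can be spoofed by a client, so this is an inventory aid, not an authentication signal.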