Microsoft is ending support for all versions of its Internet Explorer (IE) web browser except the latest, version 11. The end of support brings security risks for users who fail to upgrade.
Microsoft, which is now focusing on its new Edge browser, will stop rolling out security updates for Internet Explorer versions 8, 9 and 10, leaving users vulnerable to malware attacks.
Cyber-security firm Tripwire said that according to estimates, only 55 per cent of Internet Explorer users, some 340 million people worldwide, are currently on the latest, still supported, version.
“It is safe to assume that cyber-criminals have been stockpiling IE vulnerability information ahead of the support cut-off, and they will easily learn new attack techniques for older versions by analysing future IE 11 updates,” said Craig Young, security researcher at Tripwire.
“Rough estimates indicate that more than two-thirds of the vulnerabilities addressed in IE 11 also required patching in previous IE versions.”
Tripwire recommended that users who, for any reason, can’t upgrade to version 11 avoid using the unprotected systems while logged in as administrators. Attacking admin accounts is a known way of spreading malware into computer networks.
The firm also said that businesses with application requirements for older web browsers should block browsing from vulnerable systems to limit problems that tend to arise during the lunch hour when employees start exploring the web.
“It’s a cruel reality, but in an age of continual cyber-threats, there are no excuses for not carrying out browser updates,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernised.”
He added that IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers.
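The user-agent check described above can be sketched as follows. This is an added example, not code from Tripwire or Microsoft, and the function names and sample strings are constructed for illustration. It keys on the Trident engine token rather than the MSIE token, so that IE 11 running in compatibility mode (which reports an older MSIE number) is not dropped; it also assumes that IE 7 and older, which the article does not mention, should be treated as unsupported.

```python
import re

SUPPORTED_IE = 11  # the only version the article says still receives updates

_TRIDENT = re.compile(r"Trident/(\d+)\.")
_MSIE = re.compile(r"\bMSIE (\d+)\.")


def real_ie_version(user_agent):
    """Return the actual IE major version, or None if the client is not IE."""
    trident = _TRIDENT.search(user_agent)
    if trident:
        # Trident/4.0..7.0 ship with IE 8..11 (engine major + 4).
        # Compatibility modes rewrite the MSIE token but not this one.
        return int(trident.group(1)) + 4
    msie = _MSIE.search(user_agent)
    if msie:
        # No Trident token: IE 7 or older, which report their true version.
        return int(msie.group(1))
    return None


def should_drop(user_agent):
    """True when the request comes from an IE version older than 11."""
    version = real_ie_version(user_agent)
    return version is not None and version < SUPPORTED_IE


# Constructed sample user-agent strings (not captured traffic).
SAMPLES = {
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "ie8_compat": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)",
    "ie10": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
    "ie11": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "ie11_compat": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)",
    "ie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0",
}

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(f"{name:12} IE={real_ie_version(ua)!s:5} drop={should_drop(ua)}")
```

A rule that matched only on the MSIE token would wrongly drop the `ie11_compat` sample, cutting off the interim compatibility-mode route for legacy applications.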