The ghost of Internet Explorer will haunt the web for years
After a 13-month slump and the end of the last 13 months, Microsoft on Wednesday confirmed the retirement of Internet Explorer, the company’s long-lived and increasingly infamous web browser. Launched in 1995, IE has been pre-installed on Windows computers for almost two decades, and like Windows XP, Internet Explorer has become a staple — so much so that when it comes time for users to upgrade and move on, they usually don’t. And while last week’s milestone will keep more users away from historical browsers, security researchers stress that the IE and many of its security vulnerabilities have been removed.
In the coming months, Microsoft will disable the IE app on Windows 10 devices, instead guiding users to its next-generation Edge browser, which was first released in 2015. The IE icon will still remain on users’ desktops, and Edge includes a service. This is called “IE mode” to save access to older websites created for Internet Explorer. Microsoft says it will support IE mode at least until 2029. In addition, IE will still work on all supported versions of Windows 8.1, Windows 7 and Windows Server with Microsoft’s extended security updates, although the company says it will eventually phase out IE. In this, too.
Seven years after Edge’s debut, industry analysis suggests that Internet Explorer may still hold more than half a percent of the total global browser market share. And in the United States, that share could be closer to 2 percent.
“I think we’ve made progress, and in the future we may not see as much exploitation against IE, but we will have a lot of remnants of Internet Explorer that could be exploited by scammers,” says Ronnie Tokazowski, a longtime independent malware researcher and head of the cyber security firm Cofense. Risk Advisor. “The browser will be gone as Internet Explorer, but some pieces still exist.”
For something as long as IE, backward compatibility is hard to balance with the desire for a clean slate. “We haven’t forgotten that some parts of the web still depend on the specific behaviors and features of Internet Explorer,” Sean Lindersey, general manager of Microsoft Edge Enterprise, wrote in IE Preview, pointing to IE mode on Wednesday.
But he added that there is a real need to start with Edge rather than trying to save IE. “The web has evolved and so have browsers,” he wrote last week. “Increased improvements in Internet Explorer may not match the general improvements on the web at large, so we got a fresh start.”
Microsoft says it will still support IE’s built-in browser engine, known as “MSHTML”, and is still eyeing versions of Windows that are used in “critical environments”. But Maddie Stone, a researcher on Google’s Project Zero Vulnerability Hunting team, points out that hackers are still exploiting IE vulnerabilities in real-world attacks.
“Since we started tracking in-the-wild 0-days, the number of 0-days per year in Internet Explorer has been consistent. Despite the declining market share of Internet Explorer’s web browser users, the most in-the-wild Wild Internet Explorer we’ve tracked so far is 020 days for 2016 with 2021, “she wrote in April, with previously unknown vulnerabilities, called zero days.” Internet Explorer is still a good attack surface for early access to Windows machines, even if the user is not using Internet Explorer as their Internet browser. “
In her analysis, Stone specifically noted that the number of new IE vulnerabilities discovered by Project Zero is fairly stable, but the attackers have moved more and more to target the MSHTML browser engine through malicious files such as tainted office documents. This may mean that neutering the IE application will not immediately change the trend of attacks that are already in motion.
Considering how difficult it is to rein in Internet Explorer, Microsoft and IE users around the world have certainly reached a very large level. But for browsers that are considered dead, IE still has a lot of load on the living.