Endpoint
1/13/2016
03:30 PM

Top Survival Tips For IE End-Of-Life

If an immediate upgrade to the latest version is not an option for all your machines running Internet Explorer, here's how to mitigate your risk.

As of Tuesday, Microsoft will support only the most current version of the Internet Explorer (IE) browser available on any given client, server, or embedded operating system. In other words, a lot of systems are about to become less secure.

For example, any client machine running Windows 7 SP1 or later must be running IE 11 to keep receiving security updates. Yet, according to December statistics from Net MarketShare, IE versions 6 through 10 still collectively account for 20.65 percent of the desktop browser market.

"[End-of-life] software does not receive security updates and is easy to compromise," says Qualys CTO Wolfgang Kandek. "Attackers frequently target such systems for drive-by type of attacks as they are guaranteed to have no security fixes and successful exploitation is easy using public exploits."

Time to upgrade then, right? Not so fast.

"For most users, upgrading to the latest IE should be smooth and it’s a good move to retire old codebase," says Kandek. "But some organizations are using older IE versions because they have custom legacy web applications that break with newer browsers. For such organizations, the EOL move from Microsoft may feel like visiting the dentist after five years!"

So what can businesses that need to hold on to unsupported versions of IE do to reduce their risk?

Install Latest Patches

Yesterday, Microsoft issued its final patches for these end-of-life IE versions, and those patches fixed critical remote code execution vulnerabilities. While you're making your overdue migration plan, at least make sure to slap some spackle over the latest hole.

Reduce Privileges

James Maude, senior security engineer at Avecto, says, "Our recent research into Microsoft’s Patch Tuesday security bulletins found that 99.5% of all vulnerabilities in Internet Explorer could be mitigated by removing admin rights alone."

Tripwire recommends businesses "Ensure all users are running as standard users on Windows browsers, rather than as administrator-level users on their local systems. This will mitigate the risk of many common browser-based malware attacks."

Disconnect When Possible

"Businesses with application requirements for older Web browsers should block browsing from vulnerable systems," Tripwire recommends. "This step will limit problems that tend to arise during the lunch hour when employees start exploring the Web."

Virtualize and Segregate

"With 90% of undetected malware delivered by web browsing," says Maude, "this highlights why many organizations are now turning to sandboxing to provide an additional layer of security."

"In extreme cases where you need to run an outdated version of IE on a system that requires access to the Internet," says Chris Goettl, product manager with Shavlik, "you should look to invest in additional protective measures, such as Bufferzone. This would containerize the browsing experience and protect the system to return it to a good state if anything untoward were to occur during that session."

Tighten and Layer Defenses

Tripwire suggests "IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers."
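
The user-agent rule described above, as an added example that is not from the article or from Tripwire. It goes slightly beyond the quoted advice by reading the Trident engine token, so that IE 11 running in compatibility mode (which reports an old MSIE version) is not dropped along with genuinely outdated browsers. It assumes clients on Windows 7 SP1 or later, where IE 11 is the supported version; the log format, addresses and function names are constructed for illustration.

```python
import re

# Trident engine token -> real IE major version. IE 6 and 7 send no Trident token.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
TRIDENT_RE = re.compile(r"\bTrident/(\d+\.\d+)")
MSIE_RE = re.compile(r"\bMSIE (\d+)\.")
NAIVE_RE = re.compile(r"MSIE (?:[6-9]|10)\.")  # the obvious rule, for comparison
LINE_RE = re.compile(r'^(\S+) "[^"]*" "([^"]*)"$')  # constructed log format
MIN_SUPPORTED = 11  # assumption: Windows 7 SP1 or later clients

def ie_version(user_agent):
    """Return the real IE major version, or None if the UA is not IE."""
    trident = TRIDENT_RE.search(user_agent)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        # Compatibility mode rewrites the MSIE token but not the engine token.
        return TRIDENT_TO_IE[trident.group(1)]
    msie = MSIE_RE.search(user_agent)
    return int(msie.group(1)) if msie else None

def decide(user_agent):
    version = ie_version(user_agent)
    return "DROP" if version is not None and version < MIN_SUPPORTED else "ALLOW"

def naive_decide(user_agent):
    return "DROP" if NAIVE_RE.search(user_agent) else "ALLOW"

def audit(lines):
    """Return (client, real IE version, action) for each parsable log line."""
    results = []
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            client, ua = match.groups()
            results.append((client, ie_version(ua), decide(ua)))
    return results

# Constructed sample proxy log lines: client, request, user-agent.
REQ = '"GET http://intranet.example/app"'
SAMPLE_LOG = [
    f'10.0.0.11 {REQ} "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    f'10.0.0.12 {REQ} "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    # IE 11 in compatibility mode: claims MSIE 7.0, engine is Trident/7.0.
    f'10.0.0.13 {REQ} "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)"',
    f'10.0.0.14 {REQ} "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

The user-agent header is set by the client, so this check narrows exposure without verifying the browser. The naive pattern would drop the compatibility-mode request from 10.0.0.13 that the engine-aware check allows.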

Goettl recommends organizations watch out for both the IE versions and the XP embedded systems that went end-of-life yesterday, and sums up the entire process, soup to nuts:

Expect both outdated IE versions and XP embedded systems to become bigger targets for attackers. Remove outdated software versions and operating systems wherever possible. Lock down environments that need to keep running these systems. Layer defenses and segregate them from other parts of your network. Restrict access as much as possible, reduce privilege levels of any user logging onto these systems and allow only whitelisted applications to be installed. ... Moving off of the end of lifed platform is still the best option though.

“It’s a cruel reality, but in an age of continual cyberthreats, there are no excuses for not carrying out browser updates,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Whoopty,
User Rank: Ninja
1/14/2016 | 8:01:10 AM
Best practices
There's a lot of good points here - perhaps the most safety conscious being sandboxing the entire machine if it's running ancient software. That said, it's also worth considering best practices for the users to help avoid problems. Restricting browsing to specific sites which are known to be safe is a simple and very effective step to take.

Refusing to click any links or even checking messaging platforms which can transfer information would also be a smart plan.