
Top Survival Tips For IE End-Of-Life

If an immediate upgrade to the latest version is not an option for all your machines running Internet Explorer, here's how to mitigate your risk.

As of Tuesday, Microsoft will support only the most current version of the Internet Explorer (IE) browser available on any given client, server, or embedded operating system. In other words, a lot of systems are about to become less secure.

For example, any client machine running Windows 7 SP1 or later must be running IE 11 to keep receiving security updates. Yet, according to December statistics from Net MarketShare, IE versions 6 through 10 still collectively account for 20.65 percent of the desktop browser market.

"[End-of-life] software does not receive security updates and is easy to compromise," says Qualys CTO Wolfgang Kandek. "Attackers frequently target such systems for drive-by type of attacks as they are guaranteed to have no security fixes and successful exploitation is easy using public exploits."

Time to upgrade then, right? Not so fast.

"For most users, upgrading to the latest IE should be smooth and it’s a good move to retire old codebase," says Kandek. "But some organizations are using older IE versions because they have custom legacy web applications that break with newer browsers. For such organizations, the EOL move from Microsoft may feel like visiting the dentist after five years!"

So what can businesses that need to hold on to unsupported versions of IE do to reduce their risk?

Install Latest Patches

Yesterday, Microsoft issued its final patches for these end-of-life IE versions, and those patches fixed critical remote code execution vulnerabilities. While you're making your overdue migration plan, at least make sure to slap some spackle over the latest hole.

Reduce Privileges

James Maude, senior security engineer at Avecto, says, "Our recent research into Microsoft’s Patch Tuesday security bulletins found that 99.5% of all vulnerabilities in Internet Explorer could be mitigated by removing admin rights alone."

Tripwire recommends businesses "Ensure all users are running as standard users on Windows browsers, rather than as administrator-level users on their local systems. This will mitigate the risk of many common browser-based malware attacks."

Disconnect When Possible

"Businesses with application requirements for older Web browsers should block browsing from vulnerable systems," Tripwire recommends. "This step will limit problems that tend to arise during the lunch hour when employees start exploring the Web."

Virtualize and Segregate

"With 90% of undetected malware delivered by web browsing," says Maude, "this highlights why many organizations are now turning to sandboxing to provide an additional layer of security."

"In extreme cases where you need to run an outdated version of IE on a system that requires access to the Internet," says Chris Goettl, product manager with Shavlik, "you should look to invest in additional protective measures, such as Bufferzone. This would containerize the browsing experience and protect the system to return it to a good state if anything untoward were to occur during that session."

Tighten and Layer Defenses

Tripwire suggests "IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers."
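A sketch of the matching logic such a rule needs, added here as an illustration and not taken from Tripwire or the original article. It keys on the Trident engine token rather than the MSIE token, because IE 11 in compatibility mode advertises an old MSIE version and a naive rule would drop a supported browser. The function names, the `min_supported` parameter and the sample records are assumptions made for this example.

```python
import re

# Trident engine token -> real IE major version. IE 6 and 7 send no Trident token.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
MSIE_RE = re.compile(r"\bMSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"\bTrident/(\d+\.\d+)")


def ie_version(user_agent):
    """Return the real IE major version, or None when the UA is not IE."""
    trident = TRIDENT_RE.search(user_agent)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        # Compatibility mode sends an old MSIE token (e.g. "MSIE 7.0") but
        # keeps the true engine token, so the Trident value wins.
        return TRIDENT_TO_IE[trident.group(1)]
    msie = MSIE_RE.search(user_agent)
    return int(msie.group(1)) if msie else None


def should_drop(user_agent, min_supported=11):
    """True when the request comes from an IE older than min_supported."""
    version = ie_version(user_agent)
    return version is not None and version < min_supported


def flag_legacy_clients(records, min_supported=11):
    """Return (host, ie_version) for every record a drop rule would match."""
    return [(host, ie_version(ua)) for host, ua in records
            if should_drop(ua, min_supported)]


# Constructed sample records (host, User-Agent); not taken from real traffic.
SAMPLE = [
    ("ws-01", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    ("ws-02", "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"),
    ("ws-03", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)"),
    ("ws-04", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("ws-05", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"),
    ("ws-06", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Chrome/47.0.2526.106 Safari/537.36"),
]

if __name__ == "__main__":
    for host, version in flag_legacy_clients(SAMPLE):
        print(f"{host}: IE {version} is end-of-life, drop or redirect")
```

The same flagged list doubles as an inventory of machines that still need a migration plan.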

Goettl recommends organizations watch out for both the IE versions and the XP embedded systems that went end-of-life yesterday, and sums up the entire process, soup to nuts:

Expect both outdated IE versions and XP embedded systems to become bigger targets for attackers. Remove outdated software versions and operating systems wherever possible. Lock down environments that need to keep running these systems. Layer defenses and segregate them from other parts of your network. Restrict access as much as possible, reduce privilege levels of any user logging onto these systems and allow only whitelisted applications to be installed. ... Moving off of the end of lifed platform is still the best option though.

“It’s a cruel reality, but in an age of continual cyberthreats, there are no excuses for not carrying out browser updates,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

1/14/2016 | 8:01:10 AM
Best practices
There's a lot of good points here - perhaps the most safety conscious being sandboxing the entire machine if it's running ancient software. That said it's also worth considering best practices for the users to help avoid problems. Restricting browsing to specific sites which are known to be safe is a simple and very effective step to take.

Refusing to click any links or even checking messaging platforms which can transfer information would also be a smart plan.