As of Tuesday, Microsoft will support only the most current version of the Internet Explorer (IE) browser available on any given client, server, or embedded operating system. In other words, a lot of systems are about to become less secure.
For example, any client machine running Windows 7 SP1 or later must be running IE 11 if it is to keep receiving security updates. Yet, according to December statistics from Net MarketShare, IE versions 6 through 10 still collectively account for 20.65 percent of the desktop browser market.
"[End-of-life] software does not receive security updates and is easy to compromise," says Qualys CTO Wolfgang Kandek. "Attackers frequently target such systems for drive-by type of attacks as they are guaranteed to have no security fixes and successful exploitation is easy using public exploits."
Time to upgrade then, right? Not so fast.
"For most users, upgrading to the latest IE should be smooth and it’s a good move to retire old codebase," says Kandek. "But some organizations are using older IE versions because they have custom legacy web applications that break with newer browsers. For such organizations, the EOL move from Microsoft may feel like visiting the dentist after five years!"
So what can businesses that need to hold on to unsupported versions of IE do to reduce their risk?
Install Latest Patches
Yesterday, Microsoft issued its final patches for these end-of-life IE versions, and those patches fixed critical remote code execution vulnerabilities. While you're making your overdue migration plan, at least make sure to slap some spackle over the latest hole.
James Maude, senior security engineer at Avecto, says "our recent research into Microsoft’s Patch Tuesday security bulletins found that 99.5% of all vulnerabilities in Internet Explorer could be mitigated by removing admin rights alone."
Tripwire recommends businesses "Ensure all users are running as standard users on Windows browsers, rather than as administrator-level users on their local systems. This will mitigate the risk of many common browser-based malware attacks."
Disconnect When Possible
"Businesses with application requirements for older Web browsers should block browsing from vulnerable systems," Tripwire recommends. "This step will limit problems that tend to arise during the lunch hour when employees start exploring the Web."
Virtualize and Segregate
"With 90% of undetected malware delivered by web browsing," says Maude, "this highlights why many organizations are now turning to sandboxing to provide an additional layer of security."
"In extreme cases where you need to run an outdated version of IE on a system that requires access to the Internet," says Chris Goettl, product manager with Shavlik, "you should look to invest in additional protective measures, such as Bufferzone. This would containerize the browsing experience and protect the system to return it to a good state if anything untoward were to occur during that session."
Tighten and Layer Defenses
Tripwire suggests "IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers."
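The user-agent rule Tripwire describes is easy to get subtly wrong, so here is an added example (written for this page, not code from Tripwire or Microsoft) that applies it to a handful of constructed web-server log lines. It reads the real IE version from the Trident engine token rather than the MSIE token, because IE 11 in the compatibility mode mentioned later in this article reports "MSIE 7.0" while still carrying "Trident/7.0", and a naive rule would drop those legitimate requests. The "newest supported IE per Windows version" mapping is a simplified assumption in this example (Windows 7 SP1 and later to IE 11 comes from the article; Vista to IE 9 and "no supported IE" for XP reflect Microsoft's published support table); the log format, IP addresses and timestamps are constructed.

```python
import re

# Constructed Apache-style access-log lines (not from the article). The last quoted field is the User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2016:09:01:10 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.6 - - [12/Jan/2016:09:01:11 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
10.0.0.7 - - [12/Jan/2016:09:01:12 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.8 - - [12/Jan/2016:09:01:13 +0000] "GET /legacy HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)"
10.0.0.9 - - [12/Jan/2016:09:01:14 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)"
10.0.0.10 - - [12/Jan/2016:09:01:15 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.11 - - [12/Jan/2016:09:01:16 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36"
"""

MSIE_RE = re.compile(r"MSIE (\d+)\.")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.")
NT_RE = re.compile(r"Windows NT (\d+)\.(\d+)")
UA_FIELD_RE = re.compile(r'"([^"]*)"\s*$')


def ie_version(ua):
    """Return the real IE major version in a UA string, or None for a non-IE browser.

    The Trident token names the engine (Trident/N.0 is IE N+4, so Trident/7.0 is IE 11)
    and is preferred over the MSIE token: Compatibility View rewrites MSIE to 7.0 but
    leaves Trident untouched. IE 6 and IE 7 have no Trident token, so fall back to MSIE.
    """
    t = TRIDENT_RE.search(ua)
    if t:
        return int(t.group(1)) + 4
    m = MSIE_RE.search(ua)
    if m:
        return int(m.group(1))
    return None


def latest_supported_ie(ua):
    """Newest IE version still receiving updates for the Windows version in the UA.

    Simplified mapping (assumption for this example): NT 5.x (XP, Server 2003) -> 0,
    meaning no supported IE exists; NT 6.0 (Vista, Server 2008) -> 9; NT 6.1 and later -> 11.
    Returns None when no Windows NT token is present.
    """
    m = NT_RE.search(ua)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    if major < 6:
        return 0
    if major == 6 and minor == 0:
        return 9
    return 11


def classify(ua):
    """'allow' for non-IE browsers and for the newest IE on its OS, 'drop' for any older
    IE build (or any IE on an OS with no supported IE), 'review' when IE is seen but the
    OS cannot be determined from the string."""
    ie = ie_version(ua)
    if ie is None:
        return "allow"
    latest = latest_supported_ie(ua)
    if latest is None:
        return "review"
    return "allow" if latest > 0 and ie >= latest else "drop"


def filter_log(log_text):
    """Map each access-log line to (client_ip, detected_ie_version, verdict)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip = line.split(" ", 1)[0]
        ua_match = UA_FIELD_RE.search(line)
        ua = ua_match.group(1) if ua_match else ""
        results.append((ip, ie_version(ua), classify(ua)))
    return results


if __name__ == "__main__":
    for ip, version, verdict in filter_log(SAMPLE_LOG):
        print(f"{ip:<12} IE={version!s:<5} {verdict}")
```

Two details matter in practice. First, the compatibility-view line (10.0.0.8) is allowed because the Trident token says the engine is IE 11, which is exactly the case a plain "MSIE 7.0" match would have blocked. Second, the verdicts are only as trustworthy as the User-Agent header, which the client controls; as Tripwire notes, this trims attack surface from genuinely old browsers rather than proving anything about a request, so it belongs alongside the standard-user and segmentation measures above, not in place of them.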
Goettl recommends organizations watch out for both the IE versions and the XP embedded systems that went end-of-life yesterday, and sums up the entire process, soup to nuts:
Expect both outdated IE versions and XP embedded systems to become bigger targets for attackers. Remove outdated software versions and operating systems wherever possible. Lock down environments that need to keep running these systems. Layer defenses and segregate them from other parts of your network. Restrict access as much as possible, reduce privilege levels of any user logging onto these systems and allow only whitelisted applications to be installed. ... Moving off of the end-of-lifed platform is still the best option though.
“It’s a cruel reality, but in an age of continual cyberthreats, there are no excuses for not carrying out browser updates,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”