
1/13/2016
03:30 PM

Top Survival Tips For IE End-Of-Life

If an immediate upgrade to the latest version is not an option for all your machines running Internet Explorer, here's how to mitigate your risk.

As of Tuesday, Microsoft will support only the most current version of the Internet Explorer (IE) browser available on any given client, server, or embedded operating system. In other words, a lot of systems are about to become less secure.

For example, any client machine running Windows 7 SP1 or later must be running IE 11 to keep receiving security updates. Yet, according to December statistics from Net MarketShare, IE versions 6 through 10 still collectively account for 20.65 percent of the desktop browser market.

"[End-of-life] software does not receive security updates and is easy to compromise," says Qualys CTO Wolfgang Kandek. "Attackers frequently target such systems for drive-by type of attacks as they are guaranteed to have no security fixes and successful exploitation is easy using public exploits."

Time to upgrade then, right? Not so fast.

"For most users, upgrading to the latest IE should be smooth and it’s a good move to retire old codebase," says Kandek. "But some organizations are using older IE versions because they have custom legacy web applications that break with newer browsers. For such organizations, the EOL move from Microsoft may feel like visiting the dentist after five years!"

So what can businesses that need to hold on to unsupported versions of IE do to reduce their risk?

Install Latest Patches

Yesterday, Microsoft issued its final patches for these end-of-life IE versions, and those patches fixed critical remote code execution vulnerabilities. While you're making your overdue migration plan, at least make sure to slap some spackle over the latest hole.

Reduce Privileges

James Maude, senior security engineer at Avecto, says, "Our recent research into Microsoft’s Patch Tuesday security bulletins found that 99.5% of all vulnerabilities in Internet Explorer could be mitigated by removing admin rights alone."

Tripwire recommends businesses "Ensure all users are running as standard users on Windows browsers, rather than as administrator-level users on their local systems. This will mitigate the risk of many common browser-based malware attacks."

Disconnect When Possible

"Businesses with application requirements for older Web browsers should block browsing from vulnerable systems," Tripwire recommends. "This step will limit problems that tend to arise during the lunch hour when employees start exploring the Web."

Virtualize and Segregate

"With 90% of undetected malware delivered by web browsing," says Maude, "this highlights why many organizations are now turning to sandboxing to provide an additional layer of security."

"In extreme cases where you need to run an outdated version of IE on a system that requires access to the Internet," says Chris Goettl, product manager with Shavlik, "you should look to invest in additional protective measures, such as Bufferzone. This would containerize the browsing experience and protect the system to return it to a good state if anything untoward were to occur during that session."

Tighten and Layer Defenses

Tripwire suggests "IT departments should consider deploying network protection rules to drop HTTP requests based on vulnerable user-agent strings. It may be possible for advanced users to change the user-agent string in an attempt to bypass these restrictions, but this step will reduce the attack surface of older browsers."
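One way to express the user-agent rule Tripwire describes, as an added example that is not code from the article or from Tripwire: it classifies a User-Agent header as end-of-life IE and decides whether to drop the request. The minimum version of 11 is an assumption taken from the Windows 7 SP1 case above, the function names are hypothetical, and the engine is read from the Trident token so that IE 11 in compatibility mode (which reports "MSIE 7.0") is not blocked.

```python
import re

MSIE_RE = re.compile(r"\bMSIE (\d+)\.")
TRIDENT_RE = re.compile(r"\bTrident/(\d+)\.")
MIN_SUPPORTED_IE = 11  # assumption: Windows 7 SP1 or later clients

# Constructed sample User-Agent headers (not captured traffic).
SAMPLE_USER_AGENTS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    # IE 11 in compatibility view: old MSIE token, current engine token.
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0",
]


def ie_major_version(user_agent):
    """Return the real IE major version, or None if the header is not IE."""
    trident = TRIDENT_RE.search(user_agent)
    if trident:
        # Trident/4.0 shipped with IE 8, 5.0 with IE 9, 6.0 with IE 10 and
        # 7.0 with IE 11, so the engine token gives the true version even
        # when the MSIE token is lowered by a compatibility mode.
        return int(trident.group(1)) + 4
    msie = MSIE_RE.search(user_agent)
    if msie:
        # IE 6 and IE 7 send no Trident token; trust the MSIE token.
        return int(msie.group(1))
    return None


def should_drop(user_agent, min_supported=MIN_SUPPORTED_IE):
    """True when the header identifies an IE version below the supported one."""
    version = ie_major_version(user_agent)
    return version is not None and version < min_supported


def triage(user_agents):
    """Return (detected IE version, action) for each header, in order."""
    return [(ie_major_version(ua), "DROP" if should_drop(ua) else "ALLOW")
            for ua in user_agents]


if __name__ == "__main__":
    for ua, (version, action) in zip(SAMPLE_USER_AGENTS, triage(SAMPLE_USER_AGENTS)):
        print(f"{action:5} IE={version} {ua}")
```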

Goettl recommends organizations watch out for both the IE versions and the XP embedded systems that went end-of-life yesterday, and sums up the entire process, soup to nuts:

Expect both outdated IE versions and XP embedded systems to become bigger targets for attackers. Remove outdated software versions and operating systems wherever possible. Lock down environments that need to keep running these systems. Layer defenses and segregate them from other parts of your network. Restrict access as much as possible, reduce privilege levels of any user logging onto these systems and allow only whitelisted applications to be installed. ... Moving off of the end of lifed platform is still the best option though.

“It’s a cruel reality, but in an age of continual cyberthreats, there are no excuses for not carrying out browser updates,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “Microsoft has advised people to upgrade for a long time now, so it is likely that many app developers have at least started updating their apps to work with IE 11. For applications that aren’t ready in time, IE 11 offers a ‘compatibility mode,’ which should provide an interim solution until those applications are modernized. If you don’t have a transition plan in place yet, now is the time to put one in place – the longer older versions of IE are unsupported, the more attackers will target them.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Whoopty,
User Rank: Ninja
1/14/2016 | 8:01:10 AM
Best practices
There are a lot of good points here - perhaps the most safety conscious being sandboxing the entire machine if it's running ancient software. That said, it's also worth considering best practices for the users to help avoid problems. Restricting browsing to specific sites which are known to be safe is a simple and very effective step to take.

Refusing to click any links or even checking messaging platforms which can transfer information would also be a smart plan.