Last week, Microsoft ended support for older versions of Internet Explorer (versions 8, 9, and 10). This was done as part of the January 2016 Patch Tuesday cycle; at the same time support for Windows 8 also ended. This means that Microsoft will stop updating old versions of the browser and from now on (with some small exceptions) only systems with the latest IE version (Internet Explorer 11) will receive updates and patches. This poses risks to both end users and enterprises that fail to upgrade to new browser versions.
Because there will no longer be any patches for older IE versions, any security bug reported in these browsers will not be fixed, leaving these systems exposed to newly discovered threats. If a new zero-day exploit targeting these old IE versions emerges, systems running them could be compromised, since no patch will ever be issued. The attack surface may grow as this "patch gap" widens with every month. IE has long been a target of exploit kits; one recent case targeted vulnerabilities found in the Hacking Team leak.
A significant number of users are still at risk. December 2015 browser usage data from Net Market Share indicates that nearly 20% of users are still on older versions of IE:
Figure 1. December 2015 browser usage statistics
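An enterprise can measure its own exposure by checking which IE versions still hit its web servers. The following is an added example, not code from the original post, that classifies the User-Agent strings in constructed combined-format log lines; it keys on the Trident engine token because IE11 keeps it even when Compatibility View makes the browser report "MSIE 7.0". The sample lines and the SUPPORTED_IE threshold are assumptions.

```python
import re
from collections import Counter

# Trident (layout engine) version -> IE major version. Trident is a more
# reliable signal than the "MSIE x.0" token: IE11 drops that token, and
# Compatibility View makes a newer IE advertise an older MSIE version.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
SUPPORTED_IE = 11  # assumption: only IE11 keeps receiving patches

MSIE_RE = re.compile(r"MSIE (\d+)\.\d+")
TRIDENT_RE = re.compile(r"Trident/(\d\.\d)")
# In combined log format the last quoted field is the User-Agent.
UA_RE = re.compile(r'"[^"]*" "(?P<ua>[^"]*)"$')


def ie_major_version(user_agent):
    """Return the IE major version for a User-Agent, or None if it is not IE."""
    trident = TRIDENT_RE.search(user_agent)
    if trident and trident.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[trident.group(1)]
    msie = MSIE_RE.search(user_agent)  # pre-Trident IE (IE7 and older)
    return int(msie.group(1)) if msie else None


def unsupported_ie_hits(log_lines):
    """Count requests per IE major version that no longer receives patches."""
    counts = Counter()
    for line in log_lines:
        match = UA_RE.search(line)
        if not match:
            continue
        version = ie_major_version(match.group("ua"))
        if version is not None and version < SUPPORTED_IE:
            counts[version] += 1
    return dict(counts)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2016:10:01:02 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"',
    '10.0.0.6 - - [12/Jan/2016:10:01:05 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"',
    '10.0.0.7 - - [12/Jan/2016:10:01:09 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"',
    '10.0.0.8 - - [12/Jan/2016:10:01:12 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)"',
    '10.0.0.9 - - [12/Jan/2016:10:01:15 +0000] "GET /portal HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/47.0.2526.106"',
]

if __name__ == "__main__":
    print(unsupported_ie_hits(SAMPLE_LOG))  # {8: 1, 10: 1}
```

The fourth sample line is IE11 in Compatibility View and is correctly left out of the unsupported count.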
Upgrading to the latest version remains the recommended fix. Newer browser versions not only offer increased security through the protections introduced in later releases, but also better usability and closer compliance with web standards. However, some enterprises may need more time, as they have to test for and fix browser compatibility issues in IE-dependent internal applications. Microsoft's EMET should be a useful tool for these enterprises in particular.
In addition to the above solutions, Trend Micro Deep Security and Vulnerability Protection products continue to provide protection for operating systems (such as Windows XP and Windows 2003 Server) and applications (like Java and Apache Tomcat) that have reached their end-of-life. Some of our earlier materials on this topic include:
Deep Security and Vulnerability Protection provide multiple layers of protection for end-of-life products. Both include intrusion detection and prevention (IDS/IPS) modules that provide virtual patches for vulnerabilities in the unsupported browsers, mitigating risks such as system infection or, worse, data theft. The application scanning in these products can detect vulnerabilities present in applications, while the anti-malware feature can detect malicious files that use these vulnerabilities as part of their infection chain.