End of Life for Internet Explorer 8, 9 and 10

Microsoft has started the year with an announcement that, effective Jan. 12, 2016, support for all older versions of Internet Explorer (IE) will come to an end (known as an EoL, or End of Life). The affected versions are Internet Explorer 7, 8, 9, and 10.

What this means for users is that Microsoft will no longer release new security updates for these product versions going forward. This gives users two options: Internet Explorer 11 and Microsoft Edge, the latter of which is currently exclusive to Windows 10. If users would like to keep their browsers up to date, they will need to upgrade to either of these two options.

It should go without saying that Internet Explorer users are strongly encouraged to update to the latest version. It offers improved security with the latest security features and mitigations. Two notable mitigations introduced to the browser in 2014 are Isolated Heap and Memory Protect, which were implemented on Patch Tuesday of June and July 2014 respectively. Prior to that, Microsoft made a similar announcement about the Windows XP Operating System, wherein they issued an End of Life for XP in April 2014.

These are all steps in right direction for the Microsoft teams because it allows for the consolidation of team efforts, resulting in a stronger focus on securing fewer versions across a smaller code base. Microsoft continues to silently enhance protections as the months go by while at the same time trimming code.

Figure 1 shows the vulnerability counts for Internet Explorer versions in 2015.

Figure 1. Internet Explorer vulnerability count for 2015 [1]

The graph above shows the total number of reported vulnerabilities affecting each version of Internet Explorer across the months of 2015. Keeping in mind that these are non-unique counts, we can observe that, for the most part, the majority of the reported vulnerabilities affected Internet Explorer 11.

Figure 2 shows the most notable in the wild (ITW) attacks exploiting Internet Explorer in 2014 and 2015.

Year

CVE

Affects

2014

CVE-2014-0322

IE 9 and 10

2014

CVE-2014-1776

IE 6 to 11

2015

CVE-2015-2419

IE 10 and 11

2015

CVE-2015-2502

IE 7 to 11

Figure 2. ITW attacks of Internet Explorer [1]

The majority of the attacks found ITW in 2014 and 2015 affected IE 11.

Figure 3 compares the count of vulnerabilities that affect Internet Explorer 11 (IE 11) to the ones that don’t.

Figure 3. IE11 vs. Non-IE11 vulnerability count [1]

Based on the information found in Figures 1, 2, and 3, most of the vulnerabilities reported in 2015 affected Internet Explorer 11. This shows that attackers, as well as researchers, are focusing considerably on Internet Explorer 11. Microsoft’s most recent move will allow the company to do the same.

It should be noted that, as of Internet Explorer 11, some features are no longer supported or are considered deprecated. These include, but are not limited to, VML and VBScript, which have been used to exploit and compromise the integrity of Internet Explorer, or leveraged to bypass ASLR/DEP in the past. This is a strong move in the right direction, as trimming the code base leads to shrinking the attack surface. This helps secure products such as Internet Explorer.

It is also worth noting that at this point no ITW attacks have been observed against Microsoft Edge, the new web browser that currently ships exclusively with Windows 10. Microsoft Edge also follows the same approach of removing unnecessary features such as ActiveX and Browser Helper Objects, as well as others.

In conclusion, after Jan. 12, 2016, older Internet Explorer users will be exposed to vulnerabilities that may be exploited by malware and targeted by Exploit Kits. The best way to defend against this is to keep your browser up to date by upgrading to Internet Explorer 11 or using Microsoft Edge.

[1] Microsoft Security Bulletins: https://technet.microsoft.com/en-us/library/security/dn610807.aspx