Endpoint Security , Technology

Upgrade Now: Old Internet Explorer Loses Support

It's Microsoft's Way - IE11/Edge - or the Highway, Technology Giant Warns
Upgrade Now: Old Internet Explorer Loses Support

Breaking up is hard to do. But for anyone who's still using older versions of Internet Explorer or Windows XP Embedded SP3: It's time to move on.

See Also: Data Center Security Study - The Results

That's the message from Microsoft, which on Jan. 12 ceased support for not just the embedded operating system - although expensive "extended support" contracts are still available for two more years - as well as also older versions of its aging IE browser. "Only the most current version of Internet Explorer available for a supported operating system will receive technical supports and security updates," Microsoft says. "Internet Explorer 11 is the last version of Internet Explorer, and will continue to receive security updates, compatibility fixes, and technical support on Windows 7, Windows 8.1, and Windows 10."

How many people are at risk? It's tough to know exactly how many devices are still running Windows XP Embedded SP3 - or earlier. Originally released in 2002, it has been installed on numerous types of stand-alone systems - including ATMs, kiosks and point-of-sale devices - that many organizations do not update on a frequent basis.

Likewise, it's tough to know how many people now use a version of IE that is no longer getting patches. Related estimates vary anywhere from 100 million to 300 million.

But NetMarketShare, which tracks browser usage, estimates that as of December 2015, 47 percent of all browser users employ IE. It says more than half of all IE users were already on version 11, while 3 percent were using the newer Edge browser that began shipping with Windows 10. The second most-popular Microsoft browser, however, remains IE 8, which was released in 2009, followed by IE 9, which was released in 2011. Both are no longer getting patched, yet have known vulnerabilities.

The perils of continuing to use outdated IE is that it becomes a hack magnet for cybercriminals gunning for large amounts of PCs that they can quickly and easily exploit, using automated crimeware toolkits (see Nuke Old Java, FTC Tells Oracle). Such toolkits can be used to "weaponize" otherwise legitimate websites so they launch drive-by attacks that target known browser flaws. Some toolkits can also be used to generate malware that's designed to find and exploit known flaws on PCs.

Furthermore, cybercriminals who reverse-engineer Microsoft's latest batch of security fixes, released Jan. 12, will have new tricks for exploiting IE 10 and earlier. That's because Microsoft's security update patches a remote-code execution flaw in all versions of IE that's rated "critical," meaning that an attacker could remotely exploit it to take full control of a system.

Silverlight Stings

Another flaw to beware - also patched Jan. 12 - is a bug in the Web browser plug-in Silverlight, which would allow attackers to remotely exploit any Windows and Mac OS X systems on which it's installed. "In a web-browsing scenario, an attacker who successfully exploited this vulnerability could obtain the same permissions as the currently logged-on user," Microsoft says. "If a user is logged on with administrative user rights, an attacker could take complete control of the affected system."

The latest version - Silverlight 5.1.41212.0 - patches the flaw; use Microsoft's Silverlight page to see if the plug-in is installed on your system.

Silverlight, which was launched as a competitor to Flash, continues to be supported by IE, Mozilla Firefox and Apple Safari (see 2016 Resolution: Ditch Flash). Google, however, dropped support for Silverlight in April 2015, with version 42 of its browser.

Silverlight continues to be used by some SCADA systems running in industrial control system environments (see How to Block Ukraine-Style Hacker Attacks). Some streaming-media services, such as the U.K.'s Sky, as well as Netflix, also continue to support Silverlight. Netflix, however, did add the option of HTML 5 for Windows users beginning in December 2015.

Hacking Team Leak Legacy

The Silverlight flaw was discovered by Kaspersky Lab, which learned of the existence of the vulnerability - although no technical details - thanks to the hacker known as "Phineas Fisher," who hacked into Italian spyware vendor Hacking Team and in July 2015 released 400 GB of corporate data, including emails and code (see Hacking Team Dump: Windows Zero Day).

The leaked emails, Ars Technica reported, revealed that Hacking Team had bought a zero-day Flash exploit from a 33-year-old Russian who identified himself as Moscow-based Vitaliy Toropov, and who also offered to sell it the zero-day Silverlight exploit, which he said he'd crafted 2.5 years before (see Hacking Team Zero-Day Attack Hits Flash).


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network