Microsoft buried Internet Explorer. But not completely — again | Kaspersky official blog
Credit to Author: Alanna Titterington| Date: Fri, 05 May 2023 10:57:32 +0000
Not so long ago, the IT-security media space was once again full of cheery reports that Microsoft was finally burying Internet Explorer (IE). Let’s recap the long story of how the once most-popular browser in the world was gradually disconnected from its life-support systems, and investigate whether it’s finally time to rejoice (spoiler: it isn’t).
Internet Explorer: life and death chronicles
We remind those who didn’t witness (or have forgotten) the 2000s that, back then, Internet Explorer ruled the web, with a browser market share of more than 90%. It’s hard to believe it now, but Explorer was even more dominant than the current champion, Google Chrome, is now.
However, since the introduction of Chrome in 2008, Explorer’s popularity has been steadily falling away. We can consider 2012 as the end of the Explorer era, when Chrome finally overtook it. That said, Microsoft’s first official acknowledgment of this fact came only in 2015.
Back then, along with unveiling Windows 10, the company announced it was closing down Internet Explorer’s development and introducing Edge as the default browser for Windows, signifying the first phase of IE’s decommissioning. The original version of Edge was powered by Microsoft’s own EdgeHTML engine, a modification of the MSHTML (also known as Trident), on which Internet Explorer was based.
Of course, Edge featured an IE compatibility mode. However, Explorer, in its eleventh and final version, was still integrated into the operating system. So began the dual-browser period, when both Edge and Explorer were preinstalled in Windows, which (another spoiler) continues to this day.
Three years later, in December 2018, came phase two: Microsoft abandoned further attempts to develop its own engine and unveiled an all-new version of Edge, this time based on Chromium. This browser, too, had an IE compatibility mode. And Explorer was still left in the system.
In 2021, Microsoft released its new Windows 11. It was now no longer possible to boot up and use Explorer as a standalone browser — theoretically at least. However, Edge still retained its IE compatibility mode. And Explorer itself was still present in the system, so, after a spot of tinkering, it was still possible to run it.
A couple of years after that, just recently in February 2023, news broke that Microsoft had finally finished off Explorer in its latest update. A coup de grace, ending this cruel agony. But, upon closer inspection, it turns out that the old dog is still breathing!…
Disable doesn’t mean delete
The first thing to realize about the Windows update is that it doesn’t expunge Explorer from the operating system; it disables it. In practice, this means that Explorer can no longer be launched as a standalone browser (this time for sure). However, Edge, formally the only browser in Windows, still has an IE-compatible mode. This means that Explorer is still alive — if not quite kicking: it’s there just to ensure the operation of this mode.
Now if you try to open Explorer, Edge will run instead. And in it, if you really want to, you can select IE compatibility mode. Consequently, Explorer will continue to inhabit Windows until Microsoft finally decides to bury IE compatibility mode.
The patch to disable IE doesn’t work on all systems
Even the disabling of Explorer wasn’t absolute. There’s a whole raft of operating systems excluded from getting the update that turns IE off. Microsoft has kindly published a list of these exclusions:
- Windows 8.1
- Windows 7 Extended Security Updates (ESU)
- Windows Server Semi-Annual Channel (SAC), all versions
- Windows 10 IoT Long-Term Servicing Channel (LTSC), all versions
- Windows Server LTSC, all versions
- Windows 10 client LTSC, all versions
- Windows 10 China Government Edition
In other words, users of these operating systems haven’t received even above mentioned changes. They will still be able to run Internet Explorer as a standalone browser.
What’s the problem anyway?
The problem is that along with the hopelessly obsolete browser all its vulnerabilities (plus yet-undiscovered ones) will remain in the system. The only real difference between “before” and “after” IE disabling is that it might become a bit harder to exploit this vulnerable browser in certain types of attacks.
As a vivid illustration of what can go wrong, we can recall the vulnerability CVE-2021-40444. It was discovered in the MSHTML engine of Internet Explorer in 2021. What’s more, at the time of discovery, the vulnerability was already being exploited in attacks on Microsoft Office users. The attackers complemented Office documents with a malicious ActiveX element, which allowed remote code execution after the user opened the trojanized file.
Why doesn’t Microsoft just bury Explorer for good? The issue is that this browser was for too long the only viable option for many companies, during which time it managed to spread deep roots in their infrastructure. Some of those companies are still unable to part with the legacy of this dark past. So, for the sake of compatibility (a sacred cow for Microsoft), the half-dead browser has been dragged from OS to OS for over a decade now.
How to stay protected
By the looks of it, we’ll likely be waiting at least a few more years before Internet Explorer is finally put out of its misery completely. Therefore, unless you want to wait for MS to finally kill off IE once and for all, (which we strongly advise against), it’s better to administer the last rites yourself:
- If your company is still using technologies tied to Internet Explorer, try to phase them out and switch to modern ones. Seriously, this should have been done 10 years ago.
- Then, when you no longer need IE compatibility, it’s wise to disable the browser on all operating systems you use. For the above-listed operating systems, this will have to be done manually — the Microsoft website has a comprehensible list of instructions on how to do this. For all other systems, make sure the relevant Microsoft patch is installed.
- According to Microsoft advice, you should continue to install security updates that apply to Internet Explorer even after you disable it, as applicable, because some components of the browser remain on the system.
- And, of course, use reliable protection on all devices in your company.