After years of decline and a final wind-down over the past 13 months, Microsoft on Wednesday confirmed the retirement of Internet Explorer, the company’s long-running and increasingly popular web browser. Launched in 1995, IE came pre-installed on Windows computers for almost two decades, and like Windows XP, Internet Explorer became a mainstay – to the point that when it came time for users to upgrade and move on, they often didn’t. And while last week’s milestone will push even more users off the historic browser, security researchers point out that IE and its many security vulnerabilities are far from gone.
In the coming months, Microsoft will disable the IE app on Windows 10 devices, instead directing users to its next-generation Edge browser, first launched in 2015. The IE icon will still remain on users’ desktops, and Edge includes a service called “IE mode” to preserve access to old websites built for Internet Explorer. Microsoft says it will support IE mode at least until 2029. In addition, IE will continue to run on all supported versions of Windows 8.1, Windows 7 with advanced security updates from Microsoft and Windows Server, although the company says it will eventually remove IE from these, too.
Seven years after Edge’s debut, industry analysis shows that Internet Explorer may still hold more than half a percent of the total global browser market share. And in the United States, that share could be closer to 2 percent.
“I think we’ve made progress and we probably won’t see as many exploits against IE in the future, but we’ll still have remnants of Internet Explorer for a long time that fraudsters can take advantage of,” said Roni Tokazovski, a longtime independent malware researcher and key threat advisor at cybersecurity firm Cofense. “Internet Explorer as a browser will disappear, but there are still pieces that exist.”
For something as long-lived as IE, backward compatibility is hard to balance with the desire for a clean slate. “We have not forgotten that some parts of the network still rely on the specific behavior and features of Internet Explorer,” Sean Lindersey, general manager of Microsoft Edge Enterprise, wrote in a retrospective on IE on Wednesday, pointing to IE mode.
But he added that there is a real need to start over with Edge, instead of trying to save IE. “The web has evolved, as have browsers,” he wrote last week. “The gradual improvements to Internet Explorer could not match the overall improvements on the web as a whole, so we started fresh.”
Microsoft says it will still support IE’s underlying browser engine, known as “MSHTML,” and is keeping an eye on versions of Windows that are still “used in critical environments.” But Maddie Stone, a researcher on Google’s Project Zero vulnerability research team, points out that hackers still exploit IE vulnerabilities in real-world attacks.
“Ever since we started tracking 0-days in the wild, Internet Explorer has had a fairly constant number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days that we have ever tracked, although the market share of Internet Explorer for web browser users continues to decline,” she wrote in April, referring to previously unknown vulnerabilities known as zero-days. “Internet Explorer is still a mature attack surface for initial logon to Windows machines, even if the user does not use Internet Explorer as their Internet browser.”
In her analysis, Stone specifically noted that while the number of new IE vulnerabilities discovered by Project Zero remains relatively constant, over the years attackers have increasingly targeted the MSHTML engine through malicious files such as tainted Office documents. This may mean that disabling the IE application will not immediately change attack trends that are already under way.
Given how difficult it was to master Internet Explorer at all, Microsoft and IE users around the world have certainly come a long way. But for a browser that’s supposed to be dead, IE is still heavily loaded with survivors.