With more of a whimper than a bang, Microsoft has followed up on its August 2014 promise to end support for older versions of Internet Explorer. As of today (January 12th, 2016), Microsoft will no longer offer support and security updates for several versions of Internet Explorer running on various versions of Windows.
Internet Explorer versions 8, 9, and 10 will no longer be supported on Windows 7, Windows 8.1 and Windows 10 desktop operating systems. This is presumably less of an issue for the latter two, as these operating systems shipped with Internet Explorer 11; it may, however, be problematic for web designers and others who managed to install an older version of Internet Explorer for development or testing purposes.
Only one supported Windows desktop operating system receives a reprieve from Microsoft's diktat: the much-disparaged Windows Vista. Since Internet Explorer 11 was never made available for it, Internet Explorer 9 remains the sole supported version of Internet Explorer for this operating system. Given Windows Vista's market share, this probably does not pose a major undertaking for IT departments, although it may for home users who still have not upgraded to newer versions of Windows.
Some of the Microsoft's server operating systems are not immune to this requirement, either: Internet Explorer 9 is required for Windows Server 2008 SP2, the server operating system that parallels Windows Vista. Windows Servers 2008 R2 and Windows Server 2012 R2 require Internet Explorer 11, as well. Windows Server 2012 (the non-R2 edition), which paralleled the release of Windows 8, never had Internet Explorer 11 released for it, so its solely-supported version of Internet Explorer is Internet Explorer 10.
If all of this seems a bit confusing, perhaps the following chart will make things clearer:
Operating System | Supported version of Internet Explorer (as of January 12th, 2016) |
---|---|
Windows Vista SP2 | Internet Explorer 9 |
Windows Server 2008 SP2 | Internet Explorer 9 |
Windows 7 SP1 | Internet Explorer 11 |
Windows Server 2008 R2 SP1 | Internet Explorer 11 |
Windows Server 2012 | Internet Explorer 10 |
Windows 8 | Microsoft recommends upgrading to Windows 8.1 |
Windows 8.1* | Internet Explorer 11 |
Windows Server 2012 R2* | Internet Explorer 11 |
Windows 10* | Internet Explorer 11 |
Windows Server 2016 Preview* | Internet Explorer 11 |
*Denotes operating system that shipped with Internet Explorer 11
Simplifying Browser Security
The reason for these changes is simple: reducing the number of computers running older versions of Internet Explorer, and getting as many computers as possible running the latest version of Internet Explorer available to them, greatly improves the security of the Windows ecosystem. It also slightly reduces the amount of engineering and quality assurance testing Microsoft needs to perform on Internet Explorer, allowing the company to devote additional resources to Microsoft Edge, its next-generation web browser for Windows 10, Windows Server 2016 and beyond. Designed from the ground up as a replacement for Internet Explorer, Edge is intentionally missing several of Internet Explorer's features which have been abused by malware authors over the years, such as Browser Help Objects (BHOs) and ActiveX controls.
With Internet Explorer's market share hovering at just over 11% (down from a high of 95% in 2003) this may seem like a lot of effort for little return. However, it is important to keep in mind that with over a billion computers running various versions of Windows, a single percentage point represents over 10 million computers. Also, it should be noted that many government, financial services and health care websites may recommend or even require that Internet Explorer be used, and using older versions of Internet Explorer could expose users to fraud and theft as vulnerabilities in unsupported versions are exploited by criminals and other malicious actors.
Of course, not even Microsoft is ready to replace Internet Explorer quite just yet. Visiting the Microsoft Update Catalog website in the Mozilla Firefox web browser returns the following error page, recommending the use of Internet Explorer 6 or later. Internet Explorer 6.0 was the web browser included with Microsoft Windows XP in 2001.
What do home users need to do?
If you are a home user and running Windows Vista or newer, your computer is probably running the latest version of Internet Explorer. Here's how to verify this, step-by-step:
- Click on the Start button and type "IEXPLORE.EXE" (without quotation marks) into the search bar and press Enter. Internet Explorer should then launch.
- From Internet Explorer's menu bar, select Help | About Internet Explorer (if you don't see a menu bar, press the Alt+H keys together, then select About Internet Explorer). The version number for Internet Explorer will be displayed in a popup window:
If the computer does not have the latest version of Internet Explorer installed for its version of Windows, try running Windows Update to perform a manual install of it. To launch Windows Update, type "WUAPP.EXE" (again, without quotation marks) into the search bar.
You may also want to install any other updates, patches or service packs that are available.
What do business users need to do?
For businesses, the situation may be more complex, especially if your company uses older, no-longer-supported line-of-business applications or websites relying on an older version of Internet Explorer. Hopefully, the IT department has rectified this. If not, Microsoft's ending of support for these older versions of Internet Explorer may just be what is needed to upgrade to more modern web tools, especially if in a regulated industry.
What if I can't upgrade just yet?
For home users or businesses who need to continue to use insecure and unsupported versions of Internet Explorer, here are ESET's recommendations for you:
- Patch and update all other applicable parts of the operating system, as well as applications commonly tied into the web browser, such as Adobe Flash and Oracle Java.
- Install a more modern, third-party web browser such as Google Chrome or Mozilla Firefox and make it the default web browser and corporate standard for all web access. Both web browsers come with auto-update mechanisms. Make sure these are enabled, or that you have a mechanism in place for deploying updates to the new browser.
- Limit the use of Internet Explorer only to the application(s) or website(s) requiring it. This can be enforced through the use of desktop firewall software. An example of how to do this with ESET Smart Security can be found here in our knowledgebase.
- Use anti-malware software that is capable of scanning web traffic (including SSL-encrypted and FTP traffic).
Internet Explorer and Beyond
It's been over 20 years since Internet Explorer was first released for Microsoft Windows 95, and Internet Explorer 11 marks the last release in that line. However, since Internet Explorer is included with Windows 10, and Windows 10 will be supported by Microsoft until 2025 (at least), this gives users of Windows and developers of we sites plenty of time to acclimate to its successor, Microsoft Edge, or to adopt a third-party web browser, such as Google Chrome or Mozilla Firefox.
I would like to thank my colleagues Bruce Burrell, Nick FitzGerald and David Harley for their contributions to this article.
Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher
Are you still using an outdated version of Internet Explorer past the January 12th cut-off for support, or have you switched to an alternate web browser? Let us know your reasons, below!