Time flies. It seems like just yesterday we heard that Microsoft would stop supporting older versions of Internet Explorer. But it was over a year ago that it announced that support would end for all IE browser versions older than version 11. And the deadline is now upon us all: Jan. 16, 2016.
The main impact of this to security professionals is that Microsoft will stop providing security updates and technical support for all earlier versions of IE. (Microsoft describes this policy on an FAQ page.) This means that vulnerabilities will start accumulating in those older browsers, without fixes, so they will become increasingly dangerous to use as the months pass. By next March, I expect there to be several unfixable vulnerabilities with active exploits in the wild that will lead users of those older IE versions to certain compromise. So clearly, those versions no longer have a place in any professional organization.
This causes my company two pain points: the browsers our employees use, and the versions supported by our corporate website. As part of our browser conversion effort, we have been testing IE11 extensively, and have found that many things will break when we stop supporting older browsers.
For example, there are many commercial websites my company’s employees need to use for various business purposes that only support IE9. Those other companies have not yet updated their websites to work with IE11, and their general position has been that we should continue to use IE9 to access their services. I don’t have much influence over those service providers. Some of them are quite large, well-known companies that are influential enough to make their own rules, and they really don’t care about my situation at all.
Our company’s website was also designed with custom code tailored to older browser versions that were current at the time the content was developed, a few years ago. In retrospect, that doesn’t seem like a very good idea. The website developers should have either used a standard set of code that worked universally among all browsers, or put in place an ongoing process to keep revising code to be compatible with new browser versions. But nobody seems to have thought of that, so we are in much the same situation as those service providers — our move to support IE11 is dependent on upgrading our commercial Web services.
So we have two projects that are currently racing the clock: upgrading our browsers, and updating our own website. And it’s turning out that updating our website is the easier of the two. You might think that upgrading our end-user systems would be less work than hiring a team of programmers to change our website content, but that’s not true. We expect to have our website IE11-ready in a couple of weeks, so our customers will be able to get full functionality on the latest browser version. But in order to be ready for Microsoft’s deadline, we will need to run two browser versions on many of our desktop computers.
For business-specific browsing to third-party services that only support IE9, we have created a “locked-down” version of IE9. It runs in a virtual container that has those business sites whitelisted through Active Directory Group Policy, so it can only be used to go to those sites. This is a bit of a pain for our employees, because they have to keep track and remember to use the right browser in the right situation, instead of just using one browser as they’re used to. But that’s the best we can do for now.
For general Web browsing to sites that support the latest browsers, we have provided IE11 on everybody’s desktop. We will continue patching that version until support ends in 2020, which seems a long way away — but I’m sure that deadline will creep up on us just like this one did.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
Click here for more security articles.