After many years Microsoft’s decline and final hiatus over the past 13 months, on Wednesday confirmed the retirement of Internet Explorer, the company’s long-standing and increasingly infamous web browser. Introduced in 1995, IE has been preinstalled on Windows computers for nearly 20 years, and like Windows XP, Internet Explorer has become mainstream — so much so that when users need to upgrade and move on, they often don’t. While last week’s milestone will see more users abandon the time-honored browser, security researchers stress that IE and its many security flaws are far from gone.
Over the next few months, Microsoft will disable the IE app on Windows 10 devices, directing users to its next-generation Edge browser, which was first released in 2015. However, the IE icon will still remain on the user’s desktop, and Edge includes a service called “IE Mode” to preserve access to legacy websites built for Internet Explorer. Microsoft says it will support IE mode until at least 2029. Additionally, IE currently still runs on all supported versions of Windows 8.1, Windows 7 with Microsoft’s Extended Security Updates, and Windows Server, although the company says it will eventually phase out IE on these, too.
Seven years after Edge’s debut, industry analysis suggests that Internet Explorer could still capture more than 0.5% of the total global browser market share. In the U.S., it could be closer to 2 percent.
Ronnie Tokazowski said: “I do think we’ve made progress and we may not see as many exploits for IE in the future, but we’ll still have Internet Explorer remnants exploited by crooks for a long time to come. , longtime independent malware researcher. “Internet Explorer as a browser will go away, but parts of it still exist.”
For something as old as IE, it’s hard to balance backwards compatibility with the desire for a whiteboard. “We haven’t forgotten that parts of the web still rely on Internet Explorer’s specific behaviors and features,” Microsoft Edge Enterprise general manager Sean Lyndersay wrote in Wednesday’s IE review, referring to IE mode.
But he added that it does need to start over with Edge rather than trying to save IE. “The web has evolved, and so have browsers,” he wrote last week. “The incremental improvements in Internet Explorer can’t be compared to the overall improvements across the web, so we’re starting over.”
Microsoft said it would still support IE’s underlying browser engine, known as “MSHTML,” with an eye toward a version of Windows that was still “used in critical environments.” But Maddie Stone, a researcher with Google’s Project Zero vulnerability search team, pointed out that hackers are still using IE vulnerabilities for real-world attacks.
“Internet Explorer’s 0-days per year have been pretty steady since we started tracking 0-days in the wild. 2021 actually tied 2016 for the craziest Internet Explorer 0-days we’ve tracked, even though Internet Explorer has 0 days among web browser users market share continues to decline,” she wrote in April, referring to a previously unknown vulnerability known as zero-day. “Even if users don’t use Internet Explorer as their Internet browser, Internet Explorer is still a mature attack surface for initial entry into Windows machines.”
In her analysis, Stone specifically noted that while the number of new IE exploits detected by Project Zero has remained fairly steady, over the years attackers have turned to increasingly targeting via malicious files such as tainted Office documents MSHTML browser engine. This may mean that neutering IE applications will not immediately change the trend of attacks that have already occurred.
Given the difficulty of controlling Internet Explorer, Microsoft and IE users around the world must have come a long way. But for a browser that should be dead, IE is still full of life.