Microsoft brings Internet Explorer's security into the 21st century

Filed Under: Apple Safari, Featured, Firefox, Google Chrome, Internet Explorer, Java, Microsoft, Security threats, Vulnerability, Web Browsers

Internet ExplorerInternet Explorer (IE) will finally catch up with rival browsers next week when it begins blocking out-of-date ActiveX controls.

In a move described by Microsoft as being specifically about ActiveX, the new blocklist contains but one offender – Oracle's Java ActiveX control.

Fred Pullen, IE's product manager, and Jasika Bawa, security program manager, said that Microsoft will maintain the blocklist and add to it as other vulnerabilities are released or discovered.

The approach taken to Java is unsurprising really as older versions of the plugin have often been used as an attack vector. In fact, Microsoft's own security research estimates that between 84.6 and 98.5 percent of all web-based exploits in 2013 took advantage of Java vulnerabilities. Therefore blocking out-of-date Java plugins has the potential to go a long way towards securing end-user systems.

The upcoming block will not be an immovable barrier though – Internet Explorer will give the user the ability to override it on a one-off basis. Additionally, it will not apply to the Local Intranet Zone and Trusted Sites Zone, which will allow business customers to maintain compatibility via the continuing use of obsolete plugins where no viable alternative exists, whilst protecting them from web-based threats.

The only downside to this good news is that the out-of-date ActiveX blocking feature will only work with the company's most recent versions of its operating system. Only users of Windows 7 SP1 or Windows 8 will get it, and even then they will need to be running Internet Explorer 8 or later.
With that in mind, Internet Explorer users should also note that Microsoft will be ceasing support for older versions of its browser.

Historically, Microsoft has released each new version of its operating system with five years of mainstream support, backed up with a further five years of extended support. That means Windows, and all of the software that comes bundled with it, benefit from a total of ten years' service (or eleven in the case of Windows XP anti-malware support.

This level of dedication towards supporting older products may explain why so many home and business users have stuck with older versions of Windows for so long.

Now, however, Microsoft is keen to push users onto more up-to-date versions of its software. So unless you have a spare £5.5m down the back of your sofa, you should really consider upgrading to a current operating system before support for older versions of IE ends on January 12, 2016.

From that time, only the following browser and operating system combinations will be supported:

  • Vista SP2 and Windows 2008 SP with Internet Explorer 9
  • Windows Server with Internet Explorer 10
  • Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2 with Internet Explorer 11

Roger Capriotti, IE's director, said:

For customers not yet running the latest browser available for your operating system, we encourage you to upgrade and stay up-to-date for a faster, more secure browsing experience.

IE. Image courtesy of ShutterstockAs close to 60% of web users still reportedly use IE, Microsoft's plan to bring everyone onto modern versions of its browser are welcome, if a little late.

Its main competitors - Chrome and Firefox – enjoy a far higher rate of new version adoption of their browsers whilst the majority of Internet Explorer users are still stuck on version 8, which probably explains why Microsoft chose that version as the cut-off for ActiveX controls.

Even though IE users appear to somewhat slower in adopting newer, more secure versions of their browser, either due to a lack of knowledge, motivation to install latest versions, or simply because Microsoft were not pushing them with a big enough stick, it does not mean that users of competing browsers can rest easy.

The PWN2OWN competition that ran back in March this year certainly showed that Internet Explorer was susceptible to attack, but Firefox fared worse and Chrome and Safari were far from immune either.

Ironically, the only PWN2OWN "winner" was Oracle's Java plugin that wasn't exploited at all, leading Chester Wisniewski to wonder if we should banish our browser woes by downloading the HotJava browser.

Image of Internet Explorer courtesy of Shutterstock.

You might like

8 Responses to Microsoft brings Internet Explorer's security into the 21st century

  1. ricead · 235 days ago

    It's a great move but IE is still the least secure browser due to it's larger attack surface in a native install and being embedded in the OS meaning a compromise of the browser is a potential compromise of the OS as well.

  2. Haemish Edgerton · 235 days ago

    "Only users of Windows 7 SP1 or Windows 8 will get it, and even then they will need to be running Internet Explorer 8 or later."

    Ummm... Windows 7 comes with IE8 to begin with, so it's automatic full support for Windows 7 or later, regardless. :)

    • Anonymous · 235 days ago

      I think Microsoft disallows installation of any IE version earlier than 8 on Windows 7, even if you try.

  3. Dear Lee, thank you for this great info to keep us more secure on the internet.

    Never Give Up
    Joan Y. Edwards

  4. hotdoge3 · 233 days ago

    Microsoft brings Internet Explorer's security into the 21st century

    why it take so long.?

  5. Nan · 232 days ago

    I had version 11...had to go back to 10 to make Yahoo mail work (well, better)..any ideas to make them more,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.