Internet Explorer is now retired, but is still a target for attackers

Microsoft’s official retirement of the Internet Explorer 11 desktop app on June 15 made history for the nearly 27-year-old browser. However, IE is likely to provide a juicy target for attackers.

This is because some organizations still use Internet Explorer (IE) despite Microsoft’s long-known plans to make the technology obsolete. Meanwhile, Microsoft has kept the MSHTML (aka Trident) IE browser engine as part of Windows 11 until 2029, allowing organizations to run in IE mode while they switch to the Microsoft Edge browser. In other words, IE isn’t dead yet, and neither are threats.

Although IE has a small share of the worldwide browser market (0.52%), many enterprises still run it or have legacy applications tied to IE. This appears to be the case in countries such as Japan and Korea. Stories in Nikkei Asia and: Japan Times A Keyman’s Net survey was cited this week as showing that nearly 49% of 350 Japanese companies surveyed still use IE. Another report from South Korea’s MBN points out several large organizations still works in IE.

“Internet Explorer has been around for more than 20 years, and many companies have invested in using it for more than just web browsing,” said Todd Schell, senior product manager at Ivanti. There are still enterprise programs closely tied to IE that often run older, custom scripts on their website or have applications that may require older scripts. “For example, companies can create extensive scripts that generate and then display reports in IE. They haven’t invested in updating them to use HTML 5 for Edge or other modern browsers.”

Such organizations face security issues with any other software technology that is no longer supported. Running IE 11 as a standalone application past its support date means that previously unknown, or worse, known but unpatched vulnerabilities could be exploited in the future, Schell said.

“This is true for any application or operating system, but historically it’s been a bigger problem for browsers, which are so widely used,” Schell says. It’s hard to say how many organizations around the world are currently stuck using technology that is no longer supported because they didn’t migrate sooner. But judging by the fact that Microsoft will continue to support compatibility mode in Edge until 2029, IE will likely continue to be widely used, he notes.

Any organization that hasn’t already should prioritize moving away from IE because of the security implications, said Claire Tills, senior research engineer at Tenable. “The end of support means that new vulnerabilities will not receive security patches unless they meet a certain critical threshold, and even in those rare cases, those updates will only be available to customers who have paid for Enhanced Security Updates,” he said. says.

There are still many errors

Microsoft Edge has now officially replaced the Internet Explorer 11 desktop app in Windows 10. But the fact that the MSHTML engine will run as part of the Windows operating system until 2029 means that organizations are at risk of browser engine vulnerabilities even if they exist. no longer using IE.

According to Maddy Stone, a security researcher with Google’s Project Zero bug-hunting team, IE has had its fair share of zero-day bugs in recent years, even as its use has been reduced. Last year, for example, the Project Zero team Followed by four zero days on IE — the most since 2016, when the browser had as many zero days. Last year, three out of four zero vulnerabilities (CVE-2021-26411, CVE-2021-33742and: CVE-2021-40444) targeted MSHTML and were exploited through methods other than the Web, Stone said.

“It’s not clear to me how Microsoft can block or not block access to MSHTML in the future,” Stone said. “But if access remains as it is now, it means that attackers can exploit the MSHTML vulnerability via routes such as Office documents and other file types, as we saw last year,” he says. Stone says the number of zero-day exploits found in wildly targeting IE components has been fairly consistent between 2015 and 2021, suggesting the browser remains a popular target for attackers.

Tenable’s Tills notes that one of the most widely exploited vulnerabilities in Microsoft products in 2021 was actually CVE-2021-40444, a remote code execution zero-day in MSHTML. The vulnerability has been widely exploited in phishing attacks by everything from ransomware-as-a-service operators to advanced persistent threat groups.

“Given that Microsoft will continue to support MSHTML, organizations should examine mitigations for vulnerabilities like CVE-2021-40444 and decide which ones they can adopt long-term to reduce the risk of future vulnerabilities,” Tills notes.

Common mitigations

Microsoft was not available as of this writing to comment on the potential risk to organizations from attacks targeting MSHTML. But Ivanti’s Schell says it’s reasonable to assume Microsoft has put in proper security and sandboxing around MSHTML when running in IE compatibility mode. He says that Microsoft can monitor and provide any necessary updates to MSHTML because it is a supported product and feature. The best mitigation, as always, is for organizations to update their software, OS and browsers and ensure their anti-virus and anti-malware detection mechanisms are also up-to-date.

“MSHTML is now just one of the many libraries we have in Windows 11,” said Johannes Ulrich, Dean of Research at the SANS Institute. “Of course, it’s complex and still has a significant but somewhat reduced attack surface,” he notes. So the best mitigation for organizations is to patch Windows when updates are available, he says.

“IE is still common enough to be a worthwhile target for attackers,” adds Ulrich.

However, the continued number of zero days found in IE does not mean that attackers have suddenly increased their interest in attacking them. “It may have been easier to find vulnerabilities in the older IE codebase with newer tools,” says Ulrich.