Lucene search

threatpostTom SpringTHREATPOST:B94C72282597270B568FB72191A99385
HistoryOct 26, 2020 - 10:26 p.m.

Microsoft IE Browser Death March Hastens

Tom Spring





As the death of the once dominant Internet Explorer (IE) draws closer, Microsoft is quickly pounding more nails into the browser’s coffin.

On Monday, Microsoft hastened its IE-to-Edge browser-transition strategy and announced new controls for users and IT staff when it comes to how the lame-duck browser will handle a growing list of websites incompatible with IE. Those include YouTube, Twitter, Yahoo Mail and 1,153 other leading internet destinations.

Microsoft also announced that in two short weeks, its own services would no longer be supported by 25-year-old browser that once crushed Netscape and other competitors. In 2004 IE enjoyed 95 percent market share. Today, an estimated 5 percent of users rely on it.

As a point of reference, the Microsoft Edge web browser comes built into Windows 10. In 2015 Microsoft said it would replace IE with Edge in an effort to support modern browser functions, such as extensions. In 2018, it announced further efforts to streamline its development — Edge be rebuilt on the Chromium rendering engine, which is the same code that Google’s Chrome browser uses.

Internet Explorer alert regarding Edge BrowserIE: The Long Goodbye

Part of IE’s shuttering entails redirecting users to the Microsoft Edge 87, to be released November 17. However, BleepingComputer reported that the redirects have already begun.

Last Monday, Microsoft explained that users of IE who visited an incompatible website would be presented with an interstitial webpage alerting them they were being redirected to Microsoft Edge. An opt-in prompt asks consent to copy a user’s browsing data and preferences from Internet Explorer to Microsoft Edge. In addition to that, a website incompatibility banner will appear below the address bar for every redirection, Microsoft said.

On Monday, Microsoft released instructions on how IT staff can change the behavior of Internet Explorer when it lands on an incompatible site.

  • One option is configuring IE to not redirect to Edge “RedirectSitesFromInternetExplorerPreventBHOInstall”.
  • A second option “RedirectSitesFromInternetExplorerRedirectMode” allows IE to open sites in Edge – and browser data and user preferences are automatically imported.
  • The third option doesn’t import browser data and user preferences, but hides any incompatibility warning message and redirects IE to Edge.

“Redirection from Internet Explorer to Microsoft Edge requires an Internet Explorer Browser Helper Object (BHO) named ‘IEtoEdge BHO,'” Microsoft explained.

“These policies will be available as ADMX file updates by October 26, 2020 and will be available in Intune by November 9, 2020,” wrote Microsoft. ADMX files are Windows registry-based policy settings that are XML-based and define policy settings and browser behaviors.

Security and Privacy Concerns?

For many, there will be few tears when IE is finally put out to pasture. The browser, which was the centerpiece to a 2001 antitrust lawsuit between United States and Microsoft, has a spotty history when it comes to security, privacy and compatibility.

There are more than a few reasons there will be no love lost with the expiration of IE. Since 2000, there have been over 1,000 serious vulnerabilities tied to it. The majority (28 percent) are tied to code-execution bugs, 25 percent related to IE memory-corruption flaws and 20 percent buffer-overflow vulnerabilities, according to CVE Details.

For an exhaustive look at the history of major IE bugs, Paul Szabo has an impressive collection.

The browser, often standardized within corporations, was the bane of many security teams because of Microsoft’s chronic foot dragging when it came to patching. In 2014, the U.S. Department of Homeland Security advised companies and Windows XP users to ditch IE until Microsoft fixed a use-after-free bug that allowed unauthorized remote code execution.

Privacy concerns have also been paramount for users of IE, with many feeling that Microsoft’s access to browsing data coupled with services and application data was unsettling. Those Microsoft anxieties have been muted over time as massive data collected by Google, Facebook and Amazon have normalized the behavior.

Things have come full circle, with some arguing switching to Microsoft’s Edge Chromium browser is a way to avoid Google’s data collection, while still being able to reap the benefits the same browser engine.

“Microsoft Edge gives more privacy than Chrome, Google Chrome uses its user’s data to give a personalized advertisement for its revenue which would also make,” wrote a Microsoft contributor to its Tech Community.

That’s not to say Microsoft Edge doesn’t have security concerns.

On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of a Microsoft Edge memory-corruption flaw (CVE-2020-15999) rated high-risk. However, unlike with IE, this bug was tied to Google Chromium code and was patched last week. At the time, Google warned that adversaries were exploiting the bug in the wild.

Final Farewell

“Internet Explorer 11 is the last major version of Internet Explorer. Internet Explorer 11 will continue receiving security updates and technical support for the lifecycle of the version of Windows on which it is installed,” wrote Microsoft. Mainstream support for Windows 10 ends Oct. 13, 2020. Extended support, according to Microsoft, ends on Oct. 14, 2025.