After years with decline and a final phase-out over the past 13 months, Microsoft on Wednesday confirmed that Internet Explorer, the company’s long-lived and increasingly infamous web browser, has retired. IE was launched in 1995 and came pre-installed on Windows computers for almost two decades, and like Windows XP, Internet Explorer became a cornerstone – to the point that when it was time for users to upgrade and move on, they often did not. And while last week’s milestone will push even more users away from the historic browser, security researchers stress that IE and its many security vulnerabilities are far from gone.
In the coming months, Microsoft will disable the IE app on Windows 10 devices and instead guide users to its next-generation Edge browser, first released in 2015. However, the IE icon will still remain on users’ desktops, and Edge will incorporate a service called “IE Mode” to maintain access to old Web sites built for Internet Explorer. Microsoft says it will support IE mode through at least 2029. In addition, IE will still work for now on all supported versions of Windows 8.1, Windows 7 with Microsoft’s enhanced security updates and Windows Server, although the company says it will eventually phase out IE also in these.
Seven years after the debut of Edge, industry analysis indicates that Internet Explorer can still have more than half a percent of the total global browser market share. And in the U.S., that share could be closer to as much as 2 percent.
“I think we’ve made progress and we probably will not see as many exploits against IE in the future, but we will still have remnants of Internet Explorer for a long time that scammers can take advantage of,” says Ronnie Tokazowski, a long-time independent malware researcher. “Internet Explorer as the browser will be gone, but there are still parts that exist.”
For something that has been around for as long as IE, backward compatibility is hard to balance with the desire for a clean slate. “We have not forgotten that some parts of the Internet are still dependent on the specific behaviors and functions of Internet Explorer,” said Sean Lyndersay, general manager of Microsoft Edge Enterprise. wrote in an IE retrospective Wednesday pointing to IE mode.
But he added that there was a real need to start over with Edge instead of trying to save IE. “The web has evolved, and so have browsers,” he wrote last week. “Incremental improvements to Internet Explorer could not match the overall improvements to the Internet in general, so we started fresh.”
Microsoft says it will still support IE’s underlying browser engine, known as “MSHTML,” and it is eyeing versions of Windows that are still “used in critical environments.” But Maddie Stone, a researcher for Google’s Project Zero vulnerability hunting team, points out that hackers are still exploiting IE vulnerabilities in real-world attacks.
“Since we started tracking in-the-wild 0-days, Internet Explorer has had a fairly consistent number of 0-days each year. 2021 actually tied for 2016 for the wildest Internet Explorer 0-days we’ve ever tracked, though Internet Explorer’s market share of web browser users continues to decline, ”she said wrote in April, citing unprecedented vulnerabilities, called zero-days. “Internet Explorer is still a mature attack surface for initial access to Windows machines, even if the user does not use Internet Explorer as their Internet browser.”
In his analysis, Stone noted in particular that although the number of new IE vulnerabilities that Project Zero has discovered has remained fairly constant, attackers have shifted over the years to increasingly targeting the MSHTML browser engine through malicious files such as spotted Office documents. . This may mean that castrating the IE application will not immediately change attack trends already underway.
Given how difficult it has been to rein in Internet Explorer at all, Microsoft and IE users around the world have certainly come a long way. But for a browser that is supposed to be dead, IE is still very much filled with the living ones.