Microsoft brings Internet Explorer’s security into the 21st century

library
crime | hacking | security

Internet Explorer (IE) will finally catch up with rival browsers next week when it begins blocking out-of-date ActiveX controls.

In a move described by Microsoft as being specifically about ActiveX, the new blocklist contains but one offender – Oracle’s Java ActiveX control.

Fred Pullen, IE’s product manager, and Jasika Bawa, security program manager, said that Microsoft will maintain the blocklist and add to it as other vulnerabilities are released or discovered.

The approach taken to Java is unsurprising really as older versions of the plugin have often been used as an attack vector. In fact, Microsoft’s own security research estimates that between 84.6 and 98.5 percent of all web-based exploits in 2013 took advantage of Java vulnerabilities. Therefore blocking out-of-date Java plugins has the potential to go a long way towards securing end-user systems.

The upcoming block will not be an immovable barrier though – Internet Explorer will give the user the ability to override it on a one-off basis. Additionally, it will not apply to the Local Intranet Zone and Trusted Sites Zone, which will allow business customers to maintain compatibility via the continuing use of obsolete plugins where no viable alternative exists, whilst protecting them from web-based threats.

The only downside to this good news is that the out-of-date ActiveX blocking feature will only work with the company’s most recent versions of its operating system. Only users of Windows 7 SP1 or Windows 8 will get it, and even then they will need to be running Internet Explorer 8 or later.
With that in mind, Internet Explorer users should also note that Microsoft will be ceasing support for older versions of its browser.

Historically, Microsoft has released each new version of its operating system with five years of mainstream support, backed up with a further five years of extended support. That means Windows, and all of the software that comes bundled with it, benefit from a total of ten years’ service (or eleven in the case of Windows XP anti-malware support.

This level of dedication towards supporting older products may explain why so many home and business users have stuck with older versions of Windows for so long, though I’m sure many readers may point to Vista and Windows 8 and say they are as good a reason as any to stick with XP.

Now, however, Microsoft is keen to push users onto more up-to-date versions of its software. So unless you have a spare £5.5m down the back of your sofa, you should really consider upgrading to a current operating system before support for older versions of IE ends on January 12, 2016.

From that time, only the following browser and operating system combinations will be supported:

Vista SP2 and Windows 2008 SP with Internet Explorer 9
Windows Server with Internet Explorer 10
Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2 with Internet Explorer 11

Roger Capriotti, IE’s director, said:

For customers not yet running the latest browser available for your operating system, we encourage you to upgrade and stay up-to-date for a faster, more secure browsing experience.

As close to 60% of web users still reportedly use IE, Microsoft’s plan to bring everyone onto modern versions of its browser are welcome, if a little late.

Its main competitors – Chrome and Firefox – enjoy a far higher rate of new version adoption of their browsers whilst the majority of Internet Explorer users are still stuck on version 8, which probably explains why Microsoft chose that version as the cut-off for ActiveX controls.

Even though IE users appear to somewhat slower in adopting newer, more secure versions of their browser, either due to a lack of knowledge, motivation to install latest versions, or simply because Microsoft were not pushing them with a big enough stick, it does not mean that users of competing browsers can rest easy.

The PWN2OWN competition that ran back in March this year certainly showed that Internet Explorer was susceptible to attack, but Firefox fared worse and Chrome and Safari were far from immune either.

Ironically, the only PWN2OWN “winner” was Oracle’s Java plugin that wasn’t exploited at all, leading Chester Wisniewski to wonder if we should banish our browser woes by downloading the HotJava browser.