Microsoft’s official end-of-support for the Internet Explorer 11 desktop application on June 15 relegated to history a browser that’s been around for almost 27 years. Even so, IE still likely will provide a juicy target for attackers.
That’s because some organizations are still using Internet Explorer (IE) despite Microsoft’s long-known plans to deprecate the technology. Microsoft meanwhile has retained the MSHTML (aka Trident) IE browser engine as part of Windows 11 until 2029, allowing organizations to run in IE mode while they transition to the Microsoft Edge browser. In other words, IE isn’t dead just yet, nor are threats to it.
Though IE has a negligible share of the browser market worldwide these days (0.52%), many enterprises still run it or have legacy applications tied to IE. This appears to be the case in countries such as Japan and Korea. Stories in Nikkei Asia and Japan Times this week quoted a survey by Keyman’s Net showing that nearly 49% of 350 Japanese companies surveyed are still using IE. Another report in South Korea’s MBN pointed to several large organizations still running IE.
“Internet Explorer has been around for over 20 years and many companies have invested in using it for many things beyond just Web browsing,” says Todd Schell, senior product manager at Ivanti. There are still enterprise applications tied closely to IE that often are running older, customized scripts on their website or have apps that may require older scripts. “For example, companies may have built extensive scripts that generate and then display reports in IE. They have not invested in updating them to use HTML 5 for Edge or other modern browsers.”
Such organizations face the sort of security issues associated with every other software technology that is no longer supported. Running IE 11 as a standalone app past its end of support date means that previously unknown — or worse yet, known but unpatched — vulnerabilities can be exploited going forward, Schell says.
“This is true for any application or operating system but has historically been an even bigger issue for browsers, which have such widespread use,” Schell says. It’s hard to say how many organizations worldwide are presently stuck using a technology that is no longer supported because they did not migrate away sooner. But judging by the fact that Microsoft will continue to support compatibility mode in Edge until 2029, IE likely remains in widespread use, he notes.
Any organization that hasn’t already should prioritize moving away from IE because of the security implications, says Claire Tills, senior research engineer at Tenable. “The end of support means that new vulnerabilities will not get security patches if they don’t meet a certain criticality threshold and, even in those rare cases, those updates will only be available to customers who have paid for Extended Security Updates,” she says.
Bugs Still Abound
Microsoft Edge has now officially replaced the Internet Explorer 11 desktop app on Windows 10. But the fact that the MSHTML engine will exist as part of the Windows operating system through 2029 means organizations are at risk of vulnerabilities in the browser engine — even if they are no longer using IE.
According to Maddie Stone, security researcher at Google’s Project Zero bug hunting team, IE has had a fair number of zero-day bugs over the past years, even as its use shrank. Last year, for example, the Project Zero team tracked four zero-days in IE — the most since 2016, when the same number of zero-days were discovered in the browser. Three of the four zero-day vulnerabilities last year (CVE-2021-26411, CVE-2021-33742, and CVE-2021-40444) targeted MSHTML and were exploited via methods other than the Web, Stone says.
“It’s not clear to me how Microsoft may or may not lock down access to MSHTML in the future,” Stone says. “But if the access stays as it is now it means that attackers can exploit vulnerabilities in MSHTML through routes such as Office documents and other file types as we saw last year” with the three MSHTML zero-days, she says. The number of zero-day exploits detected in the wild targeting IE components has been pretty consistent from 2015 to 2021 and suggests that the browser remains a popular target for attackers, Stone says.
Tenable’s Tills notes that one of the more widely exploited vulnerabilities in a Microsoft product in 2021 was in fact CVE-2021-40444, a remote code execution zero day in MSHTML. The vulnerability was exploited extensively in phishing attacks by everything from ransomware-as-a-service operators to advanced persistent threat groups.
“Given that Microsoft will continue to support MSHTML, organizations should examine the mitigations for vulnerabilities like CVE-2021-40444 and determine which they can adopt long term to reduce the risk of future vulnerabilities,” Tills notes.
The Usual Mitigations
Microsoft was not available as of this post to comment on the issue of potential risk for organizations from attacks targeting MSHTML. But Ivanti’s Schell says it is reasonable to assume that Microsoft has provided proper security and sandboxing around MSHTML when running in IE compatibility mode. He says Microsoft can monitor and provide any needed updates to MSHTML since it is a supported product and feature. The best mitigation, as always, is for organizations to keep their software, OS, and browser updated and ensure antiviral and malware detection mechanisms are up-to-date as well.
“MSHTML is now just one of many libraries that we have in Windows 11,” says Johannes Ullrich, dean of research at the SANS Institute. “Of course, it is a complex one, and one that still has a significant but somewhat reduced attack surface,” he notes. So, the best mitigation for organizations is to keep patching Windows when updates become available, he says.
“IE is still popular enough to be a worthwhile target” for attackers, Ullrich adds.
Even so, the continuing number of zero-days being discovered in IE doesn’t necessarily mean that attackers have suddenly intensified their interest in attacking it. “It may just be that it was easier to find vulnerabilities using newer tools in the old IE codebase,” Ullrich says.
