The Ghost of Internet Explorer Will Haunt the Web for Years
After years of decline and a final wind-down over the past 13 months, on Wednesday Microsoft confirmed the retirement of Internet Explorer, the company’s long-lived and increasingly notorious web browser. Launched in 1995, IE came preinstalled on Windows computers for almost two decades, and like Windows XP, Internet Explorer became a mainstay—to the point that when it was time for users to upgrade and move on, they often didn’t. And while last week’s milestone will push even more users off the historic browser, security researchers emphasize that IE and its many security vulnerabilities are far from gone.
In the coming months, Microsoft will disable the IE app on Windows 10 devices, guiding users instead to its next-generation Edge browser, first released in 2015. The IE icon will still remain on users’ desktops, though, and Edge incorporates a service called “IE mode” to preserve access to old websites built for Internet Explorer. Microsoft says it will support IE mode through at least 2029. Additionally, IE will still work for now on all supported versions of Windows 8.1, Windows 7 with Microsoft’s Extended Security Updates, and Windows Server, though the company says it will eventually phase IE out in these, too.
Seven years after the debut of Edge, industry analysis indicates that Internet Explorer may still hold more than half a percent of the total global browser market share. In the United States, that share may be as much as 2 percent.
“I do think we’ve made progress, and we probably won’t see as many exploits against IE in the future, but we will still have remnants of Internet Explorer for a long time that scammers can take advantage of,” says Ronnie Tokazowski, a longtime independent malware researcher and principal threat advisor at the cybersecurity firm Cofense. “Internet Explorer as the browser will be gone, but there are still pieces that exist.”
For something that’s been around as long as IE, backward compatibility is difficult to balance with the desire for a clean slate. “We haven’t forgotten that some parts of the web still rely on Internet Explorer’s specific behaviors and features,” Sean Lyndersay, the general manager of Microsoft Edge Enterprise, wrote in an IE retrospective on Wednesday, pointing to IE mode.
But he added that there was a real need to start over with Edge rather than trying to salvage IE. “The web has evolved and so have browsers,” he wrote last week. “Incremental improvements to Internet Explorer couldn’t match the general improvements to the web at large, so we started fresh.”
Microsoft says it will still support IE’s underlying browser engine, known as “MSHTML,” and it has its eye on versions of Windows still “used in critical environments.” But Maddie Stone, a researcher for Google’s Project Zero vulnerability hunting team, points out that hackers are still exploiting IE vulnerabilities in real-world attacks.
“Since we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we’ve ever tracked, even though Internet Explorer’s market share of web browser users continues to decrease,” she wrote in April, referring to previously unknown vulnerabilities, called zero-days. “Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn’t use Internet Explorer as their internet browser.”
In her analysis, Stone particularly noted that while the number of new IE vulnerabilities Project Zero has detected has remained fairly constant, attackers have shifted over the years to increasingly target the MSHTML browser engine through malicious files like tainted Office documents. This could mean that neutering the IE application won’t immediately change attack trends that are already in motion.
Given how difficult it has been to rein in Internet Explorer at all, Microsoft and IE users around the world have certainly come a long way. But for a browser that’s supposed to be dead, IE still very much loads with the living.