Internet Explorer has been retired, but it is still a target for Cyberattacks
On June 15, Microsoft officially ended support for the Internet Explorer 11 desktop application, putting an end to a browser that had been around for nearly 27 years. Regardless, IE will continue to be a tempting target for Cyberattacks. This is because, despite Microsoft’s long-known plans to phase out Internet Explorer (IE), some organizations continue to use the technology. Meanwhile, Microsoft has kept the MSHTML (aka Trident) IE browser engine in Windows 11 until 2029, allowing organizations to continue using IE while transitioning to the Microsoft Edge browser. In other words, IE isn’t dead yet, and neither are the cyberattacks threats to it.
Despite having a negligible share of the global browser market (0.52%), many enterprises continue to use it or have legacy applications that rely on it. This appears to be the case in places like Japan and Korea. A survey found that nearly 49 percent of 350 Japanese companies still use Internet Explorer. According to another report in South Korea’s MBN, several large organizations are still using IE.
Internet Explorer has been around for more than 20 years, and many businesses have invested in using it for many things other than Web browsing. There are still enterprise applications that are tightly linked to IE and frequently run older, customized scripts on their website or have apps that may require older scripts. Companies, for example, may have developed complex scripts that generate and then display reports in Internet Explorer. They have not made any investments in upgrading them to use HTML 5 for Edge or other modern browsers.
These organizations face cyber attack issues like any other software technology that is no longer supported. Running IE 11 as a standalone app after its end of support date means previously unknown or, worse, known but unpatched vulnerabilities can be exploited in the future. This is true for any application or operating system, but it has historically been an even bigger issue for browsers because they are so widely used. It’s difficult to say how many organizations around the world are still using a technology that is no longer supported because they didn’t migrate away sooner. However, given that Microsoft will continue to support compatibility mode in Edge until 2029, believes that IE will continue to be widely used.
Bugs are still prevalent
On Windows 10, Microsoft Edge has officially replaced the Internet Explorer 11 desktop app. However, because the MSHTML engine will remain a part of the Windows operating system until 2029, organizations are vulnerable to browser engine vulnerabilities even if they no longer use IE.
IE has had a fair number of zero-day bugs in recent years, despite its decreasing use. For example, the Project Zero team tracked four zero-days in Internet Explorer last year, the most since 2016, when the same number of zero-days were discovered in the browser. According to Stone, three of the four zero-day vulnerabilities discovered last year (CVE-2021-26411, CVE-2021-33742, and CVE-2021-40444) targeted MSHTML and were exploited via methods other than the Web.
Microsoft might or might not restrict access to MSHTML in the future. However, if access remains as it is now, it means that attackers can exploit MSHTML vulnerabilities through routes such as Office documents and other file types, as we saw last year with the three MSHTML zero-days. The number of zero-day exploits discovered in the wild targeting IE components has been fairly consistent from 2015 to 2021, indicating that the browser remains a popular target for attackers.
Tenable’s Tills notes that CVE-2021-40444, a remote code execution zero-day in MSHTML, was one of the most widely exploited vulnerabilities in a Microsoft product in 2021. From ransomware-as-a-service operators to advanced persistent threat groups, the vulnerability was widely exploited in phishing attacks.
Given that Microsoft will continue to support MSHTML organizations should examine the mitigations for vulnerabilities like CVE-2021-40444 and determine which they can adopt in the long term to reduce the risk of future vulnerabilities.
As of this writing, Microsoft was unavailable to comment on the issue of the potential risk to organizations from MSHTML attacks. However, it is reasonable to assume that Microsoft has provided adequate security and sandboxing around MSHTML when run in IE compatibility mode. MSHTML is a supported product and feature, Microsoft can monitor it and provide any necessary updates. The best mitigation, as always, is for organizations to keep their software, operating system, and browser up to date, as well as their antiviral and malware detection mechanisms.
MSHTML is now just one of many libraries that we have in Windows 11. SANS Institute’s dean of research, of course, it’s a complex one, with a significant but somewhat reduced attack surface. According to him, the best mitigation for organizations is to continue patching Windows as new updates become available. IE is still popular enough to be a worthwhile target for attackers. Nonetheless, the continued discovery of zero-day vulnerabilities in IE does not necessarily imply that attackers’ interest in attacking it has suddenly increased. It could simply be that finding vulnerabilities in the old IE codebase was easier with newer tools.