US-CERT urges XP users to dump IE

If customers must run XP after April 8, switch to alternate browser that still gets patches, advises team from Dept. of Homeland Security

People who plan to run Windows XP after Microsoft pulls the patch plug should dump Internet Explorer (IE) and replace it with a different browser, the U.S. Computer Emergency Readiness Team (US-CERT) said Monday.

US-CERT is part of the U.S. Department of Homeland Security, and regularly issues security warnings and threat alerts.

"Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a Web browser other than Internet Explorer," US-CERT said in a Monday bulletin. "The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details."

US-CERT's advice was not new: Security companies and experts have said the same before.

Because Microsoft ties support for Internet Explorer (IE) to the underlying operating system's end date, people running Windows XP will also not receive patches for IE7 or IE8, although others, including customers running the same browsers on Windows Vista and Windows 7, will continue to receive fixes.

IE6, which debuted several months before XP in 2001, will be retired from all support next month.

With IE patches ending, security professionals have urged people sticking with XP to run a browser that will receive bug fixes, like Google's Chrome, Mozilla's Firefox and Opera Software's Opera.

That anything-but-IE advice stems from on the fact that Windows malware often enters a PC by exploiting a browser vulnerability. Exploits of unpatched bugs, described as "drive-by attacks," only require the user to browse to a malicious or compromised website, where attack code has been pre-planted.

Chrome will be patched until at least April 2015, Google pledged last October, leaving the door open to a later stop date.

However, Mozilla declined to specify a patch-until date when asked Monday.

"We listen to our users closely, and right now many of them are on XP and expect to stay on that platform. We have not announced any end of support for Firefox on XP at this time," said Chad Weiner, director of product management, in an email response to questions.

Mozilla typically discusses impending support stoppages on its planning forum months before it discontinues updates for an operating system. Developers have not begun talking there about dropping support for Windows XP Service Pack 2 (SP2) or SP3.

And Mozilla often supports an OS long after its maker has stopped: The last version of Firefox that ran on Windows XP SP1, the patch roll-up Microsoft quit supporting in October 2006, was Firefox 12, which shipped in April 2012.

Previously, Opera has issued statements along the lines of Mozilla's but it did not immediately reply to questions today, including whether it has set a firm end-of-support date for Windows XP.

Current XP users are most likely running IE8, the latest browser supported by the OS, because in early 2012 Microsoft began automatically upgrading users to the newest version of IE supported by a given operating system.

According to measurement firm Net Applications, IE8 accounted for 37.3% of all instances of Internet Explorer used in February. IE6, the version originally released with XP, accounted for 8% of all copies of Internet Explorer, a high percentage considering that Microsoft had gone to great lengths to eradicate that version.

Chrome, Firefox and Opera can be downloaded from the websites of Google, Mozilla and Opera Software.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is gkeizer@computerworld.com.

See more by Gregg Keizer on Computerworld.com.

Read more about windows in Computerworld's Windows Topic Center.

This story, "US-CERT urges XP users to dump IE" was originally published by Computerworld.

Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies