How risky will it be to run old IE after Microsoft's 2016 patch stoppage?

Microsoft's decision to stop patching older versions of Internet Explorer (IE) in 17 months may not be as much of a show-stopper as many assume, according to an analysis by Computerworld.

A week ago, Microsoft abruptly announced that it would give customers until Jan. 12, 2016, to stop using older versions of IE. After that date, Microsoft will support IE9 only on Windows Vista, IE10 only on Windows Server 2012, and IE11 on Windows 7 and Windows 8.1.

IE7 and IE8 will drop off support completely, and IE9 and IE10 will also fall off the list for Windows 7 users. The browsers will continue working, but Microsoft will halt both technical support and security updates for the banned versions.

Because of the large number of critical vulnerabilities Microsoft patches in its browser -- 111 in the last three months -- running an unsupported version would appear to be extremely risky.

Or will it?

While there will be risk, running an outdated version of IE is actually a safer bet than running a current edition that isn't regularly patched.

Over the last three months, Microsoft has shipped three large security updates -- MS14-035 in June, MS14-037 in July and MS14-051 in August -- that included 60, 25 and 26 individual patches, respectively.

But while the latest version, IE11, contained 88 of the 111 vulnerabilities, or 79% of the total, older editions had far fewer bugs that needed to be quashed.

The positively ancient IE7, which launched in 2006 before Windows Vista shipped, had just 31 of the 111 flaws, or 28% of the total. IE8, which last month was the most widely used version of Internet Explorer, contained 44 vulnerabilities, or 40% of the three-month tally.

In fact, there's a clear trend in the vulnerability counts: The newer the version of IE, the more bugs are patched. The percentage of bugs patched declined in a roughly straight line from the newest version to the oldest, and the pattern held whether the gap between editions was two or more years -- as with IE7 and IE8, or IE8 and IE9 -- or just a year, as with IE9 and IE10, and IE10 and IE11.

There are several likely reasons for the phenomenon, but the most plausible is that, because the older versions are, well, older -- in the case of IE7 and IE8, much older, nearly eight years old and more than five years old, respectively -- they have been scrutinized by both outside researchers and Microsoft for much longer. That longer period of examination and probing resulted in more patches prior to the three-month stint Computerworld examined.

Other explanations could include bug hunters' penchant for digging into the newest software, not the oldest; and in the case of IE7 at least, a target so small as to be no longer worth the research time by criminals and white-hats alike. IE7's user share, a rough measurement of the percentage of the world's computer users running a specific browser, was just 0.6% in July, which translated into just 1% of those running one flavor or another of Internet Explorer.

Of course, all it takes is one vulnerability to compromise a browser, or better put, perhaps no more than two or three, as modern browsers, including IE, rely on defensive, anti-malware technologies that force attackers to deploy multiple exploits of multiple bugs to worm their way onto a PC.

A regularly patched IE11, then, should be immune to all but the most serious attacks, dubbed "zero-days" because there is no patch when the exploit appears in the wild. IE8 after Jan. 12, 2016, on the other hand, will in theory be susceptible to attack because none of its bugs will be crushed.

At that time, however, IE8 should be more secure than it is now.

Each older version of IE had 12 to 14 percentage points fewer bugs to be patched than the version after it. Extrapolating that difference to IE8, it should sport a bug rate of between 26% and 28% by January 2016, assuming Microsoft puts out a new version (IE12?) next spring when it launches "Threshold," the code name for what most think will be called "Windows 9."

And IE8 will also probably be a less-prominent target in 17 months.

Data from Web metrics company Net Applications -- the basis of the user share cited for IE7 -- is worthless in predicting IE8's decline because, frankly, IE8's user share has been growing over the last six months. But the impending end-of-support will almost certainly reverse that trend as some Windows 7 users decide to kick out the browser.

How much is unclear, but a look at Windows XP's decline over its last 17 months might be a clue: During that period, XP's operating system user share dropped 13 percentage points, or 32% of its October 2012 figure.

If IE8 fell by that same 32%, it would shed nearly 7 percentage points, ending with a user share of 14.7% of all browsers, or about 25% of all IE editions.

Microsoft has published a FAQ on its website that elaborated on the browser support changes.

Because older editions of Internet Explorer typically contain fewer yet-to-fix flaws, they may not be as much of a risk to run after Microsoft stops patching IE7, IE8, IE9 and IE10 on Windows 7 in 17 months as people might assume. (Data: Microsoft security bulletins.)


This story, "How risky will it be to run old IE after Microsoft's 2016 patch stoppage?" was originally published by Computerworld.