At the start of the year, Microsoft warned Internet users that using Internet Explorer posed risks: the browser is no longer updated and security flaws are accumulating. So are there still long-standing users of IE?
Those using the Internet for less than 20 years may not know of the browser Internet Explorer. Abandoned around ten years ago in favour of Firefox and then Chrome, we imagined IE sacrificed on the altar of (many) waning digital stars. To the point of becoming a popular geek joke: while it weeps and asks "what is my purpose?" IE receives the response "you download Chrome". There is nothing more to say.
And yet, here we are in 2019 and many businesses are still using Internet Explorer for their internal web applications. Is this eccentricity? Fierce resistance to the Alphabet empire? No. If businesses are still using IE, it is essentially due to habit, a lack of resources to migrate, or a lack of cyber awareness…
The rise and fall of Internet Explorer
"To understand, we need to go back to the arrival of IE 6 in 2001. Twenty years ago, IE was more or less the only browser that existed as it was provided with Windows", says Robert Wakim, Offers Manager at Stormshield. "At the same time, web development and its related technologies such as JavaScript and CSS were only just emerging. There was still no standard and Microsoft used its IE platform to enable its partners to provide third party applications to its clients." You know the expression to put all your eggs in one basket? Businesses then developed internal applications that relied fully on Internet Explorer and used the non-standardised mechanics internal to IE. They didn't know it yet but the battle of the browsers that would follow was going to impact their business.
Twenty years later, the top three web browsers are shaken up by the successive arrival of Firefox (2002) and Chrome (2008), which brings an end to the dominance of IE. Today, Chrome is the leading browser used worldwide (67.88% market share in March 2019, 63.29% in France in February 2019), followed by Firefox (9.27% in March 2019, 14.31% in France in February 2019). Far from its past dominance, Internet Explorer plummeted to 7.34% (around 5% in France, source: ZDNet). Result: businesses that have built their internal ecosystems on IE have inherited applications that cannot be operated on other browsers. "We find ourselves with two versions of web applications: the standardised version for everyone and the proprietary version for IE 6 and Microsoft. From a cybersecurity perspective, this poses real problems as it requires users of these applications to have IE 6 or the correct version of IE installed on their machine", warns Robert Wakim. However, these versions are no longer updated. Besides which Microsoft decided to bring an end to its browser.
RIP IE?
Last February, in an article entitled "The perils of using Internet Explorer as your default Internet browser", published on Microsoft's official blog, Chris Jackson warned that "Internet Explorer is not adapted to new Web standards, and even if many sites continue to run properly, the developers no longer test their site on there". "From a cybersecurity point of view, we are in the worst situation possible", says Robert Wakim. "That's to say that the technological building block that is used to support a company's business is no longer updated." A Zero-day vulnerability affecting IE 11 was as a result discovered last April. A few months before, in December 2018, Microsoft had to release an emergency patch for Internet Explorer due to a critical vulnerability.
— Mă̋rcelo Elizeche Landó (@melizeche) 2 août 2017
"It's an interesting situation", says Florian Bonnet, Product Management Director at Stormshield. "OK, so IE is no longer updated. However, when you look closely, you notice that Microsoft continues to support IE from a security perspective at the time of serious flaws. They are capable of releasing patches to correct vulnerabilities. And if they do so, it's because they know very well that today there are many IE applications and they cannot afford to say that they will no longer do anything." Does Microsoft not abandon its vulnerable users due to the issue of image or because it has a real awareness of cybersecurity? The debate is under way.
How many IE applications are there exactly? Who still uses IE? It's difficult to say. "There is no particular sector, we find IE used in administration as well as in health or industry for example", says Florian Bonnet. "It is complicated to estimate the percentage of businesses that use IE. It concerns applications used internally, so we don't have any data on this", says Robert Wakim, who states however that: "we are talking about internal software, which has very often been customised for the company: intranet, accounting software, stock management software, etc." Strategic applications for the business which, if they were compromised, could bring all or part of its activity to a standstill.
Migrate or stay with IE?
Nevertheless, the businesses concerned have an ever decreasing window of opportunity to adapt as Internet Explorer security updates are expected to end by 2025. First response: protect your user station. A solution such as Stormshield Endpoint Security (SES) is based on behavioural analysis that can quickly identify a series of malicious actions and therefore detect an attack and react. "This solution makes it possible to guard against certain attacks. SES can in particular detect changes to rights by looking at the behaviour of programs to detect if they are trying to do something that is not normal", says Florian Bonnet.
Another possible option: put Internet Explorer in a virtual machine and ask its users to start it when they need the application. "This makes it possible to create a clean version of IE each time it is used", says Robert Wakim. "But it is a short-term solution. It is clear that in the long term, the only way of maintaining security is to migrate to other browsers, which means fully rebuilding the entire application."
For some businesses or institutions, this can be up to 40 or 50 applications, with the issue of competitiveness and maintaining the activity beyond. Better to anticipate and start now. "They have six years to secure a budget and migrate their applications", says Florian Bonnet. "2025 will soon be upon us. And the more the internal software is complicated, the more time will be needed for analysis, redesign, development, migration of old data, validation and adoption, etc. We are working on projects that will easily take 24 or 36 months", warns Robert Wakim. And what if businesses do nothing? According to Florian Bonnet, they run a real risk: "They may continue to use IE internally but they will no longer have any security patches. They will use it at their own risk."