As pre-IE11 support ends, scrambling for workarounds

For our security manager, the two big issues are the browsers his users employ, and the versions supported by the corporate website.

Time flies. It seems like just yesterday we heard that Microsoft would stop supporting older versions of Internet Explorer. But it was over a year ago that it announced that support would end for all IE browser versions older than version 11. And the deadline is now upon us all: Jan. 16, 2016.

The main impact of this for security professionals is that Microsoft will stop providing security updates and technical support for all earlier versions of IE. (Microsoft describes this policy on an FAQ page.) This means that vulnerabilities will start accumulating in those older browsers, without fixes, so they will become increasingly dangerous to use as the months pass. By next March, I expect there to be several unfixable vulnerabilities with active exploits in the wild that will lead users of those older IE versions to certain compromise. So clearly, those versions no longer have a place in any professional organization.

This causes my company two pain points: the browsers our employees use, and the versions supported by our corporate website. As part of our browser conversion effort, we have been testing IE11 extensively, and have found that many things will break when we stop supporting older browsers.

For example, there are many commercial websites my company’s employees need to use for various business purposes that only support IE9. Those other companies have not yet updated their websites to work with IE11, and their general position has been that we should continue to use IE9 to access their services. I don’t have much influence over those service providers. Some of them are quite large, well-known companies that are influential enough to make their own rules, and they really don’t care about my situation at all.

Our company’s website was also designed with custom code tailored to older browser versions that were current at the time the content was developed, a few years ago. In retrospect, that doesn’t seem like a very good idea. The website developers should have either used a standard set of code that worked universally among all browsers, or put in place an ongoing process to keep revising code to be compatible with new browser versions. But nobody seems to have thought of that, so we are in much the same situation as those service providers — our move to support IE11 is dependent on upgrading our commercial Web services.

So we have two projects that are currently racing the clock: upgrading our browsers, and updating our own website. And it’s turning out that updating our website is the easier of the two. You might think that upgrading our end-user systems would be less work than hiring a team of programmers to change our website content, but that’s not true. We expect to have our website IE11-ready in a couple of weeks, so our customers will be able to get full functionality on the latest browser version. But in order to be ready for Microsoft’s deadline, we will need to run two browser versions on many of our desktop computers.

For business-specific browsing to third-party services that only support IE9, we have created a “locked-down” version of IE9. It runs in a virtual container that has those business sites whitelisted through Active Directory Group Policy, so it can only be used to go to those sites. This is a bit of a pain for our employees, because they have to keep track and remember to use the right browser in the right situation, instead of just using one browser as they’re used to. But that’s the best we can do for now.

For general Web browsing to sites that support the latest browsers, we have provided IE11 on everybody’s desktop. We will continue patching that version until support ends in 2020, which seems a long way away — but I’m sure that deadline will creep up on us just like this one did.
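One way to verify that the two-browser split is holding is to audit web proxy logs for pre-IE11 browsers reaching hosts outside the whitelist. The following is an added example, not part of the original column; the tab-separated log layout, client names, host names and allowlist are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the locked-down IE9 may reach (constructed names).
LEGACY_ALLOWED_HOSTS = {"portal.supplier.example", "billing.partner.example"}

# The Trident engine token identifies the real browser even when IE11 runs in
# Compatibility View and reports itself as "MSIE 7.0".
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}
_TRIDENT = re.compile(r"Trident/(\d+\.\d+)")
_MSIE = re.compile(r"MSIE (\d+)\.")

# Constructed sample log: timestamp, client, URL, User-Agent (tab-separated).
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [
    ("2016-01-18T09:02:11Z", "ws-0142", "http://portal.supplier.example/orders",
     "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"),
    ("2016-01-18T09:05:40Z", "ws-0142", "http://www.news.example/today",
     "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"),
    ("2016-01-18T09:07:15Z", "ws-0310", "http://www.news.example/today",
     "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)"),
    ("2016-01-18T09:11:03Z", "ws-0977", "http://webmail.example/inbox",
     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"),
    ("2016-01-18T09:12:30Z", "ws-0310", "http://www.news.example/sport",
     "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"),
])

def ie_version(user_agent):
    """Return the real IE major version, or None for non-IE browsers."""
    engine = _TRIDENT.search(user_agent)
    if engine and engine.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[engine.group(1)]
    legacy = _MSIE.search(user_agent)  # IE7 and earlier send no Trident token
    return int(legacy.group(1)) if legacy else None

def find_violations(log_text, allowed=LEGACY_ALLOWED_HOSTS):
    """List (timestamp, client, ie_major, host) for pre-IE11 off-allowlist requests."""
    violations = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # skip malformed lines instead of guessing at fields
        ts, client, url, ua = parts
        version = ie_version(ua)
        if version is None or version >= 11:
            continue  # not IE, or the supported IE11 (including Compatibility View)
        host = (urlsplit(url).hostname or "").lower()
        if host not in allowed:  # exact host match only, no suffix matching
            violations.append((ts, client, version, host))
    return violations
```

On the constructed sample, `find_violations(SAMPLE_LOG)` reports the IE9 request to `www.news.example` and the IE8 request to `webmail.example`, and passes the IE11 Compatibility View line that a naive `MSIE` match would have flagged.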

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
