Sage Advice - Cybersecurity Blog

Five Facts You Should Know About Internet Explorer Lifecycle Support

Being aware of Internet Explorer lifecycle support, and how it impacts your organization, is important. Beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates. For systems running Windows 7 SP1, this means only Internet Explorer 11 will be supported. The table below lists the most current version of Internet Explorer by operating system.

 

| Windows Desktop | Internet Explorer Version |
| --- | --- |
| Windows Vista SP2 | Internet Explorer 9 |
| Windows 7 SP1 | Internet Explorer 11 |
| Windows 8.1 | Internet Explorer 11 |
| Windows Server 2008 SP2 | Internet Explorer 9 |
| Windows Server 2008 R2 SP1 | Internet Explorer 11 |
| Windows Server 2012 | Internet Explorer 10 |
| Windows Server 2012 R2 | Internet Explorer 11 |

 

Even though unsupported versions of Internet Explorer will continue to operate:

  • Microsoft will stop developing and releasing security patches for end of life versions of Internet Explorer.
  • Microsoft will not provide technical support for unsupported versions of Internet Explorer.
  • Support for end-of-lifecycle versions of Internet Explorer will be dropped completely from Windows desktop and server operating systems.

This is a serious concern.  It is estimated that 20% of current desktop systems are running Internet Explorer 8.  Organizations that continue to use Internet Explorer past end-of-life will endanger their customers, employees, and communities.  This could result in costly security, compliance, and liability issues.
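
One way to turn the table above into an inventory check, as an added example that is not part of the original post: it audits a constructed CSV export against the supported version for each operating system. The host names and CSV columns are hypothetical; `version` and `svc_version` are assumed to hold the `Version` and `svcVersion` values from `HKLM\SOFTWARE\Microsoft\Internet Explorer`.

```python
import csv
import io

# Most current (supported) IE major version per OS, taken from the table above.
SUPPORTED_IE = {
    "windows vista sp2": 9,
    "windows 7 sp1": 11,
    "windows 8.1": 11,
    "windows server 2008 sp2": 9,
    "windows server 2008 r2 sp1": 11,
    "windows server 2012": 10,
    "windows server 2012 r2": 11,
}

# Constructed sample inventory (hypothetical hosts and values).
SAMPLE_INVENTORY = """host,os,version,svc_version
ws-001,Windows 7 SP1,8.0.7601.17514,
ws-002,Windows 7 SP1,9.11.9600.18125,11.0.9600.18125
ws-003,Windows Vista SP2,9.0.8112.16421,
srv-01,Windows Server 2012,9.10.9200.16384,10.0.9200.16384
srv-02,Windows Server 2008 R2 SP1,9.10.9200.16384,10.0.9200.16384
ws-004,Windows XP SP3,8.0.6001.18702,
"""

def ie_major(version, svc_version):
    """Return the IE major version.

    IE 10 and 11 leave Version at 9.10.x / 9.11.x and report the real
    version in svcVersion, so svcVersion wins whenever it is present.
    """
    raw = (svc_version or version).strip()
    return int(raw.split(".")[0])

def audit(inventory_csv):
    """Map each host to 'supported', 'upgrade to IE <n>' or 'os not listed'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        os_key = " ".join(row["os"].lower().split())  # normalize case/spacing
        required = SUPPORTED_IE.get(os_key)
        if required is None:
            # The OS is not in the table, so no IE version on it is covered.
            results[row["host"]] = "os not listed"
            continue
        installed = ie_major(row["version"], row["svc_version"])
        results[row["host"]] = ("supported" if installed >= required
                                else f"upgrade to IE {required}")
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Reading only `Version` would report `srv-02` as IE 9 rather than IE 10; either way it falls short of the IE 11 required on Windows Server 2008 R2 SP1.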

Fact 1: The risk of exploit increases EVERY DAY.

Vulnerabilities are weaknesses that enable an attacker to compromise the integrity, availability, or confidentiality of information or information systems.  An exploit takes advantage of vulnerabilities to infect, disrupt, cripple, or take control of a computer without the user’s consent and typically without their knowledge.  Exploits target vulnerabilities in operating systems, web browsers, applications, or software components that are installed on the computer.

Between 2009 and 2015, more than 260 Internet Explorer 8 security vulnerabilities were identified.  On January 12, 2016, Microsoft will stop developing and releasing security patches for end-of-lifecycle versions of Internet Explorer.  There is no question that criminals will continue to develop malware to exploit unpatched Internet Explorer weaknesses.  There just will not be a corresponding fix.

Fact 2: Organizations running unsupported versions of Internet Explorer will not be PCI compliant.

Organizations that continue to use unsupported versions of Internet Explorer in their cardholder environment will no longer be compliant with the PCI Data Security Standard.  This is because running an unsupported browser conflicts with PCI DSS V3.0 Requirement 6.2, which states that you must, “Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.”

Fact 3: Organizations running unsupported versions of Internet Explorer will no longer be in compliance with information security regulations.

The HIPAA Security Rule requires that covered entities and business associates assess risk and ensure that appropriate safeguards are in place to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).  The GLBA Security Rule requires that financial institutions assess risk and ensure that appropriate safeguards are in place to ensure the confidentiality, integrity, and security of non-public personal information (NPPI) of customers.  There is no doubt that continuing to use an unsupported and vulnerable browser is contrary to both HIPAA and GLBA requirements.

Fact 4: Organizations experiencing a breach may find themselves in an indefensible position.

We know that those with malicious intent will continually scan company networks for weaknesses. End-of-life software is an open invitation to launch an attack, which may result in a costly data breach. Continuing to run unsupported software is an indefensible position and may result in legal liability, as well as denial of insurance coverage.

Fact 5: IE isn’t the only product reaching end-of-life.

Windows Internet and Security Acceleration Server 2004 end-of-life date was April 14, 2015; Windows Server 2003 end-of-life date is July 14, 2015; and .NET Framework 4 – 4.5.1 end-of-life is January 12, 2016.

The lifecycle status of all of your organization’s products should be documented.  You can use the Microsoft Product Lifecycle Search tool to learn more about the Microsoft operating systems and applications available at http://support.microsoft.com/lifecycle/search


Microsoft recommends that businesses that still rely on internal applications requiring an older version of Internet Explorer use Enterprise Mode for Internet Explorer 11. For more information on Enterprise Mode, refer to: http://blogs.msdn.com/b/ie/archive/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11.aspx.

 



 

Topics: Compliance, Security Policy
