Internet Explorer (IE) will finally catch up with rival browsers next week when it begins blocking out-of-date ActiveX controls.
In a move described by Microsoft as being specifically about ActiveX, the new blocklist contains but one offender – Oracle's Java ActiveX control.
Fred Pullen, IE's product manager, and Jasika Bawa, security program manager, said that Microsoft will maintain the blocklist and add to it as other vulnerabilities are released or discovered.
The approach taken to Java is unsurprising really as older versions
of the plugin have often been used as an attack vector. In fact,
Microsoft's own security research
estimates that between 84.6 and 98.5 percent of all web-based exploits
in 2013 took advantage of Java vulnerabilities. Therefore blocking
out-of-date Java plugins has the potential to go a long way towards
securing end-user systems.
The upcoming block will not be an immovable barrier though – Internet
Explorer will give the user the ability to override it on a one-off
basis. Additionally, it will not apply to the Local Intranet Zone and
Trusted Sites Zone, which will allow business customers to maintain
compatibility via the continuing use of obsolete plugins where no viable
alternative exists, whilst protecting them from web-based threats.
The only downside to this good news is that the out-of-date ActiveX
blocking feature will only work with the company's most recent versions
of its operating system. Only users of Windows 7 SP1 or Windows 8 will
get it, and even then they will need to be running Internet Explorer 8
or later.
With that in mind, Internet Explorer users should also note that Microsoft will be ceasing support for older versions of its browser.
Historically, Microsoft has released each new version of its
operating system with five years of mainstream support, backed up with a
further five years of extended support. That means Windows, and all of
the software that comes bundled with it, benefit from a total of ten
years' service (or eleven in the case of Windows XP anti-malware support).
This level of dedication towards supporting older products may
explain why so many home and business users have stuck with older
versions of Windows for so long.
Now, however, Microsoft is keen to push users onto more up-to-date versions of its software. So unless you have a spare £5.5m
down the back of your sofa, you should really consider upgrading to a
current operating system before support for older versions of IE ends on
January 12, 2016.
From that time, only the following browser and operating system combinations will be supported:
- Vista SP2 and Windows 2008 SP with Internet Explorer 9
- Windows Server with Internet Explorer 10
- Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 R2 with Internet Explorer 11
Roger Capriotti, IE's director, said:
For customers not yet running the latest browser available for your operating system, we encourage you to upgrade and stay up-to-date for a faster, more secure browsing experience.
As close to 60% of web users still reportedly use IE, Microsoft's plan to
bring everyone onto modern versions of its browser is welcome, if a little late.
Its main competitors – Chrome and Firefox – enjoy a far higher rate
of new version adoption of their browsers whilst the majority of
Internet Explorer users are still stuck on version 8, which probably explains why Microsoft chose that version as the cut-off for ActiveX controls.
Even though IE users appear to be somewhat slower in adopting newer,
more secure versions of their browser, either due to a lack of
knowledge, motivation to install latest versions, or simply because
Microsoft were not pushing them with a big enough stick, it does not
mean that users of competing browsers can rest easy.
The PWN2OWN competition that ran back in March this year certainly
showed that Internet Explorer was susceptible to attack, but Firefox
fared worse and Chrome and Safari were far from immune either.
Ironically, the only PWN2OWN "winner" was Oracle's Java plugin that wasn't exploited at all, leading Chester Wisniewski to wonder if we should banish our browser woes by downloading the HotJava browser.