Internet Explorer is over. What happened?

Microsoft will end support for IE11 on a list of Windows versions. The company means versions of Windows 10 shipped through the semi-annual channel on systems running Windows and Windows 10 IoT client SKUs. Internet Explorer is also not available on Windows 11, which defaults to Chromium-based Microsoft Edge. However, IE will be available on some versions of Windows after June 15, 2022:

According to Microsoft, Internet Explorer 11 for operating systems that Microsoft support at the moment will receive lifetime security updates and technical support. In addition, the Edge browser will be able to select IE11 mode, which maintains backward compatibility with the original browser. This mode will be maintained until 2029.

Internet Explorer history. Why didn’t they discontinue it earlier?

Internet Explorer was one of the first web browsers available for the broad market. Appeared in 1995¹, it was competing with Netscape Navigator – the predecessor of Mozilla Firefox. Their confrontation is known as the First Browser War – and IE emerged victorious from this fight. By 2003, the default Windows browser had the absolute dominance of the browser market, accounting for about 95% of all users. His hegemony began crushing with the release of Mozilla Firefox – released by the defeated team of developers.

Still, the high market share does not mean that the product is ideal. In the late ‘90s, when there were no alternatives, Explorer was OK with its functionality and speed. However, the appearance of a broadband connection uncovered a ridiculous slowness of the IE. The JavaScript handling approaches were aimed at data saving, suitable for dialup connections – but inappropriate for high-speed Internet. The appearance of Firefox showed how browsers must actually look and work. That apparently was very contrast to what Internet explorer was offering. Slow, buggy, and vulnerable to malware injection, Explorer began losing the market share extremely quickly. But Microsoft did not pay any attention to the problem – the IE 7 that was intended to fix some of the problems was released in 2006, together with Windows Vista.

Slowness, huge amounts of bugs, delayed implementation of new features and compatibility issues created a halo of ill fame around Microsoft’s brainchild. Even the release of Internet Explorer 9, which had a lot of new features and finally got rid of the fabulous slowness, was not able to break the stereotypes. The tech giant from Redmond failed at that stage of the browser war – but that did not mean they stopped their attempts. Internet Explorer got its niche, and the complete discontinuation of its support was not advantageous for both Microsoft and its users. A decade after the Mozilla release, the market share of Internet Explorer was around 10% of the whole market. Meanwhile, Chrome had about 45% – an absolute monopoly in the browser market.

Why did Microsoft keep supporting Explorer?

Besides the disadvantages that made IE so unfavourable, Microsoft kept supporting it even after releasing the MS Edge browser together with Windows 10. The newbie is based on Chromium core, and practically has the same list of functions as was offered by the regular Chrome. Folks were sceptical about it, but then the public opinion on it changed. Microsoft did a great job on mistakes – and created a well-done browser, not amazing, but with its own unique features. For example, in Windows 11, it received extended web security abilities – thanks to its deep integration with the operating system and Windows Defender. But the latter is the other sad story of Microsoft software products.

Explorer had its niche, and it was generally infrastructure elements. Cash machines, information stands, interactive menus in restaurants – all of them were running the Explorer. The reason was the ability to ask Microsoft to create some specific functionality for them – an impossible thing for the broad-market browsers like the aforementioned Chrome. Internet Explorer runs on the proprietary MSHTML/Chakra engine, which can be adjusted only by Microsoft. Enterprise technologies always try to rely on other enterprise technologies, and that is the example.

Disabling it at the moment of the Edge release (that would be sudden) was inappropriate for both sides of this symbiosis. Therefore, MS decided just to stop the development of the IE – by keeping the support available. In July 2016, a year after the MS Edge release, the market share of IE shed to 5.4%. By 2021, the share of IE decreased to about 0.5% of the market – with Edge having a 3.5% share. That is miserable compared to Microsoft’s market share in the desktop OS market – over 80%.

The post Internet Explorer shutdown. The Epithaf appeared first on Gridinsoft Blog.

Currently, many users have already abandoned Internet Explorer, which has lived more than quarter of a century, but the company plans to drive final nail in the coffin of the browser on June 15, 2022, as Microsoft will focus on Edge.

While the Windows 10 servicing model known as the Long-Term Servicing Channel (LTSC) will continue to include Internet Explorer next year, all custom versions will no longer support the browser. Microsoft has not yet clarified, but most likely the last time Internet Explorer will appear on Windows will be in June 2022 or a little later.

An alternative for corporate users will be Microsoft Edge with IE mode. IE mode in Edge was introduced a few years ago, and with it, users can access legacy sites through the new Chromium-based browser.

IE Mode supports legacy ActiveX frameworks and legacy sites and is very popular with many companies. Microsoft promises to support IE mode in Edge until at least 2029.

The end of the life cycle of Internet Explorer occurs in several stages. Microsoft ended support for Internet Explorer 11 in the Microsoft Teams web app last year and plans to close its access to Microsoft 365 services this year. Internet Explorer 11 will no longer be supported by online services such as Office 365, OneDrive, Outlook, and more. from 17 August 2022.

Microsoft has been trying to convince users to abandon Internet Explorer for over five years. Microsoft Edge first appeared in 2015 and marked the beginning of the end of the Internet Explorer brand. Since then, the company has positioned IE not as a browser, but as a “compatibility solution,” and urged the company to ditch Internet Explorer in favour of Edge and IE mode.

Let me remind you that in January 2020, Microsoft reported a zero-day vulnerability in Internet Explorer, which the attackers had already used for “limited targeted attacks.”

The post Microsoft will end support for Internet Explorer in 2022 appeared first on Gridinsoft Blog.

The authors of the report write that many problems could have been avoided if the developers immediately corrected their products more thoroughly.

In 2020, thanks to the work of the Google Project Zero team, were identified 24 zero-day vulnerabilities, which were actively exploited by hackers. Six of them (in Chrome, Firefox, Internet Explorer, Safari and Windows) turned out to be new versions of previously known vulnerabilities. Supposedly, attackers carefully studied the old bug reports, figured out the original problems, and then created new versions of exploits for them.

In addition, three other issues that were discovered last year and affected Chrome, Internet Explorer and Windows were not fully fixed, that is, they eventually required additional patches. In fact, if hackers carefully studied the released fixes, they could discover a way to allow them to continue exploiting bugs and attacks.

Google Project Zero experts advise their colleagues to analyze 0-day vulnerabilities deeper and learn to work with such problems. Once the Google Project Zero team was created specifically to search and research zero-day vulnerabilities, and now its experts say that 0-day bugs are a kind of “window” that allows looking into the heads of attackers, learn as much as possible about possible attack vectors , classes of problems and how to deal with them.

Let me remind you that in the fall Google Project Zero discovered a 0-day vulnerability in the Windows kernel.

The post Google says that a quarter of all 0-day vulnerabilities are new variations of old problems appeared first on Gridinsoft Blog.

The current number of 0-day problems indicates that, most likely, that overall this year will be identified the same number of zero-day vulnerabilities, as in 2019 (20).

The link above leads to the company’s internal statistics, which Google specialists collected and tracked since 2014. So, for the first half of 2020, experts included the following problems in their list.

1. Firefox (CVE-2019-17026)

The bug that received the identifier CVE-2019-17026 was discovered by experts from the Chinese company Qihoo 360, and it was associated with the work of IonMonkey – the JavaScript JIT compiler SpiderMonkey, the main component of the Firefox kernel responsible for JavaScript operations (JavaScript engine of the browser). The vulnerability has been classified as type confusion.

The patches are included with Firefox 72.0.1 and are available here.

2. Internet Explorer (CVE-2020-0674)

The problem was exploited by the North Korean hacker group DarkHotel, in conjunction with the aforementioned 0-day bug in the Firefox browser. Both issues have been used to track targets in China and Japan, and have been discovered by Qihoo 360 and JP-CERT experts. Victims of this campaign were redirected to a site where either a Firefox or IE vulnerability was exploited; later victims were infected with the RAT Gh0st.

The patches are included in the February “Patch Tuesday” and are available here.

3. Chrome (CVE-2020-6418)

The vulnerability was identified by experts from the Google Threat Analysis Group, but there are no details about the attacks that exploited the problem.

The bug was fixed with the release of Chrome version 80.0.3987.122, patches are available here.

4 and 5. Trend Micro OfficeScan (CVE-2020-8467 and CVE-2020-8468).

Trend Micro employees spotted both zero days. The bugs supposely have been discovered when Trend Micro investigated a different, older zero-day issue in the same product, used for hacking of Mitsubishi Electric.

The patches can be found here.

6 and 7. Firefox (CVE-2020-6819 and CVE-2020-6820)

Detailed information about the attacks that used these 0-days has not yet been published, although cybersecurity researchers speculate that these problems could be part of a chain of exploits.

Vulnerabilities are fixed in Firefox 74.0.1, patches are available here.

8, 9, and 10. Microsoft (CVE-2020-0938, CVE-2020-1020, and CVE-2020-1027)

Google experts found and reported about all three bugs to Microsoft engineers. As with most other Google Threat Analysis Group “discoveries”, the details of these issues are kept secret and nothing is known about the attacks. The vulnerabilities were fixed as part of the April “update Tuesday”, patches are available here.

11. Sophos XG Firewall (CVE 2020-12271)

Earlier in 2020, an unknown group of hackers discovered and exploited this vulnerability. Later Sophos experts said that using the bug, hackers tried to deploy the Ragnarok ransomware on infected hosts, but the company said that it blocked most of the attempts.

Patches are available here.

Let me remind you that in 2019, Google specialists discovered 20 zero-day vulnerabilities, 11 of which were found in Microsoft products.

At the same time, experts explain that Microsoft has the most bugs, as there are more security tools designed to detect bugs in Windows.

The post Google: 11 0-day vulnerabilities identified in the first half of 2020 appeared first on Gridinsoft Blog.

Recall that back in January 2020, Microsoft reported a zero-day vulnerability in Internet Explorer, which the attackers had already used for “limited targeted attacks.”

The problem received the identifier CVE-2020-0674 and was associated with a vulnerability in the Firefox browser, which also became known in January. Apparently, the mentioned “limited attacks” were part of a larger hacker campaign, which also included attacks on users of Firefox.

“The problem was related to the IE script engine and violation of the integrity of memory information. Exploiting the vulnerability allows an attacker to execute arbitrary code in the context of the current user. To do this, just lure the IE user to a malicious site”, – Microsoft specialists describe this sensational vulnerability.

After an official patch has been released for CVE-2020-0674, Microsoft reported that Google Analytics Group and Chinese experts from Qihoo 360 originally detected the problem.

While Google did not publish any information about the operation of the bug, Qihoo 360 reports that the problem is associated with hacker’s band DarkHotel, which many researchers link with North Korea.

Information about four more vulnerabilities that received patches this month was publicly disclosed before release of fixes (however, any of these problems was used for attacks): these are two privilege escalation errors in Windows Installer (CVE-2020-0683 and CVE-2020 -0686), Secure Boot bypass (CVE-2020-0689), and information disclosure vulnerability in Edge and IE browsers (CVE-2020-0706).

“Most of the critical problems this month are RCE vulnerabilities and bugs related to the violation of the integrity of information in memory. The Chakra scripting engine, the Media Foundation component and LNK files received corrections for such defects”, – say the experts.

Separately, it is worth highlighting the problems found in Remote Desktop: two RCE vulnerabilities allowed remote execution of arbitrary code on the client side (CVE-2020-0681 and CVE-2020-0734).

Additionally, another problem of remote execution of arbitrary code (CVE-2020-0688) was fixed in Exchange. It could be exploited using malicious emails.

Let me remind you that no patches will help Windows 7 users, farewell system updates were for the last time released in January and the company no longer supports them for free.

Recently, however, the Free Software Foundation called on Microsoft to open Windows 7 code for the free-war support, but it is unlikely that the vendor will take this offer.

The post Microsoft fixed 0-day vulnerability in Internet Explorer and 99 more bugs in its products appeared first on Gridinsoft Blog.

Just a few days after the end of official support for Windows 7, it became known about a critical vulnerability in Internet Explorer, and the question arose whether the outdated OS would receive a fix.

According to Microsoft, the patch for the vulnerability will receive only Windows 7 users, which paid for extended support, and users of the home version of the OS will be left without an update.

“Now support has been discontinued; users without paid advanced support will no longer receive security updates. We continue to strive to help our customers stay safe as they upgrade their systems and upgrade to Windows 10. We understand that while we provide enough time to upgrade, some customers still lack it, so we offer them several options. Services like Microsoft FastTrack help speed up migration; you can also use the service “Virtual Desktop Windows” (includes three-year extended support for security updates) or arrange paid extended support. After the end of the support period, we will continue to work with our customers according to the most suitable course”, – told Beta News Microsoft representatives.

Recall that on January 14 of this year, Microsoft discontinued official support for Windows 7. This means that the company will no longer provide technical support, software updates, security updates, and patches for vulnerabilities.

On January 17 was reported about zero-day vulnerability in Internet Explorer (CVE-2020-0674). The vulnerability allows remote execution of arbitrary code on the system and is already exploited by cybercriminals in real attacks.

Currently, only a temporary micropatch is available for the problem and can be found on the 0patch platform.

According to the administration of the service, over the next three years it will release micro-patches for vulnerabilities in Windows 7 so that users will not be left alone with their devices.

The community of the My Digital Life online forum has found an illegal way to extend support for Windows 7: bypass Microsoft’s restrictions and allow the installation of Windows 7 Extended Security Updates on all systems. An illegal version of the OS is unlikely to help from this vulnerability.

The post Windows 7 users will not receive a patch for critical vulnerability in the IE appeared first on Gridinsoft Blog.

The problem received the identifier CVE-2020-0674 and it is associated with a vulnerability in the Firefox browser. Apparently, the mentioned “limited attacks” are part of a larger hacker campaign, which also included attacks on Firefox users.

“The problem is with the IE script engine and violation of the integrity of memory information. Exploiting the vulnerability allows an attacker to execute arbitrary code in the context of the current user. To do this, just lure the IE user to a malicious site”, — say Microsoft experts.

According to Microsoft, the vulnerability affects Internet Explorer 9, 10 and 11 when running on Windows 7, 8.1, 10, Server 2008, Server 2012, Server 2016 and Server 2019. However, there is no official patch for the vulnerability yet; instead were published safety (ADV200001) to help reduce risks. Interestingly, described by Microsoft measures can “lead to reduced functionality of components or functions that depend on jscript.dll.

Specialists at ACROS Security, the developer of the 0patch solution, have discovered that Microsoft recommendations can lead to a number of negative side effects, including:

• Windows Media Player stops playing MP4 files;
• The sfc tool, which checks the integrity of protected system files and replaces the incorrect versions with the correct ones, experiences problems with jscript.dll with changed permissions;
• Printing via Microsoft Print to PDF is broken;
• PAC scripts may not work.

This platform is designed specifically for such situations, as fixing for 0-day and other unpatched vulnerabilities to support products that are no longer supported by manufacturers, custom software, and so on. As a result, the developers of 0patch prepared and released a micropatch for Internet Explorer 11, ready for use on devices running Windows 7, Windows 10 1709, 1803 and 1809, Windows Server 2008 R2 and Windows Server 2019. It is reported that the patch is suitable for users of Windows 7 and Windows Server 2008 R2, for which Microsoft is unlikely to release hotfixes.

Our micropatch works as a switch that disables or enables the use of the vulnerable jscript.dll file by the Internet Explorer browser component in various applications (IE, Outlook, Word, and so on). In addition, our micropatch is designed in such a way as to avoid negative side effects that may occur after applying the methods recommended by Microsoft to neutralize the problem”, — the developers explain.

It is worth noting that Windows Media Player is an exception: the 0patch micropatch does not work for this application, since it in any case displays a security warning if a potential attacker tries to use it as an attack vector.

How scary it is to live with Windows: only recently I told you that the next day after the release of the fix for one of the most dangerous vulnerabilities in the history of Windows, security researcher Saleem Rashid demonstrated how it can be used to present a malicious site as any site on the Internet in terms of cryptography.

The post Temporary patch for 0-day vulnerability in Internet Explorer arrived on the Internet appeared first on Gridinsoft Blog.