A post from Advent IM Security Consultant, Chris Cope.
Do you use Microsoft Internet Explorer? Are you using a version of Windows older than 8.1? If the answer to these questions is yes, or even don’t know, then you need to keep on reading.
From 12 January 2016, Microsoft will provide security updates only for Internet Explorer 11; previous versions will no longer be supported. Version 11 is the last release of Microsoft’s long-running Internet Explorer browser, with Microsoft Edge now supplied by default on newer versions of Windows, version 10 onwards. Internet Explorer 11 was made available for Windows 8.1 on 17 October 2013 and on 7 November 2013 for Windows 7, but for users who have been running Windows 7 for some time, an older version of Internet Explorer may be installed, which could include versions 8, 9 and 10. If you are using Microsoft Vista, or earlier, then you will definitely have a version of Internet Explorer which will no longer be supported.
What does this mean for home users and organisations? Security updates from vendors such as Microsoft aim to deal with software vulnerabilities that are present in a wide range of applications. Many applications are released with vulnerabilities which aren’t identified until after their official release, or become apparent following other in-service updates. The vulnerabilities are identified by either the vendor company, or a third party, and the race is then on to ensure that the vulnerability can be patched before it is exploited by an attacker. These vulnerabilities can lead to a number of attacks, including buffer overflows, remote code execution and privilege escalation. All of these attacks should be avoided by anyone who is serious about keeping their company, or personal, IT systems secure.
Without continuing support from Microsoft, any future vulnerabilities in Internet Explorer versions 8, 9 and 10 will not be patched. It would be wrong to assume that just because Internet Explorer has been in service for a significant amount of time, all the vulnerabilities would have been identified and patched by now. Vulnerabilities are routinely discovered in older, as well as newer, software.
So what do you need to do about this? Organisations should confirm that if Internet Explorer is installed, it has been updated to Version 11. Home users should do the same. If you are using a Windows operating system that is older than 8.1, then it is highly likely that you are using an older version of Internet Explorer. Visiting the Microsoft website will enable you to confirm the Internet Explorer version and upgrade. You can also check yourself by opening the browser, finding settings and clicking on ‘About Internet Explorer’. If you have an older version, then upgrades are available from the Microsoft website. Even if you don’t use Internet Explorer, if you have a Windows-based computer, it is highly likely that Internet Explorer has been installed, even if another browser has been installed afterwards and is now used by default. Even software which isn’t used can be a vulnerability which an attacker can exploit. Some organisations may find it difficult to update a particular piece of software across a network in a short time frame. If Internet Explorer cannot be upgraded to version 11 by the 12th, then the potential risks that the organisation now faces should be properly assessed, with mitigating actions put in place.
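For organisations that need to confirm the installed version on many machines rather than opening ‘About Internet Explorer’ on each one, the check can be scripted. The PowerShell below is an added example, not part of the original post; the function name `Get-IEVersionStatus` and its `-ComputerName` parameter are hypothetical, and remote checks assume PowerShell remoting is enabled on the target machines.

```powershell
# Added example (not from the original post): report the installed Internet
# Explorer version and flag anything older than version 11.
function Get-IEVersionStatus {
    param(
        # Hypothetical parameter: machines to check; defaults to this one.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $check = {
        $result = New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME
            Version  = $null
            Status   = 'Internet Explorer registry key not found'
        }
        $key   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { return $result }

        # IE 10 and 11 record their real version in svcVersion; the older
        # Version value stays at 9.x on those releases, so prefer svcVersion.
        $raw = $props.svcVersion
        if (-not $raw) { $raw = $props.Version }
        if (-not $raw) { $result.Status = 'Version value missing'; return $result }

        $result.Version = $raw
        if (([version]$raw).Major -ge 11) {
            $result.Status = 'OK: version 11'
        } else {
            $result.Status = 'UPGRADE: older than version 11'
        }
        return $result
    }

    foreach ($name in $ComputerName) {
        if ($name -eq $env:COMPUTERNAME) {
            & $check                      # local check, no remoting needed
        } else {
            # Assumes PowerShell remoting (WinRM) is enabled on the target.
            Invoke-Command -ComputerName $name -ScriptBlock $check
        }
    }
}

Get-IEVersionStatus | Select-Object Computer, Version, Status
```

Machines reported as `UPGRADE` are the ones that will stop receiving Internet Explorer security updates and belong in the risk assessment if they cannot be upgraded in time.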