Hackers can apply the same code-comparison techniques to the IE patches to create exploits for the browser on XP.
For those keeping score, that's 19 IE vulnerabilities and 15 Windows XP bugs with reverse engineering potential. Put another way, eliminating IE from the XP scenario would have reduced the attack surface by 57% last year.
Microsoft doesn't see it that way.
"Changing browsers won't mitigate this risk, as most of the exploits used in such attacks aren't related to browsers," Tim Rains, a director in Microsoft's Trustworthy Computing group, said in March when he named Web browsing the No. 1 risk to users still running Windows XP.
The numbers say otherwise, as do experts who don't work for Microsoft.
"You shouldn't be using IE on XP," said Michael Silver, an analyst with Gartner, in an interview last week. "The only reason to run IE on XP is to get to an enterprise's internal websites."
Silver gave his no-IE-on-XP advice after Microsoft patched the browser on May 1 to quash a bug that hackers had already been exploiting. Microsoft patched all versions of IE, but more importantly, broke with policy by offering the fixes to Windows XP users. At the time, Microsoft said it had decided to patch IE on XP — even though the latter had exited support — because it was just weeks after XP's retirement.
"For most enterprises, another lesson to learn [from the patch exception of May 1] is that users are pretty comfortable using multiple browsers," said John Pescatore, director of emerging security trends at the SANS Institute, a security training organization. "Most have tried to lock users into one browser, but that's a problem. The world has changed. Companies should get away from requiring just one browser."
In March, the U.S. Computer Emergency Readiness Team (US-CERT) told people who planned to stick with Windows XP to dump IE and replace it with a different browser to eliminate the former's now-unpatched vulnerabilities.
Google will continue to patch Chrome on XP until at least April 2015, and neither Mozilla nor Opera Software has plans to drop support for Firefox and Opera on XP any time soon.