The legacy IE survivor's guide: Firefox, Chrome... more IE?

Ask yourself, how many times do you want to rewrite?

Internet Security Threat Report 2014

Windows XP and IE6 users will be thrown to the wolves on 9 April, 2014. That's when Microsoft finally – after more than a decade – stops releasing security updates for operating system and browser.

Twelve years after it was released, IE6, Microsoft legacy web browser, refuses to die, with usage ranging from 0.2 per cent market share in the US and 0.5 per cent in the UK up to a whopping 22 per cent in China. Britain's taxman, HMRC was, until recently, running IE6 on 85,000 Windows XP PCs.

That's despite five browsers since it was released, two of those compatible with Windows XP with application of the appropriate service packs – SPs 2 and 3 at least give you IE7 and IE8.

Those on IE7 and IE8 are relatively safe – until support for these browsers' release operating system, Windows Vista, expires on 11 April, 2017. But, beware: even now, IE7 and IE8 are in Microsoft's "extended support mode" – same as IE6. Extended support means you get the security fixes – for now.

It's time to stop ignoring the IE6 deadline or procrastinating, browser peeps. It might not seem like the end of security updates would be that big of a deal for IE6 - after all, it's been nearly 15 years now, haven't attackers found all the vulnerabilities out there already? And just because you've got three to four more years doesn't mean IE7 and IE8 people shouldn't pay attention, too.

A blueprint for attackers

The problem on IE6 is, even if that were true – and it's not – Microsoft will continue to issue security updates for Windows Vista, Windows 7 and Windows 8, which means attackers have a script to work from when going after Windows XP.

As Tim Rains, Microsoft's Director of Trustworthy Computing, wrote in a blog post earlier this year: "The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities."


HMRC: Ran IE6 on 85,000 PCs

In other words, every security update Microsoft releases after April 2014 will serve as a blueprint for how to attack Windows XP. Windows XP won't necessarily be vulnerable to them all, but all it takes is one.

If you've long since left Windows XP behind, you may wonder why others have stuck with it for so long. The answer, particularly in the enterprise sector, is software. Legacy software that would be too expensive, or, in some cases, very time consuming to re-write keeps many a business soldier on with XP.

Much of that software happens to be browser-based – intranet apps written specifically for Internet Explorer 6, Widows XP's default browser.

The problems for IE6 holdouts – even those on IE7 and IE8 – are problems of history and standards. IE6 in particular landed big style on a lot of desktops becoming a corporate standard because businesses upgraded as part of an IT infrastructure modernisation stimulated by Y2K spending.

The longer they've stayed, the more they've been left behind by the web. Moving to IE7 and IE8 hasn't helped, either. That's because, pretty much, pre-IE9 Microsoft was not standards-compliant and rendered the web purely using its own legacy, black-box architecture. Things only started to change when Microsoft introduced dual rendering along with greater standards compliance in IE8 and then brand-new rendering engine in IE9.

IE6 used Microsoft's Trident rendering engine, optimised in a typically Microsoft way to play Microsoft's Active X framework for the web, which updated the company's existing COM and OLE diagramming software.

Only since IE9 has Microsoft improved Trident significantly to support more web standards. With IE9, Redmond also introduced a new JScript engine called Chakra - Jscript is Microsoft's implementation of the ECMAscript standard - which significantly speeds up Javascript processing times in recent versions of IE.

During this time, Microsoft has kept people safely ensconced on the proprietary stack by feeding out the support pipeline. While that's been in place, there's been no reason to change. Until now. Or rather, next April, when security support finishes.

If - and when - you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants

You've got to have standards

When Windows XP is swept into the dustbin of computing history, there's an excellent argument for writing apps that conform to web standards rather than the browser du jour.

Out on the web, this lesson was learned the hard way when IE6 lost market share and websites that required it were forced to change to web standards. These days websites and web apps are developed against web standards and will work in any browser that supports those standards.

If you've got legacy apps that require IE6, here's the good news: if – and when – you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants. Once you've written apps to industry-standards versions of HTML CSS and Javascript, the apps should run on most browsers tanks to their use of standards-compliant rendering engines.

If IE is still your cup of tea, IE9 gives you a more standards-like view of the web. That's when Microsoft deployed its Chakra rendering engine, the manifestation of the company's near Saul-like embrace of web standards in its browser.

Firefox uses the Gecko rendering engine, a community project under an open-source licence. until quite recently, Google's Chrome browser used the WebKit engine under a BSD and GNU LGP licence. But now – along with other Chromium-based browsers like Opera – it has moved to its own WebKit fork, Blink. The difference – theoretically – between these is speed, with the race of recent years being to render one's browser in the shortest space of time.

The reality is, the degree of difficulty you'll experience in converting your apps to work in modern browsers will – as ever – vary. If your app just uses non-standard CSS and consequently renders poorly in modern browsers, it likely won't be too hard to update it.

Intelligent flash storage arrays

Next page: The ActiveX factor

More from The Register

next story
Download alert: Nearly ALL top 100 Android, iOS paid apps hacked
Attack of the Clones? Yeah, but much, much scarier – report
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Microsoft: Your Linux Docker containers are now OURS to command
New tool lets admins wrangle Linux apps from Windows
Facebook, working on Facebook at Work, works on Facebook. At Work
You don't want your cat or drunk pics at the office
Soz, web devs: Google snatches its Wallet off the table
Killing off web service in 3 months... but app-happy bonkers are fine
First in line to order a Nexus 6? AT&T has a BRICK for you
Black Screen of Death plagues early Google-mobe batch
prev story


Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
10 ways wire data helps conquer IT complexity
IT teams can automatically detect problems across the IT environment, spot data theft, select unique pieces of transaction payloads to send to a data source, and more.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?