Feeds

The legacy IE survivor's guide: Firefox, Chrome... more IE?

Ask yourself, how many times do you want to rewrite?

Providing a secure and efficient Helpdesk

Windows XP and IE6 users will be thrown to the wolves on 9 April, 2014. That's when Microsoft finally – after more than a decade – stops releasing security updates for operating system and browser.

Twelve years after it was released, IE6, Microsoft legacy web browser, refuses to die, with usage ranging from 0.2 per cent market share in the US and 0.5 per cent in the UK up to a whopping 22 per cent in China. Britain's taxman, HMRC was, until recently, running IE6 on 85,000 Windows XP PCs.

That's despite five browsers since it was released, two of those compatible with Windows XP with application of the appropriate service packs – SPs 2 and 3 at least give you IE7 and IE8.

Those on IE7 and IE8 are relatively safe – until support for these browsers' release operating system, Windows Vista, expires on 11 April, 2017. But, beware: even now, IE7 and IE8 are in Microsoft's "extended support mode" – same as IE6. Extended support means you get the security fixes – for now.

It's time to stop ignoring the IE6 deadline or procrastinating, browser peeps. It might not seem like the end of security updates would be that big of a deal for IE6 - after all, it's been nearly 15 years now, haven't attackers found all the vulnerabilities out there already? And just because you've got three to four more years doesn't mean IE7 and IE8 people shouldn't pay attention, too.

A blueprint for attackers

The problem on IE6 is, even if that were true – and it's not – Microsoft will continue to issue security updates for Windows Vista, Windows 7 and Windows 8, which means attackers have a script to work from when going after Windows XP.

As Tim Rains, Microsoft's Director of Trustworthy Computing, wrote in a blog post earlier this year: "The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities."

HMRC

HMRC: Ran IE6 on 85,000 PCs

In other words, every security update Microsoft releases after April 2014 will serve as a blueprint for how to attack Windows XP. Windows XP won't necessarily be vulnerable to them all, but all it takes is one.

If you've long since left Windows XP behind, you may wonder why others have stuck with it for so long. The answer, particularly in the enterprise sector, is software. Legacy software that would be too expensive, or, in some cases, very time consuming to re-write keeps many a business soldier on with XP.

Much of that software happens to be browser-based – intranet apps written specifically for Internet Explorer 6, Widows XP's default browser.

The problems for IE6 holdouts – even those on IE7 and IE8 – are problems of history and standards. IE6 in particular landed big style on a lot of desktops becoming a corporate standard because businesses upgraded as part of an IT infrastructure modernisation stimulated by Y2K spending.

The longer they've stayed, the more they've been left behind by the web. Moving to IE7 and IE8 hasn't helped, either. That's because, pretty much, pre-IE9 Microsoft was not standards-compliant and rendered the web purely using its own legacy, black-box architecture. Things only started to change when Microsoft introduced dual rendering along with greater standards compliance in IE8 and then brand-new rendering engine in IE9.

IE6 used Microsoft's Trident rendering engine, optimised in a typically Microsoft way to play Microsoft's Active X framework for the web, which updated the company's existing COM and OLE diagramming software.

Only since IE9 has Microsoft improved Trident significantly to support more web standards. With IE9, Redmond also introduced a new JScript engine called Chakra - Jscript is Microsoft's implementation of the ECMAscript standard - which significantly speeds up Javascript processing times in recent versions of IE.

During this time, Microsoft has kept people safely ensconced on the proprietary stack by feeding out the support pipeline. While that's been in place, there's been no reason to change. Until now. Or rather, next April, when security support finishes.

If - and when - you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants

You've got to have standards

When Windows XP is swept into the dustbin of computing history, there's an excellent argument for writing apps that conform to web standards rather than the browser du jour.

Out on the web, this lesson was learned the hard way when IE6 lost market share and websites that required it were forced to change to web standards. These days websites and web apps are developed against web standards and will work in any browser that supports those standards.

If you've got legacy apps that require IE6, here's the good news: if – and when – you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants. Once you've written apps to industry-standards versions of HTML CSS and Javascript, the apps should run on most browsers tanks to their use of standards-compliant rendering engines.

If IE is still your cup of tea, IE9 gives you a more standards-like view of the web. That's when Microsoft deployed its Chakra rendering engine, the manifestation of the company's near Saul-like embrace of web standards in its browser.

Firefox uses the Gecko rendering engine, a community project under an open-source licence. until quite recently, Google's Chrome browser used the WebKit engine under a BSD and GNU LGP licence. But now – along with other Chromium-based browsers like Opera – it has moved to its own WebKit fork, Blink. The difference – theoretically – between these is speed, with the race of recent years being to render one's browser in the shortest space of time.

The reality is, the degree of difficulty you'll experience in converting your apps to work in modern browsers will – as ever – vary. If your app just uses non-standard CSS and consequently renders poorly in modern browsers, it likely won't be too hard to update it.

Reducing the cost and complexity of web vulnerability management

Next page: The ActiveX factor

More from The Register

next story
'Windows 9' LEAK: Microsoft's playing catchup with Linux
Multiple desktops and live tiles in restored Start button star in new vids
Not appy with your Chromebook? Well now it can run Android apps
Google offers beta of tricky OS-inside-OS tech
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
NHS grows a NoSQL backbone and rips out its Oracle Spine
Open source? In the government? Ha ha! What, wait ...?
Google extends app refund window to two hours
You now have 120 minutes to finish that game instead of 15
Intel: Hey, enterprises, drop everything and DO HADOOP
Big Data analytics projected to run on more servers than any other app
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.