The legacy IE survivor's guide: Firefox, Chrome... more IE?

Ask yourself, how many times do you want to rewrite?

Intelligent flash storage arrays

Windows XP and IE6 users will be thrown to the wolves on 9 April, 2014. That's when Microsoft finally – after more than a decade – stops releasing security updates for operating system and browser.

Twelve years after it was released, IE6, Microsoft legacy web browser, refuses to die, with usage ranging from 0.2 per cent market share in the US and 0.5 per cent in the UK up to a whopping 22 per cent in China. Britain's taxman, HMRC was, until recently, running IE6 on 85,000 Windows XP PCs.

That's despite five browsers since it was released, two of those compatible with Windows XP with application of the appropriate service packs – SPs 2 and 3 at least give you IE7 and IE8.

Those on IE7 and IE8 are relatively safe – until support for these browsers' release operating system, Windows Vista, expires on 11 April, 2017. But, beware: even now, IE7 and IE8 are in Microsoft's "extended support mode" – same as IE6. Extended support means you get the security fixes – for now.

It's time to stop ignoring the IE6 deadline or procrastinating, browser peeps. It might not seem like the end of security updates would be that big of a deal for IE6 - after all, it's been nearly 15 years now, haven't attackers found all the vulnerabilities out there already? And just because you've got three to four more years doesn't mean IE7 and IE8 people shouldn't pay attention, too.

A blueprint for attackers

The problem on IE6 is, even if that were true – and it's not – Microsoft will continue to issue security updates for Windows Vista, Windows 7 and Windows 8, which means attackers have a script to work from when going after Windows XP.

As Tim Rains, Microsoft's Director of Trustworthy Computing, wrote in a blog post earlier this year: "The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities."


HMRC: Ran IE6 on 85,000 PCs

In other words, every security update Microsoft releases after April 2014 will serve as a blueprint for how to attack Windows XP. Windows XP won't necessarily be vulnerable to them all, but all it takes is one.

If you've long since left Windows XP behind, you may wonder why others have stuck with it for so long. The answer, particularly in the enterprise sector, is software. Legacy software that would be too expensive, or, in some cases, very time consuming to re-write keeps many a business soldier on with XP.

Much of that software happens to be browser-based – intranet apps written specifically for Internet Explorer 6, Widows XP's default browser.

The problems for IE6 holdouts – even those on IE7 and IE8 – are problems of history and standards. IE6 in particular landed big style on a lot of desktops becoming a corporate standard because businesses upgraded as part of an IT infrastructure modernisation stimulated by Y2K spending.

The longer they've stayed, the more they've been left behind by the web. Moving to IE7 and IE8 hasn't helped, either. That's because, pretty much, pre-IE9 Microsoft was not standards-compliant and rendered the web purely using its own legacy, black-box architecture. Things only started to change when Microsoft introduced dual rendering along with greater standards compliance in IE8 and then brand-new rendering engine in IE9.

IE6 used Microsoft's Trident rendering engine, optimised in a typically Microsoft way to play Microsoft's Active X framework for the web, which updated the company's existing COM and OLE diagramming software.

Only since IE9 has Microsoft improved Trident significantly to support more web standards. With IE9, Redmond also introduced a new JScript engine called Chakra - Jscript is Microsoft's implementation of the ECMAscript standard - which significantly speeds up Javascript processing times in recent versions of IE.

During this time, Microsoft has kept people safely ensconced on the proprietary stack by feeding out the support pipeline. While that's been in place, there's been no reason to change. Until now. Or rather, next April, when security support finishes.

If - and when - you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants

You've got to have standards

When Windows XP is swept into the dustbin of computing history, there's an excellent argument for writing apps that conform to web standards rather than the browser du jour.

Out on the web, this lesson was learned the hard way when IE6 lost market share and websites that required it were forced to change to web standards. These days websites and web apps are developed against web standards and will work in any browser that supports those standards.

If you've got legacy apps that require IE6, here's the good news: if – and when – you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants. Once you've written apps to industry-standards versions of HTML CSS and Javascript, the apps should run on most browsers tanks to their use of standards-compliant rendering engines.

If IE is still your cup of tea, IE9 gives you a more standards-like view of the web. That's when Microsoft deployed its Chakra rendering engine, the manifestation of the company's near Saul-like embrace of web standards in its browser.

Firefox uses the Gecko rendering engine, a community project under an open-source licence. until quite recently, Google's Chrome browser used the WebKit engine under a BSD and GNU LGP licence. But now – along with other Chromium-based browsers like Opera – it has moved to its own WebKit fork, Blink. The difference – theoretically – between these is speed, with the race of recent years being to render one's browser in the shortest space of time.

The reality is, the degree of difficulty you'll experience in converting your apps to work in modern browsers will – as ever – vary. If your app just uses non-standard CSS and consequently renders poorly in modern browsers, it likely won't be too hard to update it.

Choosing a cloud hosting partner with confidence

Next page: The ActiveX factor

More from The Register

next story
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
Google opens Inbox – email for people too stupid to use email
Print this article out and give it to someone techy if you get stuck
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
prev story


Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.