Feeds

The legacy IE survivor's guide: Firefox, Chrome... more IE?

Ask yourself, how many times do you want to rewrite?

Secure remote control for conventional and virtual desktops

Windows XP and IE6 users will be thrown to the wolves on 9 April, 2014. That's when Microsoft finally – after more than a decade – stops releasing security updates for operating system and browser.

Twelve years after it was released, IE6, Microsoft legacy web browser, refuses to die, with usage ranging from 0.2 per cent market share in the US and 0.5 per cent in the UK up to a whopping 22 per cent in China. Britain's taxman, HMRC was, until recently, running IE6 on 85,000 Windows XP PCs.

That's despite five browsers since it was released, two of those compatible with Windows XP with application of the appropriate service packs – SPs 2 and 3 at least give you IE7 and IE8.

Those on IE7 and IE8 are relatively safe – until support for these browsers' release operating system, Windows Vista, expires on 11 April, 2017. But, beware: even now, IE7 and IE8 are in Microsoft's "extended support mode" – same as IE6. Extended support means you get the security fixes – for now.

It's time to stop ignoring the IE6 deadline or procrastinating, browser peeps. It might not seem like the end of security updates would be that big of a deal for IE6 - after all, it's been nearly 15 years now, haven't attackers found all the vulnerabilities out there already? And just because you've got three to four more years doesn't mean IE7 and IE8 people shouldn't pay attention, too.

A blueprint for attackers

The problem on IE6 is, even if that were true – and it's not – Microsoft will continue to issue security updates for Windows Vista, Windows 7 and Windows 8, which means attackers have a script to work from when going after Windows XP.

As Tim Rains, Microsoft's Director of Trustworthy Computing, wrote in a blog post earlier this year: "The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities."

HMRC

HMRC: Ran IE6 on 85,000 PCs

In other words, every security update Microsoft releases after April 2014 will serve as a blueprint for how to attack Windows XP. Windows XP won't necessarily be vulnerable to them all, but all it takes is one.

If you've long since left Windows XP behind, you may wonder why others have stuck with it for so long. The answer, particularly in the enterprise sector, is software. Legacy software that would be too expensive, or, in some cases, very time consuming to re-write keeps many a business soldier on with XP.

Much of that software happens to be browser-based – intranet apps written specifically for Internet Explorer 6, Widows XP's default browser.

The problems for IE6 holdouts – even those on IE7 and IE8 – are problems of history and standards. IE6 in particular landed big style on a lot of desktops becoming a corporate standard because businesses upgraded as part of an IT infrastructure modernisation stimulated by Y2K spending.

The longer they've stayed, the more they've been left behind by the web. Moving to IE7 and IE8 hasn't helped, either. That's because, pretty much, pre-IE9 Microsoft was not standards-compliant and rendered the web purely using its own legacy, black-box architecture. Things only started to change when Microsoft introduced dual rendering along with greater standards compliance in IE8 and then brand-new rendering engine in IE9.

IE6 used Microsoft's Trident rendering engine, optimised in a typically Microsoft way to play Microsoft's Active X framework for the web, which updated the company's existing COM and OLE diagramming software.

Only since IE9 has Microsoft improved Trident significantly to support more web standards. With IE9, Redmond also introduced a new JScript engine called Chakra - Jscript is Microsoft's implementation of the ECMAscript standard - which significantly speeds up Javascript processing times in recent versions of IE.

During this time, Microsoft has kept people safely ensconced on the proprietary stack by feeding out the support pipeline. While that's been in place, there's been no reason to change. Until now. Or rather, next April, when security support finishes.

If - and when - you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants

You've got to have standards

When Windows XP is swept into the dustbin of computing history, there's an excellent argument for writing apps that conform to web standards rather than the browser du jour.

Out on the web, this lesson was learned the hard way when IE6 lost market share and websites that required it were forced to change to web standards. These days websites and web apps are developed against web standards and will work in any browser that supports those standards.

If you've got legacy apps that require IE6, here's the good news: if – and when – you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants. Once you've written apps to industry-standards versions of HTML CSS and Javascript, the apps should run on most browsers tanks to their use of standards-compliant rendering engines.

If IE is still your cup of tea, IE9 gives you a more standards-like view of the web. That's when Microsoft deployed its Chakra rendering engine, the manifestation of the company's near Saul-like embrace of web standards in its browser.

Firefox uses the Gecko rendering engine, a community project under an open-source licence. until quite recently, Google's Chrome browser used the WebKit engine under a BSD and GNU LGP licence. But now – along with other Chromium-based browsers like Opera – it has moved to its own WebKit fork, Blink. The difference – theoretically – between these is speed, with the race of recent years being to render one's browser in the shortest space of time.

The reality is, the degree of difficulty you'll experience in converting your apps to work in modern browsers will – as ever – vary. If your app just uses non-standard CSS and consequently renders poorly in modern browsers, it likely won't be too hard to update it.

Security for virtualized datacentres

Next page: The ActiveX factor

More from The Register

next story
Microsoft WINDOWS 10: Seven ATE Nine. Or Eight did really
Windows NEIN skipped, tech preview due out on Wednesday
Business is back, baby! Hasta la VISTA, Win 8... Oh, yeah, Windows 9
Forget touchscreen millennials, Microsoft goes for mouse crowd
Apple: SO sorry for the iOS 8.0.1 UPDATE BUNGLE HORROR
Apple kills 'upgrade'. Hey, Microsoft. You sure you want to be like these guys?
ARM gives Internet of Things a piece of its mind – the Cortex-M7
32-bit core packs some DSP for VIP IoT CPU LOL
Microsoft on the Threshold of a new name for Windows next week
Rebranded OS reportedly set to be flung open by Redmond
Lotus Notes inventor Ozzie invents app to talk to people on your phone
Imagine that. Startup floats with voice collab app for Win iPhone
'Google is NOT the gatekeeper to the web, as some claim'
Plus: 'Pretty sure iOS 8.0.2 will just turn the iPhone into a fax machine'
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.