Windows XP and IE6 users will be thrown to the wolves on 9 April, 2014. That's when Microsoft finally – after more than a decade – stops releasing security updates for operating system and browser.

Twelve years after it was released, IE6, Microsoft legacy web browser, refuses to die, with usage ranging from 0.2 per cent market share in the US and 0.5 per cent in the UK up to a whopping 22 per cent in China. Britain's taxman, HMRC was, until recently, running IE6 on 85,000 Windows XP PCs.

That's despite five browsers since it was released, two of those compatible with Windows XP with application of the appropriate service packs – SPs 2 and 3 at least give you IE7 and IE8.

Those on IE7 and IE8 are relatively safe – until support for these browsers' release operating system, Windows Vista, expires on 11 April, 2017. But, beware: even now, IE7 and IE8 are in Microsoft's "extended support mode" – same as IE6. Extended support means you get the security fixes – for now.

It's time to stop ignoring the IE6 deadline or procrastinating, browser peeps. It might not seem like the end of security updates would be that big of a deal for IE6 - after all, it's been nearly 15 years now, haven't attackers found all the vulnerabilities out there already? And just because you've got three to four more years doesn't mean IE7 and IE8 people shouldn't pay attention, too.

A blueprint for attackers

The problem on IE6 is, even if that were true – and it's not – Microsoft will continue to issue security updates for Windows Vista, Windows 7 and Windows 8, which means attackers have a script to work from when going after Windows XP.

As Tim Rains, Microsoft's Director of Trustworthy Computing, wrote in a blog post earlier this year: "The very first month that Microsoft releases security updates for supported versions of Windows, attackers will reverse-engineer those updates, find the vulnerabilities and test Windows XP to see if it shares those vulnerabilities."

HMRC: Ran IE6 on 85,000 PCs

In other words, every security update Microsoft releases after April 2014 will serve as a blueprint for how to attack Windows XP. Windows XP won't necessarily be vulnerable to them all, but all it takes is one.

If you've long since left Windows XP behind, you may wonder why others have stuck with it for so long. The answer, particularly in the enterprise sector, is software. Legacy software that would be too expensive, or, in some cases, very time consuming to re-write keeps many a business soldier on with XP.

Much of that software happens to be browser-based – intranet apps written specifically for Internet Explorer 6, Widows XP's default browser.

The problems for IE6 holdouts – even those on IE7 and IE8 – are problems of history and standards. IE6 in particular landed big style on a lot of desktops becoming a corporate standard because businesses upgraded as part of an IT infrastructure modernisation stimulated by Y2K spending.

The longer they've stayed, the more they've been left behind by the web. Moving to IE7 and IE8 hasn't helped, either. That's because, pretty much, pre-IE9 Microsoft was not standards-compliant and rendered the web purely using its own legacy, black-box architecture. Things only started to change when Microsoft introduced dual rendering along with greater standards compliance in IE8 and then brand-new rendering engine in IE9.

IE6 used Microsoft's Trident rendering engine, optimised in a typically Microsoft way to play Microsoft's Active X framework for the web, which updated the company's existing COM and OLE diagramming software.

Only since IE9 has Microsoft improved Trident significantly to support more web standards. With IE9, Redmond also introduced a new JScript engine called Chakra - Jscript is Microsoft's implementation of the ECMAscript standard - which significantly speeds up Javascript processing times in recent versions of IE.

During this time, Microsoft has kept people safely ensconced on the proprietary stack by feeding out the support pipeline. While that's been in place, there's been no reason to change. Until now. Or rather, next April, when security support finishes.

If - and when - you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants

You've got to have standards

When Windows XP is swept into the dustbin of computing history, there's an excellent argument for writing apps that conform to web standards rather than the browser du jour.

Out on the web, this lesson was learned the hard way when IE6 lost market share and websites that required it were forced to change to web standards. These days websites and web apps are developed against web standards and will work in any browser that supports those standards.

If you've got legacy apps that require IE6, here's the good news: if – and when – you bite the bullet and rebuild your apps using HTML standards, your IT department will be free to deploy any web browser it wants. Once you've written apps to industry-standards versions of HTML CSS and Javascript, the apps should run on most browsers tanks to their use of standards-compliant rendering engines.

If IE is still your cup of tea, IE9 gives you a more standards-like view of the web. That's when Microsoft deployed its Chakra rendering engine, the manifestation of the company's near Saul-like embrace of web standards in its browser.

Firefox uses the Gecko rendering engine, a community project under an open-source licence. until quite recently, Google's Chrome browser used the WebKit engine under a BSD and GNU LGP licence. But now – along with other Chromium-based browsers like Opera – it has moved to its own WebKit fork, Blink. The difference – theoretically – between these is speed, with the race of recent years being to render one's browser in the shortest space of time.

The reality is, the degree of difficulty you'll experience in converting your apps to work in modern browsers will – as ever – vary. If your app just uses non-standard CSS and consequently renders poorly in modern browsers, it likely won't be too hard to update it.

The ActiveX factor

If, on the other hand, your app relies on tons of ActiveX elements, it's going to be much harder to update it to break out of the Microsoft's view of the world.

While ActiveX made it easy-to-build apps by connecting your code to system code – ie, no need to write a video player, just call the ActiveX control – it also tightly integrated your app with the (now obsolete) system code. Easy at the time, difficult down the road.

What do you do if your company just doesn't have the resources to update a mission-critical app before April 2014? There is one possible stopgap measure that may help, Internet Explorer's Compatibility View that was introduced in IE8.

While the end goal should to be a move away from vendor lock-in to standards-compliant systems, sometimes it's just not possible to do everything at once. To help ease the transition from IE6 to something a bit more modern, you may want to, at least for a time, follow Microsoft's upgrade path. That is, jump from IE6 to IE8 or higher and use Compatibility View to make apps built for IE7 render as IE7 in IE10.

Mozilla: doing good?

The question is how far should you jump? IE9? IE10? Obviously, IE7 and 8 are out. Now IE11 is on the horizon. Fortunately you can narrow that considerably by just bearing in mind that the real key to making your legacy apps work is Compatibility View. In other words, there's no reason not to jump all the way to the latest version, IE10 at the time of writing.

IE10 can emulate IE7 just like IE8, but the rest of the time your employees will be using a much better browser. IE10 is faster, supports more modern web standards and offers a cleaner user interface. IE10 is the best version of IE that Microsoft has ever shipped and if you're going to upgrade, you may as well upgrade all the way to IE10.

To make sure that IE10 still renders your legacy intranet app properly, you'll just need to add a meta tag to your tag to your app's head tag. The Internet Explorer Dev Center has full details on the various ways you can turn on IE10's Compatibility Mode. Probably the simplest is to just add a "X-UA-Compatible" meta tag to your apps' HTML head tags. That will tell IE10 to render the page as IE7 would have.

For some apps this may help, but note that it's emulating IE7, not IE6. None of Microsoft's later releases are capable of rendering as IE6. It really was that bad.

While even rendering as IE7 may not work completely, it should mean a little less work since it shares many of the non-standard behaviours (ActiveX, etc) of IE6 ... and many of its rendering quirks as well. Ideally that means you'd just need to make a few changes to get your legacy apps working in IE10 compatibility mode. There is also an IE5 mode that emulates what's known as "quirks mode" that you can try if IE7 mode just isn't cutting it.

Between these two compatibility modes, most apps should be able to escape the it's-all-going-to-hell-in-April woods. Moving to IE10 for your legacy apps means you can also move to Windows 7, if not all the way to Windows 8. This is not, however, a future-proof solution.

What you want to do is shift platform support. That is: instead of supporting Microsoft, support the web.

What you've done so far is shift browser support. If you would like to move away from not just the dead-end legacy apps it's still dependent on, but the very reason those dead end apps are still around, you might want to kick IE to the curb.

What you want to do is shift platform support. That is, instead of supporting Microsoft, support the web. Build to web standards as defined by the W3C and you're no longer beholden to any one browser or any one company.

Provided you do that, you're free to move away from IE completely. That opens any number of possibilities, though the most enterprise-friendly options are Firefox and Google Chrome.

Mozilla offers an Extended Support Release (ESR) of Firefox aimed at enterprise environments. Each ESR release of Firefox is maintained for approximately one year, with point releases containing security updates coinciding with regular Firefox releases (currently every six weeks). Support is limited to Mozilla Enterprise Working Group mailing list.

Google likes businesses that use 'modern' browsers

For administrators, there's also FirefoxADM, which allows you to manage Firefox through Active Directory, more or less just like you're doing with IE6 now.

While Firefox is a viable option in many, Mozilla has not historically put much effort into the enterprise. ESR would suggest that's changing, but the organisation puts consumers first and change for the enterprise isn't likely isn't likely to come fast.

Google rolling out the carpet for big business browser users

Google Chrome is another option, one that's increasingly attractive to companies thanks to their increasing use of Google Apps – Gmail, Apps, Analytics and App Engine. For many IE shops, Chrome is at least becoming a standard for a second browser.

The catch is, though, Google has built these services to be best used by what it calls "modern browsers" – something Google defines as the latest two versions of Chrome, IE, Firefox and Safari that also support HTML5 without any special tricks. Since August 2011, Google's policy has been for its apps to support the most current version of these browsers plus the one before.

As far as Microsoft shops are concerned, if you're on IE6 you're long out of luck and when it comes to using Google's apps and you should forget IE8, too. Support for IE8 on apps finished on 11 November, 2012. Support for Google Analytics will stop at the end of this year.

There is an option for older apps. Google recently upped the ante for enterprise, offering the Chrome Legacy Browser Support extension. The Chrome Legacy Browser Support extension lets you to upgrade to Google Chrome while still opening your legacy IE apps.

The extension uses an exception list – compiled and maintained by your IT department – of sites that will cause Chrome to open them in what Google calls "legacy" browsers (Google-speak for IE). You can deploy Chrome, your employees can use it 99 per cent of the time and enjoy access to the latest and greatest on the web, but when they need to access an legacy app, Chrome will automatically open IE.

There's a corresponding plugin for IE, as well, so that when your users navigate away from the legacy app they will directed back to Chrome.

If you're on IE6 you're long out of luck – and when it comes to using Google's apps and you should forget IE8, too

The Chrome Legacy Browser Support extension works with IE versions six to 10.

This fits into a picture of making Google working to make Chrome more enterprise-friendly with tools for IT departments to manage large deployments. Google boasts some 150 tools for deploying and controlling Chrome in the enterprise.

Other tools include the update blocker. A headache for many large companies is Chrome's frequent update schedule, with new releases arriving every six weeks. Large organisations need time to test new versions of browsers with their own apps, to make sure there are no breaking changes or security issues and to then fix them. Google's new tools let enterprises turn their update policy to manual. The tradeoff, of course, is that you may miss security updates.

The next few months, even years, are going to be painful for legacy IE shops.

There's really no way to sugar coat it, you're screwed. Even with the get-out-of-jail prospect of moving to browsers that are standards-compliant, the transition will very likely be a bumpy one. Even with tools like Compatibility Mode and the Chrome Legacy Browser Support extension, it will come down to just how far your IE apps are tied into Microsoft's non-standards-based architecture.

That said, this is an opportunity to future-proof your IT infrastructure, whether you stay with IE or not, and avoid a repeat of your current predicament. ®

Speak your brains and pick the lobes of our Windows XP and IE migration experts in an end-of-XP Live Chat, October 11 at 3pm UK time. Joining us will be Avanade UK and Ireland chief technology officer Mark Corley, Browsium co-founder, chief operating officer and president Gary Schare and - following a last minute switch from Camwood - Dave Martin, head of project services for the application portfolio management specialist Camwood. Mark your calendars. The Live Chat starts at 3pm UK time, October 11.

Related stories

• HP signs ex-Microsoft IE crew for global migration fun and games (11 September 2015)

  https://www.theregister.com/2015/09/11/browsium_hp_mega_deal/

• Google: Go ahead, XP stalwarts, keep on using Chrome safely all YEAR (16 April 2015)

  https://www.theregister.com/2015/04/16/chrome_xp_deadline_extended/

• Microsoft: IE11 for Windows Phone 8.1 is TOO GOOD. So we'll cripple it like Safari (1 August 2014)

  https://www.theregister.com/2014/08/01/ie11_nonstandard_feature_support/

• Internet Explorer 11 at it again, breaks Microsoft's own CRM software (6 December 2013)

  https://www.theregister.com/2013/12/06/ie11_breaks_dynamics_crm_online/

• Internet Explorer 11 for Win7 bods: Soz, no HTML5 fun for you (11 November 2013)

  https://www.theregister.com/2013/11/11/ie11_features_not_for_win7/

• Google 'fesses up: Yup, we're KILLING OFF IE9 support for Gmail, Apps (7 November 2013)

  https://www.theregister.com/2013/11/07/google_kills_ie9/

• Not so Saucy after all: Ubuntu reveals Mirless Salamander... and what, no Britney? (18 October 2013)

  https://www.theregister.com/2013/10/18/ubuntu_13_10_final/

• Windows XP folks: At least GOOGLE still loves you ... UNTIL 2015 (16 October 2013)

  https://www.theregister.com/2013/10/16/google_extends_chrome_support_for_windows_xp_users_into_2015/

• Scottish gov follows cutting-edge Italian Post Office with Win 8 trial (11 October 2013)

  https://www.theregister.com/2013/10/11/windows_8_scottish_pilot/

• Hang in there, Internet Explorer peeps: Gaping zero-day fix coming Tues (4 October 2013)

  https://www.theregister.com/2013/10/04/oct_patch_tuesday_ie_0day_fix_due/

• 500 MEELLION PCs still run Windows XP. How did we get here? (1 October 2013)

  https://www.theregister.com/2013/10/01/six_months_end_xp_support/

• Microsoft relents: 'Go ahead, install Windows 8.1 on clean PCs' (17 September 2013)

  https://www.theregister.com/2013/09/17/windows_81_full_version_software/

• Ballmer's emotional farewell to Redmond: I LOVE THIS COMPANY (23 August 2013)

  https://www.theregister.com/2013/08/23/steve_ballmer_memo_to_staff_about_retirement/

• Microsoft Patch Tuesday: The '90s called. It wants its 'Ping of Death' back (14 August 2013)

  https://www.theregister.com/2013/08/14/ms_august_patch_tuesday_2013/

• Win XP alive and kicking despite 2014 kill switch (Don't ask about Win 8) (2 August 2013)

  https://www.theregister.com/2013/08/02/windows_8_v_windows_xp_july_data/

• Happy 20th birthday, Windows NT 3.1: Microsoft's server outrider (1 August 2013)

  https://www.theregister.com/2013/08/01/windows_nt_anniversary/