Microsoft extends Internet Explorer 8 desktop lifeline to upgrade laggards

It's just like the XP saga all over again

By Gavin Clarke


Exclusive: Don’t worry if you miss Microsoft’s January deadline to dump “legacy” versions of Windows and Internet Explorer. MS has a New Year's treat in store for you.

Microsoft has quietly begun offering Custom Support Agreements (CSAs) to those running old combinations of its browser and client after January 12, 2016.

The Register has learned of one very large manufacturer running nearly 100,000 PCs that has signed a CSA with Microsoft. The firm, which sources who know it intimately didn’t want to name, is running a desktop combination of Windows 8.1 and IE 8.

Unfortunately, Microsoft will stop providing any and all security updates for IE8 on Windows 8.1 after January 12. To continue receiving updates, patches and fixes, you’ll need a CSA – meaning dedicated Microsoft engineers.

Without a CSA, organisations running the browser and client combo after January 12 are on their own should new vulnerabilities or malware appear. Other browsers that will stop receiving support from Microsoft will be IE9 and IE10 on Windows 7 SP1.

Of its legacy desktop stack, Microsoft said last year it would only support IE9 on Vista SP2, and IE11 on Windows 7 SP1 and Windows 8.1.

According to the software giant’s stated policy after January 2016: “Only the most recent version of Internet Explorer available for a supported operating system will receive technical support and security updates.”

A Microsoft spokesperson told The Register about the new CSAs: “We will continue to provide technical support and security updates for the most current version of Internet Explorer available for supported versions of Windows. If customers have a technical or business issue that prevents upgrading, we encourage them to reach out to their Microsoft account team or Microsoft partner.”

Until now, Microsoft has refused to talk about CSAs for the legacy client stack.

Microsoft announced the end-of-support date in April 2014, but in September this year The Reg reported many would miss the January date.

According to Gartner, the scale of the problem is bigger than Windows XP – Microsoft also stopped providing security updates for that client in April 2014.

Microsoft faced exactly the same situation with the Windows XP end-of-life, as customers tried and failed to hit the April cut-off date. Eventually, the software giant was forced to offer CSAs to those who would miss the end-of-support date.

Microsoft negotiated a special volume deal for the UK government because so many Whitehall and public sector bodies would overshoot.

CSAs are made deliberately expensive by Microsoft, as it doesn’t want to be stuck permanently supporting legacy software. Agreements for Windows XP were priced at $200 per desktop for year one, $400 for year two and $800 for a third year.

The irony of this deadline is that many who moved from Windows XP running IE6 moved their browser at least to IE8, because it offered the path of least resistance in terms of re-writing applications and software portability.

Now, those who upgraded to IE8 must be shot of the browser no more than two years later. ®
