Microsoft extends Internet Explorer 8 desktop lifeline to upgrade laggards

It's just like the XP saga all over again

By Gavin Clarke


Exclusive Don’t worry if you miss Microsoft’s January deadline to dump “legacy” versions of Windows and Internet Explorer. MS has a New Year's treat in store for you.

Microsoft has quietly begun offering Custom Support Agreements (CSAs) to those running old combinations of its browser and client after January 12, 2016.

The Register has learned of one very large manufacturer running nearly 100,000 PCs who has signed a CSA with Microsoft. The firm, who sources didn’t want to name but who know it intimately, is running a desktop combination of Windows 8.1 and IE 8.

Unfortunately, Microsoft will stop providing any and all security updates for IE8 on Windows 8.1 after January 12. To receive updates, patches and fixes will continue you’ll need a CSA – meaning dedicated Microsoft engineers.

Without a CSA, organisations running the browser and client combo after January 12 are on their own should new vulnerabilities or malware appear. Other browsers that will stop receiving support from Microsoft will be IE9 and IE10 on Windows 7 SP1.

Of its legacy desktop stack, Microsoft said last year it would only support IE9 on Vista SP2, 11 on Windows 7 SPE 1 and Windows 8.1.

According to the software giant’s stated policy after January 2016: “Only the most recent version of Internet explorer available for a supported operating system will receive technical support and security updates.”

A Microsoft spokesperson told The Register about the new CSAs: “We will continue to provide technical support and security updates for the most current version of Internet Explorer available for supported versions of Windows. If customers have a technical or business issue that prevents upgrading, we encourage them to reach out to their Microsoft account team or Microsoft partner.”

Until now, Microsoft has refused to talk about CSAs for the legacy client stack.

Microsoft announced the end-of-support date in April 2014, but in September this year The Reg reported many would miss the January date.

According to Gartner, the scale of the problem is bigger than Windows XP – Microsoft also stopped providing security updates for that client in April 2014.

Microsoft faced exactly the same situation on that Windows XP end-of-life, as customers tried and failed to hit the April cut-off date. Eventually, the software giant was forced to offer CSAs to those who would miss the end-of-support date.

Microsoft negotiated a special volume deal for the UK government because so many Whitehall and public sector bodies would overshoot.

CSAs are made deliberately expensive by Microsoft, as it doesn’t want to be stuck permanently supporting legacy software. Agreements for Windows XP were priced at $200 per desktop for year one, $400 for year two and $800 for a third year.

The irony of this deadline is that many who moved from Windows XP and running IE6 moved their browser at least to IE8, because it offered the path of least resistance in terms of re-writing applications and software portability.

Now, those who upgraded to IE8 must be shot of the browser no more than two years later. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Hot fuzz: Bug detectives whip up smarter version of classic AFL fuzzer to hunt code vulnerabilities

Flaw-spotting toolkit already has 42 zero-days to its name

Hey, you know what a popular medical record system doesn't need? 23 security vulnerabilities

Get patching after team gets under the skin of OpenEMR

New era for Japan, familiar problems: Microsoft withdraws crash-tastic patches

Upcoming calendar change more than Office can handle

VoIP bods Fuze defuse triple whammy of portal security vulnerabilities

Researchers using the service found a bunch of flaws

It's November 2018, and Microsoft's super-secure Edge browser can be pwned eight different ways by a web page

Look, we're tired of doing these headlines too, but there's patching to do

Beware the IDEs of Android: three biggies have vulnerabilities

Android Studio, Eclipse, and IntelliJ IDEA stabbed in the back by an XML parser

It's October 2018, and Microsoft Exchange can be pwned by a plucky eight-year-old... bug

Redmond goes retro in latest Patch Tuesday bundle

Most vulnerabilities first blabbed about online or on the dark web

Official bug notice? Sure, but not before I get cred and LOLs

White-box security webcam scatters vulnerabilities through multiple OEMs

Hands up anyone who tests what they stick their labels on. Anyone? We thought not

Microsoft to hackers: Finding Hyper-V bugs is hard. Change my mind. PS: Here's a head start...

Black Hat Prove us wrong, kids, and bag $250,000