"Internet Explorer Now Retired but Still an Attacker Target"

On June 15, Microsoft officially ended support for the Internet Explorer (IE) 11 desktop application, putting an end to a browser that has been around for nearly 27 years. However, IE will continue to be a tempting target for attackers because some organizations are still using it despite Microsoft's long-known plans to deprecate the technology. Meanwhile, Microsoft has kept the MSHTML (aka Trident) IE browser engine in Windows 11 until 2029, allowing enterprises to run in IE mode while transitioning to the Microsoft Edge browser. IE is not dead yet, and neither are the threats to it. On Windows 10, Microsoft Edge has officially replaced the IE 11 desktop app, but as the MSHTML engine remains a part of the Windows operating system until 2029, enterprises are vulnerable to browser engine vulnerabilities even if they no longer use IE. According to Maddie Stone, a security researcher at Google's Project Zero bug-hunting team, IE has contained a number of zero-day vulnerabilities in recent years, despite its decreasing use. For example, the Project Zero team monitored four zero-days in IE last year, the most since 2016, when the same number of zero-days were detected in the browser. Three of the four zero-day vulnerabilities discovered last year (CVE-2021-26411, CVE-2021-33742, and CVE-2021-40444) targeted MSHTML and were attacked via techniques other than the Web. This article continues to discuss why IE is still an attractive target for attackers.

Dark Reading reports "Internet Explorer Now Retired but Still an Attacker Target"