"And now for something completely different."
-Monty Python's Flying Circus
If you have been in the industry for a while, you have heard the warning, "Internet Explorer (IE) is dead. It is insecure. It has been retired. You must get off Internet Explorer and onto a more modern and secure browser."
I have told you this many times and even scolded a few of you if I find it still active on your servers. It is a security risk to your network.
Microsoft suggested we all migrate to its new favorite browser, the Chromium version of Microsoft Edge. This inevitably led to an ongoing debate about using Google's Chrome browser or Microsoft's Edge version of the Chromium browser.
The debate raged that Microsoft's version had cleaner, better, perhaps more secure code than Google's. Who knows what the truth is on that? My experience has been that they are interoperable, and Edge can use all the Google Chrome browser extensions. Microsoft announced two special features about its version of the Chromium browser:
Microsoft Edge would run all the old Microsoft browser-specific tools like Microsoft Exchange.
If you encounter any old browser interfaces, Microsoft Edge has a built-in Internet Explorer browser compatibility mode.
Since I deal with both issues, I went with Microsoft Edge over Google Chrome.
I keep my browsers updated.
I limit my browser extensions.
I run an ad blocker like the FBI recommends.
I thought life was good - until Wednesday, October 16th.
Then, Microsoft disclosed in their Patch Tuesday release that they were patching an open vulnerability in Internet Explorer that was being actively exploited!
That seemed very odd, as Microsoft does not often patch a long-dead product unless there is a severe security issue that warrants patching discontinued software.
I still didn't understand how it was important to me.
I didn't use IE - or so I thought...
North Korean hackers were putting out fake ads that asked for IE, and then the default setting in Microsoft Edge would gladly automatically accommodate the IE compatibility request, exposing the true IE vulnerability.
Microsoft achieved historical IE compatibility by maintaining at least some portion of IE remnant code inside Microsoft Edge!
The good news is that if you apply the October Microsoft security patches, they patch the vulnerability.
However, I have decided that I no longer desire the default IE compatibility feature to be automatically enabled.
In Microsoft Edge, I went to Settings, Default Browser, and Internet Explorer compatibility and changed the setting from Default to Don't Allow.
I suggest you do the same.
-Scott Quimby, Senior Technical Advisor, CISSP
Acture/CSI
You must be logged in to post a comment.