This week Microsoft finally took a step that's been years in the making: The company said it will retire its embattled Internet Explorer web browser on June 15, 2022. IE launched in 1995 and came preinstalled on every Windows device for almost 20 years beginning in 1997. But its ubiquity should not be confused with popularity. IE had speed, reliability, and performance issues, not to mention an endless parade of deeply problematic security issues.
“Yet another security-related browser bug has been uncovered, the sixth to affect Microsoft Internet Explorer this month,” WIRED wrote in March 1997. It's not just that IE had bugs, though. Its sorry reputation came from Microsoft's practice of bundling IE into its operating system while simultaneously flouting best practices for browser development and then failing to promote and distribute patches quickly. Even recently, when browsers like Chrome were receiving updates as needed, Microsoft updated IE only about once a month.
IE has long since fallen out of favor. Microsoft has spent five years cutting off support for various versions. But as of November, the browser was still the fourth-most-popular for desktops, with 5.2 percent market share, ahead of Apple's Safari, according to data from the web analytics firm NetMarketShare. And attackers are still actively targeting the sliver of IE devices that remain. That's why Microsoft will need to move even more users away over the next year. And those who remain after that will stay exposed long term.
“In recent years we continue to see exploit kits targeting vulnerabilities in Internet Explorer via malvertising campaigns," says Cedric Owens, a longtime security researcher and red team leader. "This then leads to Windows hosts being compromised with ransomware or malware that steals information. Microsoft moving away from Internet Explorer is a good thing.”
Microsoft has been trying to nudge its users toward Edge, the IE replacement that debuted in Windows 10, since 2015. It did so again this week. “If Internet Explorer has been your go-to for years, Microsoft Edge can now be your trusted web companion,” Microsoft Edge program manager Sean Lyndersay wrote in a blog post on Wednesday announcing IE's end-of-life plan.
But like several other pervasive late-1990s and early 2000s Microsoft products, Internet Explorer has taken a long time to die.
If you remember the long farewell to Windows XP, a project that is still very much ongoing, you've had a preview of what will likely happen with Internet Explorer. Microsoft 365 and other apps will end support for all versions of IE on August 17, and Internet Explorer 11 will fully retire a little more than a year from now. But even then, versions of Internet Explorer will linger on computers that don't receive updates, potentially including those in manufacturing and critical infrastructure settings. And a fraction of a percent is still a lot of devices when there are billions of Windows machines out there.
“While most of the vulnerabilities date back several years, users probably won’t stop relying on Internet Explorer, even when it’s officially killed by Microsoft," says Ryan Kalember, executive vice president of cybersecurity strategy at the enterprise security firm Proofpoint. "Significantly reducing risk will require active removal similar to what occurred recently with Flash, but we anticipate threat actors will continue to evolve their tactics as they target Microsoft users."
Plus, as with Windows XP's prolonged swan song, Microsoft actually will continue to support some versions of IE for a little longer. Server Internet Explorer 11 won't lose support next year, nor will the IE that's in Microsoft's Windows 10 enterprise LTSC program (Long-Term Servicing Channel).
To deal with legacy websites that were purpose-built to IE's specifications years ago, Microsoft has an IE mode in Edge that can still load the pages. Overall, though, the average web user shouldn't encounter major issues, or any issues really, switching to any current browser. But old habits die hard, and Internet Explorer will likely haunt the recesses of the web for a while longer.