Security concerns raised over Redmond’s efforts to support legacy web apps
Microsoft has reversed its stance on support for out-of-date browsers and unveiled plans to release an Internet Explorer Mode for Edge. The move, made in response to customer demand, will be a disaster for security, critics warn.
The next version of Edge will support functionality on Internet Explorer through a single browser, offering “the best of both worlds”, the tech giant said.
While Microsoft has continuously urged its customers to stop using legacy browsers like Internet Explorer – a practice that stores up “technical debt” – ongoing demand from enterprise has prompted Microsoft to abandon any immediate attempt to force organizations to revamp their intranets and improve their web security practices.
“Internet Explorer Mode, or IE Mode for short, provides compatibility for legacy websites, so that Microsoft Edge with IE Mode now has compatibility for modern websites when using the Chromium Engine and compatibility for legacy web apps using IE Mode,” said Fred Pullen, principal program manager on the Microsoft Edge team.
In a presentation posted on YouTube earlier this week, Pullen explained how Microsoft had previously offered Edge compatibility with older versions of Internet Explorer through various binary extensions that supported legacy web apps.
This support is now built into Edge itself, smoothing out those bumps in the road, but at a cost.
“Having all these doc modes means you have a much bigger attack surface than you would if you were running a modern browser without backward compatibility,” Pullen admitted.
An Enterprise Mode Site List was released in 2018 so that users with Edge as their default browser could automatically launch IE11 for any legacy sites or apps they needed.
“By introducing Internet Explorer Mode we’re effectively blurring the lines between the browsers,” Pullen said.
“If I encounter a site that requires backward compatibility in IE11, and it is on your Enterprise mode site list, or on your intranet, it will automatically render the site in the Microsoft Edge frame.”
The new Edge runs the Chromium browser engine under the hood, while adapting that technology for backward compatibility with sites that only work in IE.
This may sound like a gift to anyone who uses dated apps, but some independent experts are less than certain this should be “the next chapter in web browsing”, as Microsoft has put it.
Promised security improvements that come with the shift over to Chromium, for instance, may eventually feel pointless if a user whitelists a site that only works on a legacy browser (and one which is generally more susceptible to exploits).
Ivan Fratric, a security researcher at Google Project Zero, noted on Twitter several examples of whitelists equivalent to the Enterprise Mode Site List being abused.
Microsoft’s decision last year to disable Flash in Edge by default was a good example, he said: some sites were listed in an obfuscated format, which could allow attackers to bypass security checks.
“But surely, this time it is going to be different,” Fratric added.
“This time it is going to be done right and there will be no way to abuse the whitelists or escape the Intranet zone. Surely.”
The Daily Swig has reached out to Microsoft for comment.