Posted on May 8, 2019
From our Chief Research Officer, Alexander Heid.
The announcement by Microsoft that the Edge web browser is moving to the Chromium engine is quite significant, and indicates that Microsoft has embraced the concept of open source software and will likely leverage open source code in the future for additional major development projects. The shift also indicates the full retirement of the antiquated and vulnerable Internet Explorer web browser. The use of Internet Explorer by the average personal computer user has pretty much vanished, as Microsoft no longer includes the software within new versions of Windows. However, the use of Internet Explorer legacy software is still quite common within the enterprise environment as there are many older applications that require the use of IE or related plugins.
In these latest releases, Microsoft appears to have created an 'IE View Mode' whereby users of the Edge browser can interface with legacy applications that require IE browsers. This appears to be available in order to provide backwards compatibility to enterprise customers - the documentation released by Microsoft last month talks about the 'Enterprise Mode': https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility
It will be interesting to see how the backwards compatibility features play out in the wild as they relate to the use of client-side browser exploits and other legacy/enterprise software client-side attack vectors. While it can be presumed that many of the common exploitable vectors in IE are now gone due to the use of the Chromium engine - it is always possible (and likely) that new vulnerabilities will emerge that did not previously exist, and attack methods will evolve to make use of these new features in ways that were not intended or anticipated during development. Backwards compatibility is oftentimes a vector that allows for exploitation of 'updated' software.
For more on the topic: https://www.verdict.co.uk/microsoft-build-internet-explorer-edge/