Don’t put your users at risk: stop supporting the legacy, insecure versions of Internet Explorer, even if your stats suggest otherwise.
The article was updated on 4/20/2017 to reflect Windows Vista end of support.
On January 12, 2016 Microsoft announced end of support for IE10, IE9, and IE8 on Windows 7, Windows 8.1, and Windows 10. Internet Explorer 11 is now the last version of Internet Explorer on these platforms which will continue to receive security updates, compatibility fixes, and technical support.
It doesn’t mean that all legacy IE versions were officially gone in 2016. For example, IE9 on Windows Vista SP2 or IE10 on Windows Server 2012 still got updates. In the case of IE9 it was until the end of Vista’s life on April 11, 2017.
The following table shows which versions are available on which OS and whether they receive updates and security fixes:
| Windows XP | No | N/A | N/A | N/A | N/A | No ** | Yes | Yes |
| Windows Vista SP2 | No | No * | N/A | N/A | N/A | No ** | Yes | Yes |
| Windows Server 2012 | N/A | N/A | Yes | Yes | N/A | Yes | Yes | Yes |
* ended on April 11, 2017
** ended in April 2016
Don’t encourage risky behaviour
In general it’s thought that if a browser has more than 1% share in your statistics, you should support it in some form. However, in the case of the old IE versions we need to look at that in context:
Don’t we encourage risky behaviour by our users if we support insecure browsers?
In fact, it’s highly probable that nine recently fixed vulnerabilities in Internet Explorer also exist in IE7 and IE8, and in IE9 and IE10 on Windows editions ineligible for patching. As Gregg Keizer states in the above article:
The danger with known, but unpatched vulnerabilities is significant: Cyber criminals regularly parse updates and compare “before” and “after” code to determine what was changed.
In this case, the vulnerability found in, say, IE9 on Vista — which was patched this week — may give them insight into the location of the bug in the older IE8. From there, they can create an exploit for the unpatched browser.
So what should you do?
Even if a relevant number of your users still use legacy IE browsers, do not support them. If your site breaks in IE10, IE9 or IE8, let it break and force users to look for safer alternatives.
What about those users who might be using the old but patched IE versions?
IE9 users on Windows Vista SP2
Windows Vista SP2 lifecycle ended on April 11, 2017, so it was still possible that some of your users used a patched version of this browser in 2016.
I don’t think this was a reason to fix your site in IE9 either. You could use conditional comments and display a message recommending Firefox or Opera to them. Be aware that Chrome will stop support for Vista in April 2016 so it won’t be a safe alternative anymore.
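Conditional comments are honoured only by IE9 and older (IE10 ignores them in standards mode), so a script check is one way to cover IE10 with the same kind of notice. The following is an added example, not code from this article; the function names, notice text and sample User-Agent strings are constructed for illustration.

```javascript
// Added example. Written in ES3-compatible syntax so it also parses in the
// legacy browsers it is meant to detect.

// Trident engine version -> real IE version. The Trident token stays accurate
// in Compatibility View, where the MSIE token falsely reports "MSIE 7.0".
var TRIDENT_TO_IE = { '4': 8, '5': 9, '6': 10, '7': 11 };

function ieVersion(ua) {
  var trident = /Trident\/(\d+)\./.exec(ua);
  if (trident && TRIDENT_TO_IE[trident[1]]) {
    return TRIDENT_TO_IE[trident[1]];
  }
  // IE7 and older send no Trident token; fall back to the MSIE token.
  var msie = /\bMSIE (\d+)\./.exec(ua);
  return msie ? parseInt(msie[1], 10) : null; // null: not Internet Explorer
}

// Returns the notice text for IE10 and older, or null when no notice is needed.
function legacyIeNotice(ua) {
  var version = ieVersion(ua);
  if (version === null || version >= 11) {
    return null;
  }
  return 'Internet Explorer ' + version + ' is not supported on this site. ' +
         'Please switch to a browser that still receives security updates.';
}

// Constructed sample User-Agent strings (not taken from real traffic).
var SAMPLES = {
  ie8: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
  ie9Vista: 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0)',
  ie10: 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)',
  ie11: 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
  ie11Compat: 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)',
  firefox: 'Mozilla/5.0 (Windows NT 6.0; rv:52.0) Gecko/20100101 Firefox/52.0'
};

// In a browser, show the notice as the first element of the page.
if (typeof document !== 'undefined' && document.body) {
  var text = legacyIeNotice(navigator.userAgent);
  if (text) {
    var box = document.createElement('p');
    box.appendChild(document.createTextNode(text));
    document.body.insertBefore(box, document.body.firstChild);
  }
}
```

The User-Agent string cannot distinguish a Windows Server edition from the client edition with the same NT version, so this check treats both alike.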
IE on Windows Servers 2008 and 2012
Don’t do anything here. Windows Servers are most likely used by power users who use modern alternatives for their browsing or realize the consequences of using legacy browsers.
For further details on browsers supported on Windows Servers and Windows Embedded Operating Systems check this page.
Easier web development
Once you stop worrying about legacy IE versions, your web development will be easier and more cost effective.
Differences in supported features between IE10 and IE11 (which you still need to support) are not great, but the benefits are bigger if you drop IE9 and IE8 support. Not to mention you’ll have fewer browsers to test in.