Microsoft Corp. is issuing an emergency (out-of-band) update to Internet Explorer today, aiming to patch a vulnerability publicly disclosed Apr. 26 – and it’s also releasing this update for Windows XP, despite ending support for the 13-year-old operating system on Apr. 8.
The vulnerability, tracked as CVE-2014-1776, allows remote code execution with the same rights as the logged-on user. For example, if an administrator was using the machine and visited a malicious site, an attacker could install programs such as malware, change passwords, create accounts, and steal data; a user running with standard (non-administrator) rights limits what an attacker can do with the same exploit. The vulnerability affects Internet Explorer 6 through Internet Explorer 11.
As most of its customers already have automatic updates enabled, they won’t have to do anything extra, but Microsoft is urging anyone who is updating manually to download and install the patch as soon as possible.
Given how long Microsoft had been announcing that it would no longer support Windows XP, it’s surprising to see the company backpedal and issue a patch, says Karl Sigler, threat intelligence manager at Trustwave Holdings Inc.
“I’m surprised, to be honest. Microsoft is in a pretty tight spot. We’ve known that the sunset [date] for Windows XP has been coming for three years. Despite that, despite everybody in the industry talking about the security benefits of Windows 7, nobody’s really moving from XP. If it’s not broken, they’re not going to fix it,” he says, noting many companies are still running the legacy operating system on their machines, making this a serious vulnerability.
Sigler adds Microsoft will be releasing a scheduled patch on May 13, but he doubts Microsoft will be including Windows XP in that particular update.
“They could surprise us all, but given how long a lead time and how much they’ve been banging the drum on the death of XP, I really think this will be the last patch, and it’s going to leave a lot of people vulnerable.”
In a blog post, Adrienne Hall, general manager of Trustworthy Computing at Microsoft, said the company decided to release the XP patch because the operating system’s end-of-support date was so recent.
“We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown,” she wrote.
“The reality is that the threats we face today from a security standpoint have really outpaced the ability to protect those customers using an operating system that dates back over a decade. This is why we’ve been encouraging Windows XP customers to upgrade to a modern, more secure operating system like Windows 7 or Windows 8.1.”
Attackers have already exploited the vulnerability, with the first news of an attack coming from FireEye Inc. On Saturday, the security firm wrote a blog post saying it had found a campaign called “Operation Clandestine Fox,” a zero-day attack targeting Internet Explorer versions 9 through 11 (the flaw itself affects versions 6 through 11).
The U.S. Department of Homeland Security also issued an advisory about the vulnerability on Apr. 28, recommending that Windows XP users switch to a different browser until a patch was issued.
The news of Microsoft’s patch comes on the heels of other headlines on recently exploited vulnerabilities. On Apr. 28, Adobe Systems Inc. announced it was issuing a patch for Flash Player, after attacks started coming from a website run by the Syrian Ministry of Justice and taken over by hackers.
And earlier in April, stories on the Heartbleed vulnerability garnered international attention, as news broke that attackers could leverage the flaw in OpenSSL to read memory from affected servers, exposing data that was supposed to be protected by encryption on the Web, in email, in instant messaging, and on some virtual private networks.
“[Zero-day attacks are] the hardest problem in security … If you don’t know what the vulnerability is, you really don’t know what to look for,” Sigler says.
He recommends that businesses protect themselves by having strong layers of security, like ensuring their anti-malware solutions are up to date. They should also use technologies like network intrusion detection and web filtering, and they need to train their employees to know how to identify phishing schemes and other potential attacks.
And if an attack does occur and a machine gets compromised, users should have backups of their data in case they need to wipe their machines, he adds.