Microsoft announces emergency patch for IE's zero-day flaw

by Mark Tyson on 2 May 2014, 09:15

Tags: Windows XP, Internet Explorer, PC

Quick Link: HEXUS.net/qacdxj

Add to My Vault: x

An emergency security patch has been announced by Microsoft to address the zero-day flaw discovered in Internet Explorer last weekend.The high-profile vulnerability, affecting Internet Explorer versions 6 and above, allows remote code execution via a maliciously designed website. Microsoft said that the "update is fully tested and ready for release for all affected versions of the browser," and that for most users who have automatic updates enabled, no action will be needed as the patch will be downloaded and installed automatically.

Microsoft also decided to issue a security update for Window XP, despite announcing end of support including development and further security for the 13 year old OS as of 8th April 2014. This shows the seriousness of the flaw, and that it is already being exploited in targeted attacks.

Researchers at FireEye reported on Thursday that attacks against IE8 on Windows XP have started to emerge. "Today, FireEye Labs can reveal a newly uncovered version of the attack that specifically targets out-of-life Windows XP machines running IE 8. This means that live attacks exploiting CVE-2014-1776 are now occurring against users of IE 8 through 11 and Windows XP, 7 and 8." 

The U.S. Department of Homeland Security is also advising users to stop using IE until the browser is fixed, and they have a good reason to give this advice; "We have also observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting. In addition to previously observed attacks against the Defence and Financial sectors, organization in the Government- and Energy-sector are now also facing attack," the researchers wrote.

However, regardless of the update, Microsoft is still strongly advising XP users, which still account for over 26 per cent of computer netizens, to upgrade to newer versions of Windows OS. "Just because this update is out now doesn’t mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer," wrote Adrienne Hall, General Manager, Trustworthy Computing on the Microsoft Technet Blog.

HEXUS Forums :: 30 Comments

Login with Forum Account

Don't have an account? Register today!
Posted by Corky34 - Fri 02 May 2014 09:29
XP the OS that just wont die, personally i would have left the flaw in XP unpatched.
It's not like people who still want to use XP couldn't use another browser, or shock horror actually upgrade.
Posted by CK_1985 - Fri 02 May 2014 09:47
Might seem like the obvious answer is to stop patching XP, but it's not that simple unfortunately. Microsoft have got numerous major organisations (various national governments, the NHS etc) paying them to keep XP patched because those organisations are too big to change. So Microsoft have got to produce the patches for their paying customers anyway, and then what are they going to do? NOT give them to anyone else?? They'd never get away with that!
Posted by crossy - Fri 02 May 2014 09:49
Corky34
XP the OS that just wont die, personally i would have left the flaw in XP unpatched.
… in that case I'm glad you're not in charge then! Apart from anything else, as the article says that there's still 26% of folk using it - do we really want to give the scummy blackhats that large a target to aim for? Don't forget that - as I was reminded recently - a pwned system can still be used for DDoS and spamming attacks on systems that don't have the flaw. Perhaps the old cliché about standing together or hanging separately applies?
Corky34
It's not like people who still want to use XP couldn't use another browser, or shock horror actually upgrade.
Actually I thought the same - apart from anything else I find using IE to be a poor experience compared to Chrome or Firefox. However I've come across some discussion that the “broken” bit is one of those components that the OS can also use, so just avoiding IE use (easy) isn't necessarily a guaranteed fix. If this is true it kind of rams home why bolting your web browser deep into the OS is a bad idea.

I've got XP for a test virtual machine - mainly because I had a spare license and Windows 7 was more resource intensive plus the licensing terms weren't as “compatible”. So I'll be firing that VM up shortly to see if I can get the fix.

I'll leave it to Saracen to explain why some people don't want to be bullied into upgrades, especially if that “upgrade” is to Windows 8.
Posted by shaithis - Fri 02 May 2014 10:05
It isn't really bullying…..it's a completely justified business practice. Microsoft already support their products way beyond the point the most others do.
Posted by Saracen - Fri 02 May 2014 10:18
crossy


I'll leave it to Saracen to explain why some people don't want to be bullied into upgrades, especially if that “upgrade” is to Windows 8.
Well, one reason is where XP is running, quite happily, on a machine that just won't run W7 or W8. So, “shock horror actually upgrade” means shock, horror, buying a whole new machine.

I have XP running on a 550Mhz dual-Pentium 2 machine with 256MB of RAM. Good luck running W7 on that. In fact, it wouldn't even fit on the HD in that machine.

Another machine is driving a specific piece of hardware, for which drivers later than XP don't exist. If I “shock horror just upgrade” I also have to find a replacement for that hardware, which by the way, works perfectly. So now, I'm buying a whoke new PC, and replacing that hardware, just to upgrade XP? Erm, no.

I have another machine with a database package running on it. Again, that database doesn't have a later version, because the company moved out of that product line. So, I have about 20 years of data in a customised (by me) database program which runs a central part of my business admin. I could probably find a new package to sort-of do what that package does, but it would take a lot of my time and effort, and even more to transfer history data from that old machine. And I find that history data very useful, so I either have to keep it on an old, XP machine and run something else going forward, ending up with split data, or I have to spend a LOT of time and effort identifying a new package, checking suitability and then writing all the customisations.

What I don't care about, though, is MS providing a patch for this, or any other, flaw. My XP machines, quite deliberately, don't have any internet connection, because nothing I do on them needs one. The only way they get security-compromised is where someone gets physical access.

That won't be true for all users, though. I'm probably the exception, not the rule. And, when we bought XP, it's supposed to be fit for purpose. If there's a serious security flaw like this, then I'd say there's a duty to patch it, in order to supply what we all paid for in the first place.

At it's simplest, if someone has an XP machine and they're happy that it does everything they want of it, which may be nothing more than sending and receiving a few mails and doing some online shopping, why be forced to upgrade. An old lady I know does exactly that, and it's all she does. She's in her 90's, on a very limited income, and she has to buy a new machine in order to run W7 or W8 in order to be able to send and receive a few mails and buy a few bits and bobs using online shopping? I don't think so.

SEE NEWER »