An emergency security patch has been announced by Microsoft to address the zero-day flaw discovered in Internet Explorer last weekend. The high-profile vulnerability, affecting Internet Explorer versions 6 and above, allows remote code execution via a maliciously designed website. Microsoft said that the "update is fully tested and ready for release for all affected versions of the browser," and that for most users who have automatic updates enabled, no action will be needed as the patch will be downloaded and installed automatically.
Microsoft also decided to issue a security update for Windows XP, despite having ended support for the 13-year-old OS, including development and further security updates, as of 8th April 2014. This reflects the seriousness of the flaw and the fact that it is already being exploited in targeted attacks.
Researchers at FireEye reported on Thursday that attacks against IE8 on Windows XP have started to emerge. "Today, FireEye Labs can reveal a newly uncovered version of the attack that specifically targets out-of-life Windows XP machines running IE 8. This means that live attacks exploiting CVE-2014-1776 are now occurring against users of IE 8 through 11 and Windows XP, 7 and 8."
The U.S. Department of Homeland Security is also advising users to stop using IE until the browser is fixed, and with good reason: "We have also observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting. In addition to previously observed attacks against the Defence and Financial sectors, organizations in the Government- and Energy-sector are now also facing attack," the researchers wrote.
However, regardless of the update, Microsoft is still strongly advising XP users, who still account for over 26 per cent of computer netizens, to upgrade to newer versions of Windows OS. "Just because this update is out now doesn’t mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer," wrote Adrienne Hall, General Manager, Trustworthy Computing, on the Microsoft TechNet Blog.