4/28/2014
01:30 PM

Microsoft: No IE Patch For Windows XP

Hackers are already exploiting a new Internet Explorer flaw. Microsoft promises a fix -- but not for Windows XP.


Microsoft confirmed over the weekend that Internet Explorer (IE) versions 6 through 11 are susceptible to a newly discovered vulnerability, and that cyberattackers have already exploited the flaw. The company said it is investigating the bug, and it pledged to release a fix.

Microsoft will release the patch through either its monthly security update or a special out-of-cycle release. Whichever route Microsoft chooses, however, Windows XP users won't benefit. As of this month, the company no longer supports the OS. In March, XP still accounted for more than a quarter of Internet users, according to the web-tracking firm Net Applications.

In a blog post, Microsoft acknowledged that cybercriminals have already exploited the bug, but it said it is aware of only limited targeted attacks. The flaw allows remote code execution if a user visits a malicious website, which means an attacker could theoretically gain the same system privileges as the legitimate user.


"[Simply] looking at booby-trapped content such as a Web page or image file can trick IE into launching executable code sent from outside your network," Paul Ducklin, a researcher with the security vendor Sophos, wrote in a blog post.

In a second post related to the IE flaw, Microsoft detailed two methods to mitigate risk: enabling IE's Enhanced Protected Mode and using the company's Enhanced Mitigation Experience Toolkit (EMET) 4.1 and 5.0 Technical Preview products. Users can also, of course, use a different browser. Microsoft said accounts that are configured to allow fewer user rights could be less vulnerable than those that operate with full administrative rights.

The cybersecurity firm FireEye, which claimed credit for discovering the flaw, endorsed Microsoft's recommended precautions. In a blog post, the company said its testing found EMET versions 4.1 and 5.1 and Enhanced Protected Mode all successfully break or detect the exploit.

Homeland Security says to avoid IE until Microsoft issues a fix -- but even then, Windows XP users will be left in the cold.
(Source: cooling999, deviantart.com)

FireEye also noted that the vulnerability relies on Adobe Flash. "Disabling the Flash plugin within IE will prevent the exploit from functioning."

The United States Computer Emergency Readiness Team, a division of the Department of Homeland Security, recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.

FireEye said it is monitoring a group currently exploiting the flaw. The firm noted that the group has capitalized on zero-days in the past. The attackers are "extremely proficient at lateral movement and are difficult to track, as they typically do not reuse command and control infrastructure."

The company nicknamed the group's campaign "Operation Clandestine Fire." However, citing the ongoing nature of its investigation, it declined to provide additional details, such as which companies or institutions have been targeted.

Though not as potentially widespread as the Heartbleed vulnerability disclosed this month, the new IE exploit could represent a significant threat. According to Net Applications, the browser family accounts for around a quarter of all Internet users.

All versions of IE are affected, including those running on Windows 7, 8, and 8.1. But Windows XP users face the most serious threats. Brian Krebs, the security researcher who first reported last year's Target data breach, said in a blog post, "This is the first of many zero-day attacks and vulnerabilities that will never be fixed for Windows XP users." He noted that many of the exploit mitigation techniques that EMET brings do not work in XP.

Microsoft no longer supports XP, but many third-party security vendors do, which could give some IE-using XP holdouts another option. Ducklin suggested other workarounds, including disabling an IE extension called VGX.DLL, which is believed to be linked to the exploit.


Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ...

Comments
KeithP234,
User Rank: Apprentice
4/28/2014 | 1:48:16 PM
Why does anyone use IE?
Install Chrome / Firefox. Stop using IE. Done. Move on.
Laurianne,
User Rank: Author
4/28/2014 | 1:55:56 PM
Re: Why does anyone use IE?
XP users who hang on because they are resistant to change will also resist changing browsers. Unofficial tech support consultants, your phones will ring this week.
anon3232123117,
User Rank: Apprentice
4/28/2014 | 2:07:50 PM
Re: Why does anyone use IE?
Indeed. Why is anyone using IE? MS is so legacy.
Gary_EL,
User Rank: Ninja
4/28/2014 | 2:09:45 PM
Re: Why does anyone use IE?
I have a couple of decidedly non-technical friends who simply won't heed the warnings to get off XP. They think it's all hype to sell new computers and operating systems. Of course, it's only a matter of time until their machines get clobbered by some sort of malware. I wonder what they, and millions like them, will do once the inevitable happens?
Michael Endler,
User Rank: Author
4/28/2014 | 4:13:25 PM
Re: Why does anyone use IE?
Exactly. A certain crowd has been saying for months that Windows XP's termination would be no big deal, and that people could basically continue using it. As I've written a few times before, I can understand why some customers feel annoyed that they're being pushed off a usable product. But I've also found the "keep using XP" advice to be at best quixotic, and at worst, irresponsible.

If you're an IT pro who knows how to lock down an XP machine, that's one thing. When people using XP on closed networks say they're not concerned, I believe them. But there are millions of people out there, right now, running both XP and Internet Explorer, without any real awareness of why that combination is a particularly bad thing. It's inevitable that some people who insist on using Windows XP are gonna get burned-- perhaps only a minority of users, but for that minority, the potential damage is pretty bad.

Recently, I spoke with some family friends. They're not tech savvy and had a computer with Windows XP. A friend of theirs who works as a freelance IT consultant told them not to worry about it, which I found absolutely insane. These people are fairly affluent and have been targets of identity theft attempts in the past—not broad spectrum, impersonal attacks; the targeted, individual, "attackers know who you are" kind. They're also not very interested in changing their computing behavior. Their situation isn't everyone's-- but I think it's one where a new computer was clearly the best option. Incidentally, they bought a Windows 7 PC.

 
PaulS681,
User Rank: Ninja
4/28/2014 | 7:13:11 PM
Re: Why does anyone use IE?

I wrote an article in my company's newsletter pointing out that XP is not safe to run. I did point out some ways to run it, such as disconnected from the internet, but stressed that if you have an XP machine you should really start thinking about replacing it. I had a few people say I scared them. That wasn't my intent but I couldn't just tell them not to worry, it will be all fine. XP is unlike any other MS OS in that it is still widely used in business. That is exactly why it will be a target for hackers.

Shane M. O'Neill,
User Rank: Author
4/29/2014 | 9:49:25 AM
Re: Why does anyone use IE?
It doesn't take much to get someone to switch browsers: slowness, a security scare, even just one annoying feature. IE has made some big advances in recent versions, but this new vulnerability on the heels of XP's end-of-life will turn a lot of people to Chrome, Firefox or Safari (if they're on a Mac). And once they leave IE, they don't tend to come back.
TerryB,
User Rank: Ninja
4/29/2014 | 12:50:03 PM
Re: Why does anyone use IE?
Many of you are regular commentators I recognize and usually agree with. But do all of you really believe that if Chrome, Firefox, etc was the dominant browser for consumers that malware guys would not be finding exploits in those browsers? It reminds me of the people who swear the Mac o/s can't get malware because no one seems to report any incidents.

I'm no defender of Microsoft or IE but let's recognize this for what it is: malware guys have a long history and expertise at attacking MS because of its dominant market share. It will take awhile before those attacks shift across other o/s and browsers. Or do all of you really believe the code in other browsers is perfect?

But I agree this is worst case scenario for XP users. You knew it was a matter of time but never thought it would hit this quick. The smart thing for XP users to do is quit using Flash. Unless it's that same Flash game you've been playing forever and you have a link right to it. But browsing around to new sites with Flash enabled? Just a matter of time...
TeaPartyCitizen,
User Rank: Apprentice
4/29/2014 | 11:17:44 PM
Re: Why does anyone use IE?
@TerryB said "But do all of you really believe that if Chrome, Firefox, etc was the dominant browser for consumers that malware guys would not be finding exploits in those browsers? ... let's recognize this for what it is: malware guys have a long history and expertise at attacking MS because of its dominant market share."

But not using the dominant browser is still the solution!!! If one had to choose a field to cross and all choices had land mines in them, would you not choose to cross the field which had the least number of land mines in it rather than crossing the one which was most familiar to you but had the most number of land mines in it???

It scares me how people can have thoughts but these thoughts are totally illogical.
TerryB,
User Rank: Ninja
4/30/2014 | 2:26:21 PM
Re: Why does anyone use IE?
@teapartcitizen.  Yeah, just as illogical as cashing your SSN check while aligning your political views against big government.

Dude, we run a business here. We use MS Active Directory, Win 7 computers and free Sharepoint (wss 3.0) variety. Besides the fact IE is already loaded on computers, you ever see what Firefox and Chrome can do to that old wss 3.0 HTML code? If we are going to take time to install Chrome/Firefox on all of our 80 desktops and maintain the life cycle of those, you better believe we will have a good reason.

This isn't it. MS will patch. Switching browsers doesn't guarantee any security. I've seen apps, heck I've written apps, which work in one browser perfectly but have some glitch (usually visual) in another. That's the world the browser wars have spawned.

So don't equate your preference for one of these browsers over another as something everyone should do. Like most things, it's just not that simple.
Lorna Garey,
User Rank: Author
4/30/2014 | 3:42:32 PM
Re: Why does anyone use IE?
Exactly -- if you're using XP/IE on your home system (and it has the hardware specs to support a newer OS) then I don't have much sympathy. But plenty of companies are locked into this software because of legacy stuff or critical functions that just don't work elsewhere. It's never as simple as moving 500 end users to Linux. Ever.
jgherbert,
User Rank: Ninja
4/30/2014 | 10:46:42 PM
Re: Why does anyone use IE?
I have some sympathy where legacy software means a company is locked into XP. 

Wait, but do I? The end of XP support has been touted for a long time - long enough to investigate and migrate to alternatives. I suspect there are very few apps that can't, for a cost, be replaced with something else. If the companies haven't sorted this out yet, then it sounds like they've got another year's grace because in 12 months, that'll be it - and those legacy systems have just become a huge potential risk to the business.
jgherbert,
User Rank: Ninja
4/30/2014 | 10:56:27 PM
Re: Why does anyone use IE?
@TerryB, you're quite right. Microsoft has done a bang up job of locking people into their software whether by limiting support in other browsers than IE, using ActiveX plugins for functionality, integrating with MS Office, or whatever. If you use all those things, then the experience without doubt is much better than if you were to try the same with Chrome and Openoffice or similar ;-) So you have my sympathies about your WSS3.0 sites.

A previous company I was at designed everything only to work in IE. Why? Because it was standard, they were a MS partner, and it is much easier to make web pages work in a single browser than to work consistently across at least 2 or 3 others as well (which means it's cheaper to develop the sites).
TerryB,
User Rank: Ninja
5/1/2014 | 12:28:04 PM
Re: Why does anyone use IE?
@jgherbert  Yeah, I've had to take a similar approach. I'm using Ext JS now for client side browsers. Since my apps are targeted for internal users, I've "standardized" on IE9 and Chrome (version 34 now). I actually do my primary testing in Chrome since I prefer their debugger, then make sure IE9 (or higher) can run the app also. Pain in rear end but still beats what the poor guys who write for internet have to deal with. At least you don't have to insert all that conditional code testing which browser and running code specific to them.

We can only hope HTML5 lives up to its promise and makes all this go away. I'm sure Microsoft, Google and Mozilla guys will join hands and, while singing Kumba Ya, make all their browsers work the same. And then next day pigs will be flying.  ;-)
Li Tan,
User Rank: Ninja
5/3/2014 | 10:26:26 PM
Re: Why does anyone use IE?
In addition to IE, we do have other choices. Nowadays I use more FF compared to IE. But it's hard to predict and regulate end-user behavior. Many users will still use IE. The lack of support for IE on Windows XP will be really problematic at least for a certain period of time.
jgherbert,
User Rank: Ninja
4/30/2014 | 12:59:06 AM
Re: Why does anyone use IE?
"IE has made some big advances in recent versions, but this new vulnerability on the heels of XP's end-of-life will turn a lot of people to Chrome, Firefox or Safari (if they're on a Mac)."

 

Hey, you can get Safari for Windows too. I avoid Firefox these days - it's bloated and slow. Chrome whoops FF's ass every day of the week. Still, with a 50+% market share, a bug in IE is a bad thing even when it's on a supported problem. With the suspected number of active but unsupported Windows XP boxes out there, this may be a painful lesson for many people.
SaneIT,
User Rank: Ninja
4/30/2014 | 9:42:35 AM
Re: Why does anyone use IE?
My biggest issue with IE is that people who use it as their primary browser are so set in their ways that short of uninstalling or disabling it even with this exploit you will not convince them to stop using it even temporarily.   I also didn't expect the XP support issue to jump up and bite everyone so quickly but I'm kind of glad that it did, now maybe some people will take it seriously.
BillW334,
User Rank: Apprentice
4/29/2014 | 3:40:50 PM
Re: Why does anyone use IE?
Linux, in one of its many varieties.
Emused,
User Rank: Apprentice
4/28/2014 | 2:39:33 PM
Re: Why does anyone use IE?
With all the resources and drachmas M$ has at its disposal, it confounds me how IE (regardless of OS running on the system) still has this inherent sh&* that continues to happen. Been in business IT, twenty+ years now, same sh%* different pile.

Shame on you M$

Micro$oftie

 
Emused,
User Rank: Apprentice
4/28/2014 | 2:50:50 PM
Re: Why does anyone use IE?
Dude I hear ya, but A LOT of custom business apps are built around using the blah blah .NET etc. etc. IT manager 15 years Canadian ISP, M$ is locked in for a bit longer, until we bleed cash or data we live with IE


Micro$oftie
PaulS681,
User Rank: Ninja
4/28/2014 | 7:07:14 PM
Surprise Surprise

I bet everyone is surprised about this one. Well, it didn't take long for XP to be exploited, or more precisely, IE on XP. IE on all the supported OS's will be patched but I agree with just about everyone who has responded. Use another browser.

Quantum PC Support,
User Rank: Apprentice
4/29/2014 | 3:22:16 AM
Microsoft will release a patch for IE fault
This blog post explored bad news. I did not have the news about the problem which is occurring in IE. Recently I updated IE to IE11. It is really frustrating. The second bad news is no support or fix for Windows XP. I am waiting for a quick remedy from MICROSOFT.
SachinEE,
User Rank: Ninja
4/29/2014 | 3:19:44 PM
Re : Microsoft: No IE Patch For Windows XP
Even though I do not use Windows XP, I still think that it is rather selfish to suddenly stop providing services to people who still use it. I wonder what that means for users of Windows 7 (myself included) when Microsoft decides that it is time to render this operating system obsolete. And this trend is not only limited to Internet Explorer, even the regular updates to the operating system that were once so frequent have almost stopped. I think it would be more prudent to let users know the time duration over which an operating system will be 'valid' (meaning profitable to Microsoft) whenever they are selling their operating systems.
jgherbert,
User Rank: Ninja
4/30/2014 | 12:54:28 AM
Re: Re : Microsoft: No IE Patch For Windows XP

"Even though I do not use Windows XP, I still think that it is rather selfish to suddenly stop providing services to people who still use it."

 

XP is almost 13 years old; I think it's entirely fair for Microsoft to call EOL on it, given that there have been 3 major upgrades since then. How long should a company continue to support an old product in order to not be selfish, in your opinion?

We should share that number with, well, every other company who EOLs products, and see if they agree?

asksqn,
User Rank: Ninja
4/29/2014 | 4:06:23 PM
Another MS steaming pile of fail
Funny, but the CERT message I read that was issued today stated, "We are currently unaware of a practical solution to this problem," the Department of Homeland Security's United States Computer Emergency Readiness Team said in a post Monday morning.  That means there will be no resolution to this issue.  Users should immediately cease using IE and head directly to one of the others ASAP.  I highly recommend Chrome.  
anon8505928247,
User Rank: Apprentice
4/30/2014 | 2:48:55 PM
MS only "selling" XP updates now, not "giving" them away
For those of us with Enterprise Agreements or other arrangements with Microsoft, we are paying for updates for Windows XP at least for another year.  Plus, those using Windows XP Embedded (like 95% of ATM machines) will continue to get XP updates from Microsoft for about two years.

Microsoft IS developing and testing updates for Windows XP, how else could they be selling them to the governments of Great Britain, Netherlands, etc.?

Yes, Windows XP is 13 years old, but that doesn't mean it won't continue to be used, sometimes by the fault of slow-moving IT departments, other times by vendors, other times by feature retirement by Microsoft.  Many reasons that XP will exist for a while and not disappear quickly.  We all wish it would go away, but it cannot.