Many Windows XP users are no doubt relieved that Microsoft decided to include Windows XP in a security update for a recently-disclosed bug -- but they shouldn't assume support will continue. Microsoft said XP remains an unsupported product, and that it made an exception to include it in this update only because the issue arose so near the operating system's end-of-life deadline.
Microsoft began deploying the update around 1 p.m. EST on Thursday. Users who have enabled automatic updates shouldn't need to take any action. Otherwise, users can access the update via the Control Panel's Windows Update section. Microsoft rarely releases out-of-cycle updates like this one. Most arrive during the company's monthly Patch Tuesday releases.
After disclosing the bug last weekend, Microsoft suggested a number of workarounds, many of which were inapplicable to XP machines. In a blog post, Microsoft Trustworthy Computing GM Adrienne Hall encouraged XP users to upgrade.
She wrote that today's cyberthreats are too sophisticated for an operating system first released over a decade ago. Microsoft officials have repeated this message countless times in recent months, but many users remain unpersuaded; over a quarter of PC users still relied on XP in April, according to web-tracking firm Net Applications.
Attacks against XP are already ongoing, according to FireEye, the security firm that took credit for discovering the vulnerability and gave it its nickname, "Operation Clandestine Fox."
In a Thursday blog post, the firm said it has detected a "version of the attack that specifically targets out-of-life Windows XP machines running IE 8." FireEye said earlier attacks involved only IE 9, 10, and 11 on Windows 7 and 8. The bug affects all versions of IE from 6 to 11. The firm warned that the new method that involves XP "means the risk factors of this vulnerability are now even higher."
FireEye said it initially observed attacks against the defense and financial sectors but has since detected campaigns against government and energy institutions as well.
Microsoft will host a webcast Friday at 2:00 p.m. EST to discuss the security update in greater detail.