Microsoft: No IE Patch For Windows XP - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Operating Systems
News
4/28/2014
01:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Microsoft: No IE Patch For Windows XP

Hackers are already exploiting a new Internet Explorer flaw. Microsoft promises a fix -- but not for Windows XP.

Windows XP Game Over: 9 Upgrade Options
Windows XP Game Over: 9 Upgrade Options
(Click image for larger view and slideshow.)

Microsoft confirmed over the weekend that Internet Explorer (IE) versions 6 through 11 are susceptible to a newly discovered vulnerability, and that cyberattackers have already exploited the flaw. The company said it is investigating the bug, and it pledged to release a fix.

Microsoft will release the patch through either its monthly security update or a special out-of-cycle release. Whichever route Microsoft chooses, however, Windows XP users won't benefit. As of this month, the company no longer supports the OS. In March, XP still accounted for more than a quarter of Internet users, according to the web-tracking firm Net Applications.

In a blog post, Microsoft acknowledged that cybercriminals have already exploited the bug, but it said it is aware of only limited targeted attacks. The flaw allows remote code execution if a user visits a malicious website, which means an attacker could theoretically gain the same system privileges as the legitimate user.

[Wondering about your best option to replace WinXP? Read Windows XP Game Over: 9 Upgrade Options.]

"[Simply] looking at booby-trapped content such as a Web page or image file can trick IE into launching executable code sent from outside your network," Paul Ducklin, a researcher with the security vendor Sophos, wrote in a blog post.

In a second post related to the IE flaw, Microsoft detailed two methods to mitigate risk: enabling IE's Enhanced Protected Mode and using the company's Enhanced Mitigation Experience Toolkit (EMET) 4.1 and 5.0 Technical Preview products. Users can also, of course, use a different browser. Microsoft said accounts that are configured to allow fewer user rights could be less vulnerable than those that operate with full administrative rights.

The cybersecurity firm FireEye, which claimed credit for discovering the flaw, endorsed Microsoft's recommended precautions. In a blog post, the company said its testing found EMET versions 4.1 and 5.1 and Enhanced Protected Mode all successfully break or detect the exploit.

Homeland Security says to avoid IE until Microsoft issues a fix -- but even then, Windows XP users will be left in the cold.
(Source: cooling999, deviantart.com)
Homeland Security says to avoid IE until Microsoft issues a fix -- but even then, Windows XP users will be left in the cold.
(Source: cooling999, deviantart.com)

FireEye also noted that the vulnerability relies on Adobe Flash. "Disabling the Flash plugin within IE will prevent the exploit from functioning."

The United States Computer Emergency Readiness Team, a division of the Department of Homeland Security, recommends that users and administrators enable Microsoft EMET where possible and consider employing an alternative web browser until an official update is available.

FireEye said it is monitoring a group currently exploiting the flaw. The firm noted that the group has capitalized on zero-days in the past. The attackers are "extremely proficient at lateral movement and are difficult to track, as they do typically do not reuse command and control infrastructure."

The company nicknamed the group's campaign "Operation Clandestine Fire." However, citing the ongoing nature of its investigation, it declined to provide additional details, such as which companies or institutions have been targeted.

Though not as potentially widespread as the Heartbleed vulnerability disclosed this month, the new IE exploit could represent a significant threat. According to Net Applications, the browser family accounts for around a quarter of all Internet users

All versions of IE are affected, including those running on Windows 7, 8, and 8.1. But Windows XP users face the most serious threats. Brian Krebs, the security researcher who first reported last year's Target data breach, said in a blog post, "This is the first of many zero-day attacks and vulnerabilities that will never be fixed for Windows XP users." He noted that many of the exploit mitigation techniques that EMET brings do not work in XP.

Microsoft no longer supports XP, but many third-party security vendors do, which could give some IE-using XP holdouts another option. Ducklin suggested other workarounds, including disabling an IE extension called VGX.DLL, which is believed to be linked to the exploit.

Emerging standards for hybrid clouds and converged datacenters promise to break vendors' proprietary hold. Also in the Lose The Lock-In issue of InformationWeek: The future datacenter will come in a neat package (free registration required).

Michael Endler joined InformationWeek as an associate editor in 2012. He previously worked in talent representation in the entertainment industry, as a freelance copywriter and photojournalist, and as a teacher. Michael earned a BA in English from Stanford University in 2005 ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Lorna Garey
50%
50%
Lorna Garey,
User Rank: Author
4/30/2014 | 3:42:32 PM
Re: Why does anyone use IE?
Exactly -- if you're using XP/IE on your home system (and it has the hardware specs to support a newer OS) then I don't have much sympathy. But plenty of companies are locked into this software because of legacy stuff or critical functions that just don't work elsewhere. It's never as simple as moving 500 end users to Linux. Ever.
Shane M. O'Neill
50%
50%
Shane M. O'Neill,
User Rank: Author
4/29/2014 | 9:49:25 AM
Re: Why does anyone use IE?
It doesn't take much to get someone to switch browsers: slowness, a security scare, even just one annoying feature. IE has made some big advances in recent versions, but this new vulnerability on the heels of XP's end-of-life will turn a lot of people to Chrome, Firefox or Safari (if they're on a Mac). And once they leave IE, they don't tend to come back.
Michael Endler
50%
50%
Michael Endler,
User Rank: Author
4/28/2014 | 4:13:25 PM
Re: Why does anyone use IE?
Exactly. A certain crowd has been saying for months that Windows XP's termination would be no big deal, and that people could basically continue using it. As I've written a few times before, I can understand why some customers feel annoyed that they're being pushed off a usable product. But I've also found the "keep using XP" advice to be at best quixotic, and at worst, irresponsible.

If you're an IT pro who knows how to lock down an XP machine, that's one thing. When people using XP on closed networks say they're not concerned, I believe them. But there are millions of people out there, right now, running both XP and Internet Explorer, without any real awareness of why that combination is a particularly bad thing. It's inevitable that some people who insist on using Windows XP are gonna get burned-- perhaps only a minority of users, but for that minority, the potential damage is pretty bad.

Recently, I spoke with some family friends. They're not tech savvy and had a computer with Windows XP. A friend of theirs who works as a freelance IT consultant told them not worry about it, which I found absolutely insane. These people are fairly affluent and have been targets of identity theft attempts in the past—not broad spectrum, impersonal attacks; the targeted, individual, "attackers know who you are" kind. They're also not very interested in changing their computing behavior. Their situation isn't everyone's-- but I think it's one where a new computer was clearly the best option. Incidentally, they bought a Windows 7 PC.

 
Laurianne
0%
100%
Laurianne,
User Rank: Author
4/28/2014 | 1:55:56 PM
Re: Why does anyone use IE?
XP users who hang on because they are resistant to change will also resist changing browsers. Unofficial tech support consultants, your phones will ring this week.
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Commentary
New Storage Trends Promise to Help Enterprises Handle a Data Avalanche
John Edwards, Technology Journalist & Author,  4/1/2021
Slideshows
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Commentary
How to Submit a Column to InformationWeek
InformationWeek Staff 4/9/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Slideshows
Flash Poll