
Critical Internet Explorer Flaw Patched, Even for XP

Source: Tom's Guide US

The critical Internet Explorer flaw that left every desktop version of Microsoft's Web browser vulnerable was patched today (May 1) — even for Windows XP, the outdated operating system that Microsoft officially stopped supporting April 8.

First revealed last Saturday (April 26), the vulnerability, present in IE 6 through 11, was so severe that the U.S. Department of Homeland Security even recommended that people avoid using Internet Explorer until the flaw was patched. Now that Microsoft has pushed out the patch, the update should install automatically if you have Automatic Updates enabled on your PC.


The Internet Explorer security flaw can be exploited to give remote attackers control of a user's computer, letting them install more malicious software onto the machine. A mysterious group — possibly foreign spies — was already using the flaw to target U.S. companies when Milpitas, California-based security firm FireEye discovered it.

Previously unknown flaws that are already being exploited are called "zero days," because experts have zero days to prepare defenses and patches before the attacks begin.

Not only did Microsoft issue today's patch outside of its usual "Patch Tuesday" cycle, which sees new updates on the first Tuesday of each month, but the company surprised digital-security experts and IT personnel by fixing the flaw in Windows XP, which it had ostensibly stopped patching after the latest Patch Tuesday on April 8.

That's excellent news for the owners of the roughly 20-30 percent of computers worldwide still running Windows XP, or at least that fraction that regularly installs security updates. However, to avoid attacks using this flaw, Windows users needed only to use any browser other than Internet Explorer.

Still, Windows XP users shouldn't expect future patches.

"We made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system," wrote Microsoft's Dustin C. Childs on the company's TechNet blog.

Although this vulnerability was originally used by a small group of attackers with very specific targets (in a campaign that FireEye dubbed "Operation Clandestine Fox"), now that the vulnerability is public knowledge, cybercriminals could very easily develop their own exploits, putting all users of unpatched Internet Explorer browsers at risk.

The attackers in Operation Clandestine Fox exploited the zero-day flaw by inserting specially crafted Adobe Flash files into Web pages they expected their targets to visit — a so-called watering-hole attack. The Flash files served as launching points for accessing and exploiting the flaw in Internet Explorer.

If you don't have Automatic Updates enabled on your computer, go to Windows Update on your computer (located in the Control Panel under System and Security) and manually install the patch. Then click Change Settings in Windows Update and select "Install updates automatically."

Email or follow her @JillScharr and Google+.

  • 0 Hide
    danwat1234 , May 1, 2014 11:18 AM
    Wow I'm kind of surprised Microsoft folded to this. Maybe they'll continue to patch dangerous exploits for some time? At any rate maybe the patches going to the UK government and other entities that are paying for the patches might be leaked for all to use
  • 1 Hide
    bmwman91 , May 1, 2014 11:34 AM
    Kudos to Microsoft for this. I can probably stall on updating my parents' computers to 8.1 for a few more weeks lol.
  • 1 Hide
    WithoutWeakness , May 1, 2014 11:42 AM
    Because the patch is for IE and is likely a fix that works for all versions of IE that were affected I would guess that it was trivial for Microsoft to issue the patch to XP systems. Once they resolved it for newer versions they may have realized the same fix can be applied to the XP systems and pushed it out to them as well. If that's the case then it may not have been a whole lot more work to include XP and it's great for PR given how quickly this major bug was found right after XP support had ended.
  • -3 Hide
    canadianvice , May 1, 2014 11:49 AM
    Why does MS continue to fold? I wanted to see this stay as a threat for XP users!
  • -2 Hide
    Chris Droste , May 1, 2014 12:25 PM
    I think MS caved and pushed this to XP users because not only are there several major entities privately paying MS to support XP, but such a significant user base still uses the OS with no plans to move away that it would be irresponsible of them to NOT patch that last 20% of the world's Windows users, and it could generate an irreparable rift of dangerous zombie soldiers which any hacker for the foreseeable future could, in theory, mobilize to bring down hardened targets on the net.
  • 2 Hide
    bmwman91 , May 1, 2014 12:36 PM
    No doubt, patching this for XP was the "right" thing to do. As much as I am sure that MS wants people to buy licenses for their newer OS'es, they made a smart move by fixing a major hole for a platform that they said they were finished with. As Withoutweakness said, it probably wasn't all that much work anyway since making a patch to IE in one OS is probably not too much different than doing it for another, older relative OS.
  • -1 Hide
    knowom , May 1, 2014 12:36 PM
    Why does MS continue to fold? I wanted to see this stay as a threat for XP users!
    You're right, it should have stayed a threat to all Windows users since it was a vulnerability with IE, not the OS itself.
  • 0 Hide
    knowom , May 1, 2014 12:48 PM
    0 problems with XP since April 8th so far thank you Mozilla for your commitment to web browser security. IE doesn't discriminate no place is secure it hates all OS's equally.
  • -1 Hide
    falchard , May 1, 2014 1:54 PM
    Security Flaw -> US Gov backdoor.
  • 0 Hide
    JOSHSKORN , May 1, 2014 2:40 PM
    They should've extended Windows XP support at least until they get Windows 8.1 Update 2 out the door. After all, the whole hold-up is the lack of a Start Button. Adding a half-assed version of the Start Button with Windows 8.1 doesn't cut the mustard with most people, particularly when all it does is attempt to promote the Metro screen.
  • 0 Hide
    Andrea Verocio , May 1, 2014 3:47 PM
    I agree with josh.
    And I want to further reiterate that the lack of a proper start menu is disappointing.
  • 1 Hide
    Joseph DeGarmo , May 1, 2014 4:29 PM
    Thanks for the news. I just installed the updates on both my PC and tablet and after using Firefox for the last two days, I got my Internet Explorer back, Bing Bar, OneDrive bookmark syncing, and all.
  • 0 Hide
    mrface , May 1, 2014 5:59 PM
    The reason they patched XP is BECAUSE OF the big contract that Microsoft has with the US Gov. Rollout of Windows 7/8/8.1 still is not complete.... [/shrug]
  • 0 Hide
    f-14 , May 1, 2014 6:48 PM
    Fixing Internet Explorer 1-12 isn't an XP patch, it's a fix for IE for EVERY SYSTEM... otherwise IE would never have market share, considering Chrome and Firefox don't have the problem and would be patched anyway if they did. The best way to lose market share on one of your spyware apps is to keep supporting it no matter what. Microsoft learned this after the 98 IE 6 debacle when Chrome and Firefox easily filled their shoes in .02 seconds.

    Besides, you can't kill XP!
    The Matrix runs on Windows XP!
  • 0 Hide
    wdmfiber , May 1, 2014 7:55 PM
    Hilarious, or actually sad...
    The posts for the first article at Tom's explaining the exploit are 90% conspiracy theorists, "Microsoft did it on purpose to kill XP... sell more Win 8.1 copies".

    And the sky is falling, what a bunch of "wack jobs".
  • 0 Hide
    Christopher1 , May 2, 2014 2:04 AM
    0 problems with XP since April 8th so far thank you Mozilla for your commitment to web browser security. IE doesn't discriminate no place is secure it hates all OS's equally.

    Except that numerous security experts have said that Internet Explorer 9-11 are no more insecure than Firefox in the real world.
    The fact is that Internet Explorer has NO more vulns than Firefox does; the issue is that IE is too integrated into XP and Vista, so it can do a lot of bad things if it does get infected.
  • 1 Hide
    wardler , May 2, 2014 6:40 AM
    I have to say that I was considering the thought that MS 'created' this security loop-hole on purpose. I guess it is good to be wrong sometimes.
  • 1 Hide
    Since-86 , May 5, 2014 3:56 PM
    At the price structure they've put on Win8.1 it became too hard to resist for me and I left XP.

    The important thing to remember is that all browsers were exposed to a threat from a Flash-related security loophole. The problem is that older Flash modules (Adobe) left a memory hole that could be exploited. If you search the web you'll find stories about Mozilla Firefox users getting hit with a similar Flash-related bug from a Syrian website recently. Chrome also quickly issued a fix for the Flash-related bugs in the last few days. Presumably Mozilla did or will do the same in their upgrades. In a recent test by independent NSS Labs they found that Internet Explorer ver11 caught over 99.9% of the viruses trying to enter your system when you click on something in a bad email. Firefox caught 4.2%. Google, which is still based on some Firefox licenses, caught 70.7%. Opera was at 28%. So the important thing is transparency and response. Who's warning you when they find a problem? Who's got a fix?
