
Critical Internet Explorer Flaw Patched, Even for XP

The critical Internet Explorer flaw that left every desktop version of Microsoft's Web browser vulnerable was patched today (May 1) — even for Windows XP, the outdated operating system that Microsoft officially stopped supporting April 8.

First revealed last Saturday (April 26), the vulnerability, present in IE 6 through 11, was so severe that the U.S. Department of Homeland Security even recommended that people avoid using Internet Explorer until the flaw was patched. Now that Microsoft has pushed out the patch, the update should install automatically if you have Automatic Updates enabled on your PC.


The Internet Explorer security flaw can be exploited to give remote attackers control of a user's computer, letting them install more malicious software onto the machine. A mysterious group — possibly foreign spies — were already using the flaw to target U.S. companies when Milpitas, California-based security firm FireEye discovered it.

Previously unknown flaws that are already being exploited are called "zero days," because experts have zero days to prepare defenses and patches before the attacks begin.

Not only did Microsoft issue today's patch outside of its usual "Patch Tuesday" cycle, which sees new updates on the first Tuesday of each month, but the company surprised digital-security experts and IT personnel by fixing the flaw in Windows XP, which it had ostensibly stopped patching after the latest Patch Tuesday on April 8.

That's excellent news for the owners of the roughly 20-30 percent of computers worldwide still running Windows XP, or at least that fraction that regularly installs security updates. However, to avoid attacks using this flaw, Windows users needed only to use any browser other than Internet Explorer.

Still, Windows XP users shouldn't expect future patches.

"We made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system," wrote Microsoft's Dustin C. Childs on the company's TechNet blog.

Although this vulnerability was originally used by a small group of attackers with very specific targets (in a campaign that FireEye dubbed "Operation Clandestine Fox"), now that the vulnerability is public knowledge, cybercriminals could very easily develop their own exploits, putting all users of unpatched Internet Explorer browsers at risk.

The attackers in Operation Clandestine Fox exploited the zero-day flaw by inserting specially crafted Adobe Flash files into Web pages they expected their targets to visit — a so-called watering-hole attack. The Flash files served as launching points for accessing and exploiting the flaw in Internet Explorer.

If you don't have Automatic Updates enabled on your computer, go to Windows Update on your computer (located in the Control Panel under System and Security) and manually install the patch. Then click Change Settings in Windows Update and select "Install updates automatically."
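For administrators who would rather verify the steps above than click through them, the following PowerShell script is an added example, not part of the original article or any Microsoft tooling. It reports the installed Internet Explorer version, checks whether a given update is present, and reads the Automatic Updates setting. It assumes the standard Windows Update and Internet Explorer registry locations and the built-in Get-HotFix cmdlet; the KB identifier is a placeholder that must be replaced with the number from Microsoft's bulletin, which this article does not give.

```powershell
# Added example (not from the original article): a defender-side check for the
# procedure above. Run from an elevated PowerShell prompt on the machine in question.
# Assumption: $PatchKB is a PLACEHOLDER; take the real KB id from the Microsoft bulletin.

$PatchKB = 'KB0000000'   # PLACEHOLDER - replace with the KB id of the IE security update

function Get-IEVersion {
    # IE 10 and later store the real version in svcVersion; older builds only have Version.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($null -eq $ie) { return $null }
    if ($ie.svcVersion) { return $ie.svcVersion }
    return $ie.Version
}

function Test-PatchInstalled {
    param([string]$KB)
    # Get-HotFix wraps Win32_QuickFixEngineering, the list of installed Windows updates.
    $hf = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    return ($null -ne $hf)
}

function Get-AutoUpdateSetting {
    # AUOptions: 1 = never check, 2 = check only, 3 = download and notify, 4 = install automatically.
    # A Group Policy value under HKLM:\SOFTWARE\Policies takes precedence over the local setting.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue

    if ($policy -and $policy.NoAutoUpdate -eq 1) { return 'Disabled by policy' }
    $value = $null
    if ($policy -and $policy.AUOptions) { $value = $policy.AUOptions }
    elseif ($local -and $local.AUOptions) { $value = $local.AUOptions }

    switch ($value) {
        1       { 'Never check for updates' }
        2       { 'Check for updates but do not download' }
        3       { 'Download updates but let me choose whether to install' }
        4       { 'Install updates automatically' }
        default { 'Unknown (no AUOptions value found)' }
    }
}

# Report the three facts an administrator needs after an out-of-band IE patch.
$ieVersion = Get-IEVersion
$installed = Test-PatchInstalled -KB $PatchKB
$auSetting = Get-AutoUpdateSetting

Write-Host "Internet Explorer version : $ieVersion"
Write-Host "$PatchKB installed        : $installed"
Write-Host "Automatic Updates setting : $auSetting"

if (-not $installed) {
    Write-Warning "$PatchKB is not installed; run Windows Update and install it manually."
}
if ($auSetting -ne 'Install updates automatically') {
    Write-Warning "Automatic Updates is not set to install automatically; change it in Windows Update > Change Settings."
}
```

Get-HotFix only lists updates applied through Windows Update or the Windows installer, so a machine patched with a standalone package that registers under a different KB id will show as missing until the placeholder is corrected; treat a negative result as a prompt to check Windows Update, not as proof the machine is unpatched.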

Email or follow her @JillScharr and Google+.