
Critical Internet Explorer Flaw Patched, Even for XP

The critical Internet Explorer flaw that left every desktop version of Microsoft's Web browser vulnerable was patched today (May 1) — even for Windows XP, the outdated operating system that Microsoft officially stopped supporting April 8.

First revealed last Saturday (April 26), the vulnerability, present in IE 6 through 11, was so severe that the U.S. Department of Homeland Security even recommended that people avoid using Internet Explorer until the flaw was patched. Now that Microsoft has pushed out the patch, the update should install automatically if you have Automatic Updates enabled on your PC.


The Internet Explorer security flaw can be exploited to give remote attackers control of a user's computer, letting them install more malicious software onto the machine. A mysterious group, possibly foreign spies, was already using the flaw to target U.S. companies when Milpitas, California-based security firm FireEye discovered it.

Previously unknown flaws that are already being exploited are called "zero days," because experts have zero days to prepare defenses and patches before the attacks begin.

Not only did Microsoft issue today's patch outside of its usual "Patch Tuesday" cycle, which delivers new updates on the second Tuesday of each month, but the company surprised digital-security experts and IT personnel by fixing the flaw in Windows XP, which it had ostensibly stopped patching after the latest Patch Tuesday on April 8.

That's excellent news for the owners of the roughly 20-30 percent of computers worldwide still running Windows XP, or at least that fraction that regularly installs security updates. However, to avoid attacks using this flaw, Windows users needed only to use any browser other than Internet Explorer.

Still, Windows XP users shouldn't expect future patches.

"We made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system," wrote Microsoft's Dustin C. Childs on the company's TechNet blog.

Although this vulnerability was originally used by a small group of attackers with very specific targets (in a campaign that FireEye dubbed "Operation Clandestine Fox"), now that the vulnerability is public knowledge, cybercriminals could very easily develop their own exploits, putting all users of unpatched Internet Explorer browsers at risk.

The attackers in Operation Clandestine Fox exploited the zero-day flaw by inserting specially crafted Adobe Flash files into Web pages they expected their targets to visit — a so-called watering-hole attack. The Flash files served as launching points for accessing and exploiting the flaw in Internet Explorer.

If you don't have Automatic Updates enabled on your computer, go to Windows Update on your computer (located in the Control Panel under System and Security) and manually install the patch. Then click Change Settings in Windows Update and select "Install updates automatically."
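For readers who manage more than one machine, the two checks above (is the fix installed, and is Automatic Updates set to install on its own) can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes PowerShell 2.0 or later (available for Windows XP SP3, built into Windows Vista and later) and that you supply the KB number of the fix yourself from Microsoft's security bulletin, since the article does not quote one.

```powershell
# Added example: verify that a given Windows Update is installed and that
# Automatic Updates is configured to install updates automatically.
# Assumption: $KbId is the KB number from Microsoft's bulletin for this fix
# (a placeholder here; the article does not state it). Run as Administrator.
param(
    [Parameter(Mandatory = $true)]
    [string]$KbId          # e.g. 'KB<number>' taken from the security bulletin
)

# 1. Is the hotfix present? Get-HotFix wraps Win32_QuickFixEngineering,
#    the same record Windows Update's "View update history" reads.
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq $KbId }
if ($installed) {
    "Update $KbId is installed (installed on: $($installed.InstalledOn))."
} else {
    "Update $KbId is NOT installed. Open Windows Update and install it manually."
}

# 2. Report the Internet Explorer build so it can be compared with the bulletin.
#    IE 10 and later record the real version in svcVersion; older builds in Version.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
"Internet Explorer version: $ieVersion"

# 3. Automatic Updates setting. A domain Group Policy, if present, overrides the
#    local setting, so check the policy key first. AUOptions values:
#    1 = disabled, 2 = notify before download, 3 = download then notify, 4 = install automatically.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
$source = 'Group Policy'
if (-not $au -or -not $au.AUOptions) {
    $au = Get-ItemProperty $localKey -ErrorAction SilentlyContinue
    $source = 'local setting'
}

switch ($au.AUOptions) {
    4       { "Automatic Updates ($source): install automatically. OK." }
    3       { "Automatic Updates ($source): download only. Change to 'Install updates automatically'." }
    2       { "Automatic Updates ($source): notify only. Change to 'Install updates automatically'." }
    1       { "Automatic Updates ($source): DISABLED. Enable it in Windows Update > Change settings." }
    default { "Automatic Updates setting not found; check Windows Update > Change settings by hand." }
}
```

Save it as, for example, Check-Update.ps1 and run it with the KB number from the bulletin as the -KbId argument. A machine that reports the update missing or AUOptions other than 4 is the one to fix first; on a Windows XP box that cannot run PowerShell, `wmic qfe list` at a command prompt gives the same hotfix listing as step 1.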

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.

  • danwat1234
    Wow, I'm kind of surprised Microsoft folded on this. Maybe they'll continue to patch dangerous exploits for some time? At any rate, maybe the patches going to the UK government and other entities that are paying for the patches might be leaked for all to use.
    Reply
  • bmwman91
    Kudos to Microsoft for this. I can probably stall on updating my parents' computers to 8.1 for a few more weeks lol.
    Reply
  • WithoutWeakness
    Because the patch is for IE and is likely a fix that works for all versions of IE that were affected I would guess that it was trivial for Microsoft to issue the patch to XP systems. Once they resolved it for newer versions they may have realized the same fix can be applied to the XP systems and pushed it out to them as well. If that's the case then it may not have been a whole lot more work to include XP and it's great for PR given how quickly this major bug was found right after XP support had ended.
    Reply
  • canadianvice
    Why does MS continue to fold? I wanted to see this stay as a threat for XP users!
    Reply
  • Chris Droste
    I think MS caved and pushed this to XP users because not only are there several major entities privately paying MS to support XP, but such a significant user base still uses the OS with no plans to move away that it would be irresponsible of them to NOT patch that last 20% of the world's Windows users, and it could generate an irreparable rift of dangerous zombie soldiers which any hacker for the foreseeable future could, in theory, mobilize to bring down hardened targets on the net.
    Reply
  • bmwman91
    No doubt, patching this for XP was the "right" thing to do. As much as I am sure that MS wants people to buy licenses for their newer OS'es, they made a smart move by fixing a major hole for a platform that they said they were finished with. As Withoutweakness said, it probably wasn't all that much work anyway since making a patch to IE in one OS is probably not too much different than doing it for another, older relative OS.
    Reply
  • knowom
    Why does MS continue to fold? I wanted to see this stay as a threat for XP users!
    You're right, it should have stayed a threat to all Windows users since it was a vulnerability with IE, not the OS itself.
    Reply
  • knowom
    0 problems with XP since April 8th so far; thank you, Mozilla, for your commitment to web browser security. IE doesn't discriminate; no place is secure, it hates all OSes equally.
    Reply
  • falchard
    Security Flaw -> US Gov backdoor.
    Reply
  • JOSHSKORN
    They should've extended Windows XP support at least until they get Windows 8.1 Update 2 out the door. After all, the whole hold-up is the lack of a Start Button. Adding a half-assed version of the Start Button with Windows 8.1 doesn't cut the mustard with most people, particularly when all it does is attempt to promote the Metro screen.
    Reply