Microsoft rushed out an emergency security fix for Internet Explorer, to fix a flaw which hackers had already exploited – although the tech giant said the actual number of attacks using the bug, which affected IE versions 6 to 11 was “very small”. The big surprise for many, though, was that the patch also updated Windows XP – which officially “retired” on April 8.
Describing this as an “unexpected move”, Network World said that Microsoft had “long held” that the dozen-year-old operating system would receive no more security updates after April 8.
The flaw received large amounts of media coverage as it was the first major bug to affect Windows XP – although ESET’s Stephen Cobb pointed out that the flaw – which could allow an attacker to assume complete control over a machine – affected Internet Explorer Versions 6 to 11 on all versions of Windows.
ESET’s Aryeh Goretsky said, “While it is somewhat unprecedented that Microsoft would release a patch for a product they no longer support, it is not surprising in this circumstance, given the severity of the CVE-2014-1776 vulnerability, the fact that it was being exploited in the wild and that it was detected just as Windows XP entered retirement helps to explain Microsoft’s reasoning.”
“Out of band patches from Microsoft are rare and only issued in the most severe circumstances. Given, that, I strongly recommend sysadmins test and apply the patch as soon as possible on the computers they manage.”
In a blog post, Microsoft wrote that the extensive negative coverage had been “tough” and said, “This means that when we saw the first reports about this vulnerability we said fix it, fix it fast, and fix it for all our customers. So we did. The update that does this goes live today at 10 a.m. PDT.”
“If you are like most people, you have automatic updates turned on, and you’ll get this new update without having to do anything. If you haven’t turned on automatic updates yet, you should do so now. Click the “Check for Updates” button on the Windows Update portion of your Control Panel to get this going.”
Microsoft pointed out that there had been a “very small” number of attacks based on the bug, and that concerns about it were “overblown.”
Regarding the unexpected Internet Explore fix for XP machines, the tech giant hinted that this was a one-off, saying, “ We made this exception based on the proximity to the end of support for Windows XP. “
Trusted Reviews pointed out that in terms of sheer numbers, patching XP machines still made sense. The site wrote, “Perhaps most staggering of all is that XP still makes up 26 per cent of installed operating systems. Windows 8.1, in contrast, has just 5 per cent market share. That, is perhaps one of the other reasons that Microsoft has decided to apply the Internet Explorer fix to the older operating system.
The flaw was considered serious enough that the U.S. Department of Homeland Security issued warnings regarding it. Regarding the patch, the U.S. Computer Emergency Response Team (US-CERT) wrote, “Microsoft has released out-of-band updates to address a critical use-after-free vulnerability in Internet Explorer versions 6 through 11, including IE versions running on Windows XP. US-CERT recommends that users and administrators review Microsoft Security Bulletin MS14-021 and apply the necessary updates as soon as possible.”
Author Rob Waugh, We Live Security