bit-tech.net

New Microsoft IE zero-day won't be patched on XP

The latest zero-day vulnerability in Internet Explorer, currently under active attack, won't be patched for Windows XP users - the first serious flaw to land after the OS went EOL.

Microsoft has warned of a zero-day vulnerability in all versions of its Internet Explorer web browser, and this one marks a milestone for users who don't like to upgrade: it's the first which will not be patched on the now end-of-life Windows XP operating system.

The OS that wouldn't die, Windows XP had its EOL deadline extended more times than any other Microsoft product. Its heavy deployment in enterprise and home scenarios meant that the company was forced to continue to support it long after it had planned an enforced retirement, extended still further following the relatively poor launches of Windows Vista and Windows 8. The company finally offered a deadline this year: the 8th of April, after which no more security or bug-fix patches would be available for the OS or its bundled software.

Although well-heeled corporate types can spend a few million on a bespoke support contract to continue to receive security updates - something in which the UK government has already 'invested,' much to the dismay of those who believe upgrading earlier or side-grading to a rival operating system would have been more cost-effective - home users and smaller businesses are now officially out in the cold. That's good news for attackers, and with the news of the first major zero-day vulnerability in XP that will not be patched, those who still use the operating system are advised to be on their guard.

The vulnerability extends across Internet Explorer versions 6 through to 11, and allows for remote code execution - the most serious type of security flaw. Microsoft has confirmed that the vulnerability is under active attack, although it claims these attacks are 'limited [and] targeted' in nature. While a patch is in the works for all supported versions of the browser, the copy bundled with Windows XP won't receive an update - leaving those users completely unprotected against the attack.

Those who, for whatever reason, cannot upgrade from Windows XP are advised to switch to a third-party browser and to consider installing the Windows XP version of the Enhanced Mitigation Experience Toolkit (EMET), which can protect against the flaw. Those on more modern operating systems can simply wait for a patch to be released, although the use of a third-party browser is advised in the meantime.

37 Comments

Corky42 28th April 2014, 12:13 Quote
Microsoft seems more concerned with getting people to upgrade than security, what with KB2952664 being released out of cycle, and zero-day vulnerabilities going unpatched for another three weeks.
Zider 28th April 2014, 12:49 Quote
Quote:
Originally Posted by Corky42
Microsoft seems more concerned with getting people to upgrade than security, what with KB2952664 being released out of cycle, and zero-day vulnerabilities going unpatched for another three weeks.

Maybe they don't have a working fix for the other issues yet? It's not always a simple one line of code.
SMIFFYDUDE 28th April 2014, 12:56 Quote
To be fair people have had 7 frickin years to avoid this so they only have themselves to blame if they're still on XP and using IE.
TreeDude 28th April 2014, 15:55 Quote
What about server 2003?
Harlequin 28th April 2014, 16:35 Quote
Quote:
Originally Posted by TreeDude
What about server 2003?

EOL is 14/07/2015 - but why still using it?
loftie 28th April 2014, 16:58 Quote
I don't know why, but I assumed that since some parties were paying MS to still patch XP, that any critical updates would still be released to everyone. Obviously not.
Corky42 28th April 2014, 17:10 Quote
We may see a black market open up selling patches for XP that have come via a paid-for extended support contract. Not that I would trust any patches coming from an unknown source; you may as well just install malware or keyloggers yourself and be done with it.
Cthippo 28th April 2014, 18:44 Quote
I suspect (and honestly hope) this is going to blow up in Microsoft's face.

I foresee lots of news articles about new security problems they're not patching on XP and stories about bad things happening to people who have XP machines. Fair or not, the narrative of "big mean company screws users to try to make more money" is a powerful one, and will probably sell copy.
RichCreedy 28th April 2014, 20:50 Quote
When I come across customers with WinXP I advise they upgrade to a newer version, be it Win 7 or Win 8, and I warn them that if they stay with XP, they are on their own if some security issue pops up.
Nexxo 28th April 2014, 20:57 Quote
Quote:
Originally Posted by Cthippo
I suspect (and honestly hope) this is going to blow up in Microsoft's face.

I foresee lots of news articles about new security problems they're not patching on XP and stories about bad things happening to people who have XP machines. Fair or not, the narrative of "big mean company screws users to try to make more money" is a powerful one, and will probably sell copy.

Yeah, it's a bit like people getting pinned like a butterfly on the steering wheel columns of their 1950s Cadillac Eldorados in a frontal collision. Then again, perhaps they should just either accept the safety limitations of an old car (no matter how classic), or buy a modern, safer one.

Windows XP is obsolete. I'm sorry for your loss; now move on.
Woodspoon 28th April 2014, 23:12 Quote
It's not like people haven't been given enough time and cheap opportunities to change, there really isn't much of a good excuse for still having XP.
mi1ez 28th April 2014, 23:18 Quote
Quote:
Originally Posted by Nexxo
Quote:
Originally Posted by Cthippo
I suspect (and honestly hope) this is going to blow up in Microsoft's face.

I foresee lots of news articles about new security problems they're not patching on XP and stories about bad things happening to people who have XP machines. Fair or not, the narrative of "big mean company screws users to try to make more money" is a powerful one, and will probably sell copy.

Yeah, it's a bit like people getting pinned like a butterfly on the steering wheel columns of their 1950s Cadillac Eldorados in a frontal collision. Then again, perhaps they should just either accept the safety limitations of an old car (no matter how classic), or buy a modern, safer one.

Windows XP is obsolete. I'm sorry for your loss; now move on.

I like your analogy.
Star*Dagger 29th April 2014, 03:53 Quote
If you are using XP you are part of the problem that is holding PCs and humanity back.

Feel bad, then go get a halfway decent OS!!!
TheBitterNoob 29th April 2014, 12:27 Quote
Oh well, at least the two computers here that are staying on XP never handled anything important.....
stuartwood89 29th April 2014, 19:38 Quote
Not sure how ceasing support for an OS that has been extended several times is a money making tactic to be totally honest. People need to move with the times, it's as simple as that. Or are we going to start calling MS tight-fisted for no longer supporting Win98 too?
dancingbear84 29th April 2014, 19:53 Quote
Wait. People still use IE? Or XP? Everyone I know, including grandparents, is on Vista or higher. The only Vista machine is a DVR, so meh on that one.
All my stuff is now win 7 or linux.

Sent from my GT-I9505 using Tapatalk
impar 29th April 2014, 20:40 Quote
Greetings!
Quote:
Originally Posted by dancingbear84
Wait. People still use IE?
Come on, the latest one is pretty decent. Better than Chrome, still behind Firefox.
dancingbear84 29th April 2014, 21:38 Quote
I use Chrome at work and at home on most machines. Firefox on the Linux stuff. IE is just a horrible monstrosity in my opinion. I've used it but I don't like it. It comes a long way down my list of choices when opening a browser.
IE is used by my grandparents and my dad. I think that is all.

That said, yes I agree it has got better.

Sent from my GT-I9505 using Tapatalk
RichCreedy 29th April 2014, 22:28 Quote
Quote:
Originally Posted by dancingbear84
I use Chrome at work and at home on most machines. Firefox on the Linux stuff. IE is just a horrible monstrosity in my opinion. I've used it but I don't like it. It comes a long way down my list of choices when opening a browser.
IE is used by my grandparents and my dad. I think that is all.

That said, yes I agree it has got better.

Sent from my GT-I9505 using Tapatalk

I'm the opposite. I prefer IE, don't like Chrome or Firefox. It's all down to personal taste; all browsers have their own security issues, so no one browser is any more secure than the others. Yes, they may have different flaws, but they have them all the same. Oh, and did you notice it is to do with Flash Player? Now there is a surprise.

Don't take my word for it, Secunia do their own checks. Market share is more than likely because people have more than one browser.
Teelzebub 29th April 2014, 23:18 Quote
I mainly use IE, there's nothing wrong with it IMO. I also use Chrome, probably not as much.
Cthippo 30th April 2014, 08:08 Quote
Speaking of MS patches, what the hell is this crap?

So I've got a notification about a new patch that MS wants me to install, rated as "important". OK, so what does it do? All the Windows update says is
Quote:
Update for Windows 7 for x64-based Systems (KB2952664)

Download size: 2.4 MB

You may need to restart your computer for this update to take effect.

Update type: Recommended

Install this update to resolve issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article for more information. After you install this item, you may have to restart your computer.

More information:
http://support.microsoft.com/kb/2952664

Err, OK, that's unhelpful. So I go look at the Knowledge Base article, which is about three pages long, but the only descriptive element is this one:

Quote:
This update helps Microsoft make improvements to the current operating system in order to ease the upgrade experience to the latest version of Windows.

So what the hell does THAT mean? Does this update change my computer to make it easier to install Win8 at some point? How is this helpful and why should I agree to it?
Nexxo 30th April 2014, 08:32 Quote
Last time my car was serviced by the dealership, they reflashed the Engine Management Unit. I still don't know why or what difference it made. But you know, maintenance and updates. I doubt that most people know what the difference is between iOS 7.1.1 and the latest iOS 7.1.2. iPhone says update, so they do.

You don't have to install this update. You can just assume that Microsoft sends them out especially to annoy users who want to keep running XP. :p
Corky42 30th April 2014, 08:57 Quote
Quote:
Originally Posted by Cthippo
So what the hell does THAT mean? Does this update change my computer to make it easier to install Win8 at some point? How is this helpful and why should I agree to it?

That is exactly what it is. It was released out of cycle to fix problems that prevented people from upgrading to Windows 8.1.

EDIT: @Nexxo, if your car was a Lamborghini Veneno or a Bugatti Veyron, would you care about them re-flashing the Engine Management Unit then?
Nexxo 30th April 2014, 09:19 Quote
No; if it is done by the Lamborghini or Bugatti dealership, why should I?
Corky42 30th April 2014, 09:27 Quote
That's a lot of trust you have placed in someone not to screw up your multimillion pound car then; some people are not so trusting. Especially when the Lamborghini or Bugatti dealerships have a history of breaking everyone's cars so often.
Nexxo 30th April 2014, 10:34 Quote
Guess I must be naïve to think that a Lamborghini- or Bugatti-trained car mechanic knows more about their cars than I do. :p
Corky42 30th April 2014, 10:53 Quote
Well, you were the one that drew a comparison between Microsoft and your car's dealership. B)
Nexxo 30th April 2014, 13:40 Quote
Yup, and the principle stands: Microsoft's coders know more about the Windows OS than I do, so if they release an update, I trust there to be a good reason for it and install it.
Corky42 30th April 2014, 14:04 Quote
They may know more than you do, but that doesn't mean they get it right.

Using your car analogy, if your car dealership/manufacturer had a reputation for botched ECU updates that left customers' cars undriveable or halved the MPG, would you pay more attention to what maintenance and updates the dealership does? Or would you be happy to play the update lottery?
Nexxo 30th April 2014, 16:43 Quote
Why, I'd take it to another dealership or buy a different car. But seeing as Windows is still the dominant OS for PCs in enterprise and home use, I guess Microsoft must be getting it mostly right.

Them knowing more than me means that they are more likely to get it right than me. At some point you have to trust the product and its manufacturer, or just get another product... If you think you can trust that manufacturer more, that is.
Corky42 30th April 2014, 17:32 Quote
Ford got it mostly right with the Model-T when it was the dominant car in the market :D
Nexxo 30th April 2014, 19:08 Quote
Compared to other cars on the market in 1908, indeed it did.
Gareth Halfacree 1st May 2014, 19:21 Quote
Remember how Windows XP wasn't going to be patched because it was finally, officially EOL? Yeah, Microsoft just changed its mind. It really is the OS that just won't die!
dancingbear84 1st May 2014, 20:57 Quote
That sets the precedent then...

Sent from my GT-I9505 using Tapatalk
Cthippo 1st May 2014, 23:31 Quote
XP still has something like 28% market share.

Most companies would kill for a 28% market share, but MS feels comfortable with potentially alienating that many paying customers.
Nexxo 1st May 2014, 23:34 Quote
Because it can afford to.
Unicorn 1st May 2014, 23:41 Quote
Quote:
Originally Posted by impar
Greetings!

Come on, the latest one is pretty decent. Better than Chrome, still behind Firefox.

I'm going to have to disagree with you there - as far as I'm concerned, it goes FF > Chrome > IE11 > all others. IE11 still uses a separate process for each tab and uses more memory per tab than FF or Chrome when running.

My last remaining XP box got the patch earlier this week. Why am I still running a machine with XP on it? Partially sentimentality, partially laziness. I shut them all down on the 7th and upgraded all but this one to W7. I had a W7 license for it as well, but it's a folding box, never used for anything else, and now on its own VLAN where it can't get at the rest of my network. It can run XP until the end of time and shouldn't cause any problems.