New Microsoft IE zero-day won't be patched on XP

April 28, 2014 // 10:45 a.m.

Tags: #emet #eol #flaw #insecurity #internet-explorer #microsoft #security #vulnerability #windows-xp #zero-day

Microsoft has warned of a zero-day vulnerability in all versions of its Internet Explorer web browser, and this one marks a milestone for users who don't like to upgrade: it's the first which will not be patched on the now end-of-life Windows XP operating system.

The OS that wouldn't die, Windows XP had its EOL deadline extended more times than any other Microsoft product. Its heavy deployment in enterprise and home scenarios meant that the company was forced to continue to support it long after it had planned an enforced retirement, extended still further following the relatively poor launches of Windows Vista and Windows 8. The company finally offered a deadline this year: the 8th of April, after which no more security or bug-fix patches would be available for the OS or its bundled software.

Although well-heeled corporate types can spend a few million on a bespoke support contract to continue to receive security updates - something in which the UK government has already 'invested,' much to the dismay of those who believe upgrading earlier or side-grading to a rival operating system would have been more cost-effective - home users and smaller businesses are now officially out in the cold. That's good news for attackers, and with the news of the first major zero-day vulnerability in XP that will not be patched those who still use the operating system are advised to be on their guard.

The vulnerability extends across Internet Explorer versions 6 through to 11, and allows for remote code execution - the most serious type of security flaw. Microsoft has confirmed that the vulnerability is under active attack, although claims these are 'limited [and] targeted' in nature. While a patch is in the works for all supported versions of the browser, the copy bundled with Windows XP won't receive an update - leaving users completely unprotected against the attack.

Those who, for whatever reason, cannot upgrade from Windows XP are advised to switch to a third-party browser and to consider installing the Windows XP version of the Enhanced Mitigation Experience Toolkit (EMET), which can protect against the flaw. Those on more modern operating systems can simply wait for a patch to be released, although the use of a third-party browser is advised in the meantime.

WEEK IN REVIEW

TOP STORIES

SUGGESTED FOR YOU