Microsoft has released an out-of-band emergency patch for a critical security hole in its Internet Explorer web browser, and in doing so set an awkward precedent by releasing it for the officially end-of-life Windows XP operating system.
The zero-day exploit in Internet Explorer was one of the most serious bugs to hit Microsoft's software in recent times. Announced late last month
, the flaw allowed attackers to run arbitrary code whenever the browser hit a malicious site. Microsoft admitted that the vulnerability was the focus of targeted attacks, and pledged to investigate and patch the hole as quickly as possible for most users.
That latter proviso comes due to the status of Windows XP, which after an unusually lengthy support period - extended several times past its original schedule thanks to poor corporate adoption of its successors - entered End Of Life (EOL) status on the 8th of April. The Internet Explorer flaw, then, represented the first serious security vulnerability that would not be patched in Windows XP - at least, unless you're one of the company's well-heeled enterprise customers paying a considerable fee for an extended support contract.
With just shy of 30 per cent of web users still running XP, that left a considerable chunk of targets vulnerable to attack. Interestingly, Microsoft has chosen to protect said users with an out-of-band patch for the operating system - despite warning time and again that there would be no more updates for non-paying customers after the 8th of April.
'We have made the decision to issue a security update for Windows XP users,
' admitted Microsoft's Dustin Childs in a brief announcement on the matter. 'Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.
While Microsoft continues to attempt to push XP users into upgrading, the release of the patch following the platform's official EOL date sends an extremely mixed message - although it's hard to see something which protects a big chunk of the internet's users from attack as a negative. It does mean, however, that all eyes will be on Microsoft the next time a critical flaw covering Windows XP is found, to see if it decides to make yet another one-off exception for the OS that just won't die.