Microsoft Didn't Blink when Offering XP Support in IE Patch
Did Microsoft blink? That's the first reaction one might have had upon learning of the company's decision to include Windows XP in repairing one of the most prominent zero-day vulnerabilities in Internet Explorer in recent memory.
Microsoft could have stuck to its guns by saying it's no longer patching Windows XP and customers are on their own to either upgrade to a newer operating system or seek costlier assistance. The company had long stated that it would stop issuing patches and updates to Windows XP on April 8. But the fact that this vulnerability -- revealed earlier this week by security firm FireEye -- is so significant, and that some attackers have already exploited it against companies in the financial services industry, necessitated a swift decision by Microsoft.
This vulnerability affected all versions of Internet Explorer running on all releases of Windows, including those running on embedded systems, except for users who configured their browsers in protection mode. The flaw enabled attackers to take advantage of a memory corruption vulnerability in the browser. The attacks aimed to deliver a "newer version of the years-old Pirpi RAT to compromised, victim systems by taking control of their browsers, and in turn, their systems and networks," said Kurt Baumgartner, a researcher at Kaspersky Lab, in a blog post.
While Adrienne Hall, general manager of Microsoft's Trustworthy Computing group, said in a blog post that the flaw resulted in a limited number of attacks and fears were overblown, Baumgartner suggested the threat of wider attacks was real. "Once the update and code is analyzed, it can easily be delivered into waiting mass exploitation cybercrime networks," Baumgartner warned. "Run Windows Update if you are using a Windows system, and cheers to Microsoft response for delivering this patch to their massive user base quickly."
Indeed, Microsoft acted quickly and decisively, but Hall warned that Windows XP users shouldn't be lulled into complacency by yesterday's release of a patch for Internet Explorer running on Windows XP. "Just because this update is out now doesn't mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer," she warned. "Our modern operating systems provide more safety and security than ever before."
Posted by Jeffrey Schwartz on 05/02/2014 at 12:17 PM