Microsoft has released an out-of-band patch to address a serious IE zero-day vulnerability. Surprisingly, the fix will also correct the problem on the now-unsupported Windows XP platform.
Last week, in Security Advisory 2963983, Microsoft said the Internet Explorer (IE) zero-day, CVE-2014-1776, was being used in limited, targeted attacks. Researchers at security vendor FireEye Inc., who first notified Microsoft of the use-after-free memory vulnerability, noted in a blog post last week that the initial attacks spotted in the wild had targeted only Internet Explorer versions 9, 10 and 11, but the Milpitas, Calif.-based vendor said today that it had discovered a new exploit targeting out-of-life Windows XP systems running IE 8.
"We have also observed that multiple new threat actors are now using the exploit in attacks and have expanded the industries they are targeting," said FireEye threat researchers Dan Caselden and Xiaobo Chen. "In addition to previously observed attacks against the defense and financial sectors, organizations in the government and energy sectors are now also facing attack."
The severity of the vulnerability and its active exploitation forced Microsoft to act outside its normal monthly Patch Tuesday cycle. The flaw can be exploited remotely, typically by luring a user to a crafted web page, and a successful exploit gives the attacker the same user rights as the currently logged-on user, so users browsing with administrator rights hand over full control of the machine. Microsoft also skipped its usual interim step of shipping a temporary "Fix it" workaround and went straight to a permanent update.
"The security of our products is something we take incredibly seriously, so the news coverage of the last few days about a vulnerability in Internet Explorer has been tough for our customers and for us," said Adrienne Hall, general manager for Microsoft Trustworthy Computing, in a blog post. "This means that when we saw the first reports about this vulnerability we said, 'Fix it. Fix it fast, and fix it for all our customers.' So we did."
Underscoring the severity of the flaw, the United States Computer Emergency Readiness Team (US-CERT) took the extraordinary step Monday of advising IE users to switch to an alternative browser until Microsoft delivered a patch for the issue.
Microsoft had noted that the IE flaw could be mitigated through a number of actions, including unregistering VGX.dll, the library that renders Vector Markup Language (VML) content on web pages and was used by the in-the-wild exploit, or running version 4.1 or 5.0 of the company's Enhanced Mitigation Experience Toolkit (EMET). Today's permanent fix from the Redmond, Wash.-based software giant covers all IE users, including those running unsupported versions of the browser and of Windows.
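For administrators who applied the VGX.dll workaround before the patch landed, the script below shows how to apply it, confirm it took effect, and undo it once MS14-021 is installed. It is an added example written for this page, not Microsoft's own tooling; the advisory's workaround is the plain regsvr32 -u command, and the registry check and the 64-bit handling are this example's additions. It assumes an elevated PowerShell prompt and the default VGX install path.

```powershell
# Added example (not from Microsoft): toggle the CVE-2014-1776 VGX.dll workaround
# and verify it. The advisory's workaround is regsvr32 -u on vgx.dll; on 64-bit
# Windows both the native and the WOW64 copies of the DLL are registered, so
# both must be unregistered. Run from an elevated PowerShell prompt.

function Get-VgxDllPaths {
    # Returns the vgx.dll copies present on this machine (1 on x86, up to 2 on x64).
    $paths = @(Join-Path $env:CommonProgramFiles 'Microsoft Shared\VGX\vgx.dll')
    if (${env:CommonProgramFiles(x86)}) {
        $paths += Join-Path ${env:CommonProgramFiles(x86)} 'Microsoft Shared\VGX\vgx.dll'
    }
    return $paths | Where-Object { Test-Path $_ }
}

function Get-VgxComRegistrations {
    # Lists CLSIDs whose in-process COM server is still vgx.dll. An empty result
    # means VML is no longer reachable through COM, which is what the workaround
    # aims for; a non-empty result after unregistering means it did not take.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -like '*vgx.dll*') { $_.PSChildName }
        }
}

function Set-VgxRegistration {
    # Unregister (workaround) or Register (undo after patching) every vgx.dll copy.
    # Returns the non-zero regsvr32 exit codes, so an empty result means success.
    param([Parameter(Mandatory)][ValidateSet('Unregister', 'Register')][string]$Action)

    $failures = @()
    foreach ($dll in Get-VgxDllPaths) {
        # Use the regsvr32 that matches the DLL bitness: the (x86) copy needs SysWOW64.
        $regsvr = if ($dll -like '*Program Files (x86)*') {
            Join-Path $env:SystemRoot 'SysWOW64\regsvr32.exe'
        } else {
            Join-Path $env:SystemRoot 'System32\regsvr32.exe'
        }
        $argList = @('/s')                       # silent: no dialog, rely on exit code
        if ($Action -eq 'Unregister') { $argList += '-u' }
        $argList += "`"$dll`""
        $p = Start-Process -FilePath $regsvr -ArgumentList $argList -Wait -PassThru
        if ($p.ExitCode -ne 0) { $failures += "$dll exit $($p.ExitCode)" }
    }
    return $failures
}

# Apply the workaround and confirm nothing still resolves to vgx.dll.
$errors = Set-VgxRegistration -Action Unregister
if ($errors) { Write-Warning ("regsvr32 failed: " + ($errors -join '; ')) }
$left = @(Get-VgxComRegistrations)
if ($left.Count -eq 0) { "VGX workaround in place" } else { "Still registered: $($left -join ', ')" }

# After MS14-021 is installed, restore VML rendering:
# Set-VgxRegistration -Action Register
```

Two caveats a practitioner should expect: while VGX.dll is unregistered, any site that depends on VML will not render that content, and the workaround only removes one attack surface used by the known exploit rather than fixing the underlying use-after-free, so it is a stopgap until the out-of-band update is applied and the DLL is re-registered.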
"For those manually updating, we strongly encourage you to apply this update as quickly as possible following the directions in the released security bulletin," said Dustin Childs, group manager for Microsoft Trustworthy Computing, in a blog post.
Microsoft spent years warning XP users to move to a more modern platform or risk losing security support, so its decision to extend the out-of-band patch to XP will come as a surprise to many in the security industry.
"Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1," Childs said. "Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11."
Hall said the company chose to include an XP fix because of the "proximity to the end of support" date for XP, which ended on April 8, but she did not say whether Microsoft will ship further security patches for XP in the near future.
"Just because this update is out now doesn't mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer," Hall said.