Microsoft rushes to fix Windows XP due to Internet Explorer bugs


by CBR Staff Writer | 02 May 2014

Patch follows end of support for XP in early April.

Microsoft has released updates for the Windows XP operating system to fix the bugs in its Internet Explorer browser, amid fears that the company would not provide any fixes for the 13-year-old OS after support ended on April 8.

Microsoft Trustworthy Computing's Dustin Childs said, "We have made the decision to issue a security update for Windows XP users.

"Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11."

XP users who have switched on automatic updates do not need to take any action, but others should turn the feature on and click 'Check for updates' in the Windows Update section of Control Panel.

Microsoft Trustworthy Computing general manager Adrienne Hall said even though Windows XP is no longer supported and it is beyond the time Microsoft would normally provide security updates, the firm has decided to patch all versions of the OS, including embedded.

"We made this exception based on the proximity to the end of support for Windows XP," Hall added.

Last week, security firm FireEye Research Labs identified a zero-day exploit for Internet Explorer, which it claimed was used in targeted attacks.

According to the security firm, the vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11.

The exploit is claimed to bypass both ASLR and DEP, and the researchers believe that hackers are exploiting the vulnerability in an ongoing campaign under "Operation Clandestine Fox".

Following the news, the US government issued a warning advising Microsoft users to avoid using the browser until security vulnerabilities are fixed.

The Computer Emergency Readiness Team (CERT) of the US Department of Homeland Security said IE contains a use-after-free vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

It has recommended that users and administrators review Microsoft Security Advisory (2963983) to fix the bugs, while users who cannot fix the bugs should switch to other browsers.

Microsoft, however, said the concerns regarding the vulnerability are overblown.

Hall said: "The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don't take these reports seriously."
