Critical zero-day endangers all versions of Internet Explorer -- and XP isn't getting a fix

It didn't take long for all the barking about the death of Windows XP to gain some teeth.

Hackers have uncovered the first bug that could put Windows XP users at serious risk, after Microsoft ceased support for the aging operating system less than three weeks ago.

On Saturday, Microsoft announced that Internet Explorer versions 6 through 11 were at risk for so-called drive-by attacks from malicious websites. Windows XP is capable of running Internet Explorer 6, 7, and 8.

This new remote code execution vulnerability, dubbed CVE-2014-1776, has the potential to give hackers the same user rights as the current user. That means a successful attacker who infects a PC running as administrator would have a wide variety of attacks open to them, such as installing more malware on the system, creating new user accounts, and changing or deleting data stored on the target PC. Most Windows users run their PCs under an administrator account.

These attacks aren't theoretical, either--security firm FireEye discovered these attacks being actively used in the wild. For these attacks to work, however, a user would have to visit a malicious website attempting to install the code. Microsoft says attacks could also come from "websites that accept or host user-provided content or advertisements" where an attacker could insert malicious code.

Microsoft has yet to decide whether it will issue an emergency patch in the coming days or wait for Patch Tuesday on May 13 to repair supported versions of IE.

XP in the cold

Whenever Microsoft issues the patch, a significant portion of Windows PC users won't be receiving the security update. Microsoft officially ended support for Windows XP on April 8, and the aging OS will no longer receive security updates as a result. So unless Microsoft does an about-face, this appears to be the first post-support vulnerability where XP users are left to fend for themselves. Many more are sure to follow.

At last count, Windows XP accounted for nearly 28 percent of all online PCs worldwide. That's more than Windows 8, 8.1, Vista, OS X 10.9, and Linux users combined, according to the latest numbers from Net MarketShare.

Luckily, Windows XP users can easily mitigate this vulnerability by simply using any Web browser but Internet Explorer. For longtime IE users on XP, turning to Google Chrome or Mozilla Firefox would be your best bet, both immediately and going forward.

Google has promised to support the XP version of Google Chrome until April 2015, while Mozilla has yet to announce a Firefox end-of-support date for XP. Should a vulnerability hit either of those browsers on XP, it will be patched, unlike IE.

For those who absolutely must use IE, Microsoft advises downloading and installing the Enhanced Mitigation Experience Toolkit (EMET) 4.1. This utility helps to protect against malware and is available for Windows XP PCs with Service Pack 3 installed.

You can also run IE in a more secure mode by going to Internet Options > Security and setting the slider to High.

Microsoft's Saturday alert may be the first example of a serious exploit already in the wild that will put Windows XP users permanently at risk. It won't, however, be the last, security experts say. In March, security firm Avast said that Windows XP was already under attack six times more often than Windows 7--and that was before the OS went end-of-life.


Stories by Ian Paul
