Emergency patch for critical IE 0-day throws lifeline to XP laggards, too

[InfoSec News <alerts () infosecnews org>]

http://arstechnica.com/security/2014/05/emergency-patch-for-critical-ie-0day-throws-lifeline-to-xp-laggards-too/

By Dan Goodin
Ars Technica
May 1, 2014

Microsoft has released an emergency update for all recent Windows 
operating systems—including the recently decommissioned XP—fixing a 
critical security bug that is currently being exploited in real-world 
attacks.

The decision to patch XP underscores the potential seriousness of the 
vulnerability. Since it resides in versions 6 through 11 of Internet 
Explorer, the remote code-execution hole leaves an estimated 26 percent of 
Internet browsers susceptible to attacks that can surreptitiously install 
hacker-controlled backdoors when users visit a booby-trapped website. By 
some measures, 28 percent of the Web-using public continues to use the 
aging OS, which lacks crucial safety protections built into Windows 7 and 
8.1.

Thursday's release demonstrates the razor-thin tightrope Microsoft walks 
as it tries to wean users off a platform it acknowledges is no longer safe 
against modern hacks. While the XP fix may deprive some laggards of the 
incentive to upgrade, Microsoft also has a responsibility to prevent 
exploits that could turn large numbers of the Internet population into 
compromised platforms that attack others.


Attacks grow by “multiple, new threat actors”

The Microsoft patch comes as the in-the-wild attacks exploiting the 
vulnerability have expanded to include XP users running IE 8, researchers 
from security firm FireEye reported Thursday. Previously, the IE attacks 
FireEye observed targeted only versions 9, 10, and 11 running on Windows 7 
and 8.

[...]

--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/