Microsoft sticks to vow, leaves XP exposed to ongoing attacks

Refuses to patch Internet Explorer bug that hackers are already exploiting

Hackers are exploiting an Internet Explorer (IE) vulnerability that Microsoft left unpatched in Windows XP when it issued fixes on Tuesday, Microsoft and outside security experts said.

The bug, identified as CVE-2014-1815, was one of two Microsoft patched with a critical update issued Tuesday for IE6, IE7, IE8, IE9, IE10 and IE11. In the accompanying security bulletin, Microsoft noted that the vulnerability had been both known to hackers and used by them prior to yesterday's update.

"Microsoft is aware of limited attacks that attempt to exploit this vulnerability in Internet Explorer," the bulletin stated.

But because Windows XP exhausted its support privileges last month, users running the aged operating system did not receive the IE security update, unlike owners of Windows Vista, Windows 7 and Windows 8 PCs.

Also on Tuesday, Microsoft reasserted that it has patched its last Windows XP bug. In the strongest signal yet that it will stick with its plan -- and that a May 1 emergency patch for IE on XP had been a one-time deal -- a company spokesman said, "The Windows XP end of support policy still remains in place moving forward."

Originally, Windows XP was bundled with IE6, but over the years users have upgraded to IE7 and then IE8, the five-year-old browser that is the newest from Microsoft able to run on XP. If XP were still supported, XP PCs would certainly have received the update.

"This is the first advisory that clearly would have applied to Windows XP," said Ross Barrett, senior manager of security engineering at Rapid7, in an email yesterday. "IE6, IE7 and IE8 are vulnerable on Windows [Server] 2003; this would historically have mapped to the same scope of XP patches, but not this time."

As Barrett noted, Microsoft's security bulletin listed Windows Server 2003 as affected by the vulnerability. The server software was patched Tuesday because its support lifespan runs until July 14, 2015.

CVE-2014-1815 is a classic "drive-by" vulnerability that can be triggered simply by duping IE users into visiting a malicious or compromised website. As soon as an unpatched Internet Explorer reaches such a site, the exploit leaps into action, immediately hijacking the PC and sticking malware on the hard drive.

Because IE6, IE7 and IE8 on Windows XP will not be patched, users will remain vulnerable to these sneaky attacks in perpetuity.

Most security professionals have urged people stuck on XP to switch to another browser, one that still receives updates: Google's Chrome, Mozilla's Firefox and Opera Software's Opera all fit that bill. According to research conducted by Computerworld, XP users can dramatically lower their risk by dumping IE.

Other vulnerabilities patched by Microsoft yesterday were also left unfixed in Windows XP. "We can assume that any vulnerability that [was] for Windows Server 2003 is applicable to XP as well. For this month, that means at least: MS12-029 (IE), MS12-024 (ASLR), and MS12-025 (Group Profile)," said Wolfgang Kandek, chief technology officer at Qualys, in an email.

Together, those three security updates patched four vulnerabilities out of the month's total of 13.

For people who cannot give up IE, Microsoft provided workarounds it said would help ward off attacks, including those aimed at the browser when it's running on Windows XP. However, the workarounds have negative side effects that may make some websites unusable, Microsoft warned. The security bulletin MS14-029 includes those workaround instructions.

Another stop-gap users can deploy is the Enhanced Mitigation Experience Toolkit (EMET), a free anti-exploit utility that works on Windows XP. EMET 4.1 can be downloaded from Microsoft's website.

CVE-2014-1815 was reported to Microsoft by Clement Lecigne, a security engineer who works for Google in its Swiss office.

Lecigne made news three months ago when he was awarded $10,000 by the Internet Bug Bounty (IBB), a new program funded by Facebook and Microsoft. IBB cut Lecigne the check for finding a critical vulnerability in Adobe's Flash Player. Lecigne donated the $10,000 to the Hackers for Charity non-profit.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.