Update comes as in-the-wild attacks get meaner, target XP for first time.

Microsoft has released an emergency update for all recent Windows operating systems—including the recently decommissioned XP—fixing a critical security bug that is currently being exploited in real-world attacks.

The decision to patch XP underscores the potential seriousness of the vulnerability. Since it resides in versions 6 through 11 of Internet Explorer, the remote code-execution hole leaves an estimated 26 percent of Internet browsers susceptible to attacks that can surreptitiously install hacker-controlled backdoors when users visit a booby-trapped website. By some measures, 28 percent of the Web-using public continues to use the aging OS, which lacks crucial safety protections built into Windows 7 and 8.1. Thursday's release demonstrates the fine line Microsoft walks as it tries to wean users off a platform it acknowledges is no longer safe against modern hacks. While the XP fix may deprive some laggards of the incentive to upgrade, Microsoft also has a responsibility to prevent exploits that could turn large numbers of the Internet population into compromised platforms that attack others.

Attacks grow by “multiple, new threat actors”

The Microsoft patch comes as the in-the-wild attacks exploiting the vulnerability have expanded to include XP users running IE 8, researchers from security firm FireEye reported Thursday. Previously, the IE attacks FireEye observed targeted only versions 9, 10, and 11 running on Windows 7 and 8.

"We have also observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting," Thursday's blog post from FireEye reported. "In addition to previously observed attacks against the defense and financial sectors, organization[s] in the government- and energy sector[s] are now also facing attack."

The Microsoft patch will be delivered automatically to anyone who has Windows configured to receive automatic updates. While there are a variety of settings users can change by hand to block exploitation on unpatched systems, people should install the update as soon as possible. Users should strongly consider upgrading to IE 11 and ensure that Enhanced Protected Mode is turned on; it is on by default only in the immersive (Windows Store) version of IE on Windows 8 and 8.1, and in the desktop browser it is off by default and must be enabled under Internet Options > Advanced. For those using apps that aren't compatible with IE 11, IE 10 with Enhanced Protected Mode is the next safest option. Those still using Windows XP should recognize that their OS choice is a danger to themselves and others, and they should take whatever steps are needed to switch to a safer platform.

"Microsoft no longer supports Windows XP, and the company continues to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1," company representatives wrote in an e-mail. "The threat landscape has changed, and attackers have become more sophisticated. Modern operating systems like Windows 7 and 8.1 have more safety and security features than older operating systems like Windows XP."

In a blog post that coincided with the Windows patch, Adrienne Hall, the general manager of Microsoft's Trustworthy Computing group, seemed to anticipate criticism that is likely to result from the decision to throw XP users a lifeline after more than a year of warnings that they would be on their own after the first week in April. She wrote:

Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we've decided to provide an update for all versions of Windows XP (including embedded) today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do.

According to FireEye, the exploit mitigations built into Windows 7 and 8 force attackers to work much harder to exploit the IE vulnerability. Among other things, the exploits must corrupt the length field of Adobe Flash Vector objects, turning the IE memory-corruption bug into a way of reading memory they should not be able to reach, and use that to defeat address space layout randomization (ASLR), the mitigation that loads code at unpredictable addresses. Windows XP has no ASLR, which is why bypassing mitigations there is so much easier.
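The Vector-length trick described above, as an added illustration that is not code from the article or from FireEye's write-up: a small C simulation of a 32-bit heap in which a Flash-style Vector (a length word followed by its elements) sits directly in front of a C++-style object. The heap layout, the vtable offset `VTABLE_RVA` and the load address are hypothetical values chosen for the demo; the point it makes is that once the length word is clobbered, the runtime's own bounds check lets the attacker read a neighbour's vtable pointer and recover the module's randomized base.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed simulation of the info-leak step FireEye describes. A Flash
 * Vector.<uint> is a length word followed by its elements, and every element
 * access is bounds checked against that length. The IE bug is used to
 * overwrite the length with a huge value, after which reads past the real
 * elements reach a neighbouring object, pick up its vtable pointer, and give
 * away where the (ASLR-randomized) module was loaded. Hypothetical layout. */

#define HEAP_WORDS   16        /* size of the simulated 32-bit heap           */
#define VEC_LEN_IDX  0         /* Vector length field                         */
#define VEC_DATA_IDX 1         /* first element                               */
#define VEC_REAL_LEN 4u        /* elements actually allocated                 */
#define OBJ_IDX      5         /* adjacent object: word 0 is its vtable       */
#define VTABLE_RVA   0x1234u   /* vtable offset inside the module (hypothetical) */

typedef struct { uint32_t words[HEAP_WORDS]; } sim_heap;

/* Heap-spray outcome: the Vector lies directly in front of an object whose
 * first word points into a module that ASLR loaded at module_base. */
void build_heap(sim_heap *h, uint32_t module_base) {
    memset(h, 0, sizeof *h);
    h->words[VEC_LEN_IDX] = VEC_REAL_LEN;
    for (uint32_t i = 0; i < VEC_REAL_LEN; i++)
        h->words[VEC_DATA_IDX + i] = 0x41414141u;
    h->words[OBJ_IDX]     = module_base + VTABLE_RVA;   /* vtable pointer   */
    h->words[OBJ_IDX + 1] = 0xDEADBEEFu;                /* some other field */
}

/* The runtime's element read: an honest bounds check against the length
 * word. Returns 1 and stores the element, or 0 if the index is out of
 * bounds or the access would leave mapped memory (a crash in a real process). */
int vector_get(const sim_heap *h, uint32_t index, uint32_t *out) {
    *out = 0;
    if (index >= h->words[VEC_LEN_IDX]) return 0;
    uint32_t word = VEC_DATA_IDX + index;
    if (word < index || word >= HEAP_WORDS) return 0;   /* wrap-around or unmapped */
    *out = h->words[word];
    return 1;
}

/* The memory-corruption bug (a use-after-free in IE in the real attack),
 * reduced to the one write that matters: clobbering the length field. */
void corrupt_length(sim_heap *h, uint32_t new_len) {
    h->words[VEC_LEN_IDX] = new_len;
}

/* Attacker side: read the word just past the real elements (the neighbour's
 * vtable) and subtract the known offset. Returns 0 if the read was refused. */
uint32_t leak_module_base(const sim_heap *h) {
    uint32_t vtable;
    if (!vector_get(h, VEC_REAL_LEN, &vtable)) return 0;
    return vtable - VTABLE_RVA;
}

/* Run the whole sequence once; corrupt == 0 leaves the length intact. */
uint32_t run_leak_demo(uint32_t module_base, int corrupt) {
    sim_heap h;
    build_heap(&h, module_base);
    if (corrupt) corrupt_length(&h, 0x3FFFFFFFu);
    return leak_module_base(&h);
}

int main(void) {
    uint32_t base = 0x6A3B0000u;   /* pretend ASLR chose this load address */
    printf("intact length:    leaked base = 0x%08x\n", run_leak_demo(base, 0));
    printf("corrupted length: leaked base = 0x%08x\n", run_leak_demo(base, 1));
    /* On Windows XP there is no ASLR: module_base is the same on every
     * machine, so an exploit there never needs this step. */
    return 0;
}
```

With the length intact the read at index 4 is refused and nothing leaks; after the corruption the same read returns the neighbour's vtable pointer, and subtracting the offset the attacker already knows from the shipped binary yields the load address ASLR was supposed to hide.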

"This new tactic of specifically targeting those running Windows XP means the risk factors of this vulnerability are now even higher," FireEye researchers Dan Caselden and Xiaobo Chen wrote.

Ultimately, Microsoft's decision to blink and push a fix to XP users is on balance the right move. It eradicates what's arguably the most severe vulnerability threatening the Internet at this moment rather than leaving large swaths of users vulnerable to remote code-execution attacks that are trivial to carry out. That said, the patch may embolden people who continue to use XP, or at least remove a significant incentive for them to upgrade. Either choice Microsoft could have made was likely to generate risks, not to mention blistering criticism.