Microsoft Issues Patch for Internet Explorer, Has Mercy and Includes Fix for XP Users Also

A recently discovered bug in Internet Explorer was deemed so critical that the Department of Homeland Security had been advising everyone to use alternate browsers because of the major vulnerability in all versions of the browser. There had been no indication of how soon Microsoft would issue a security fix for it. Much to our surprise, Microsoft issued a security fix today, and also included one for users of Windows XP, for Internet Explorer versions 6, 7, and 8. The update began appearing in Windows Update this morning and covers all versions of Internet Explorer. Although the vulnerability existed in versions IE6 through IE11, the exploit was targeting versions IE9 and higher.

In their blog post, Microsoft stated, "The security of our products is something we take incredibly seriously, so the news coverage of the last few days about a vulnerability in Internet Explorer (IE) has been tough for our customers and for us. We take a huge amount of pride that, among widely used browsers, IE is the safest in the world due to its secure development and ability to protect customers, even in the face of cybercriminals who want to break it.

"This means that when we saw the first reports about this vulnerability we said fix it, fix it fast, and fix it for all our customers. So we did. The update that does this goes live today at 10 a.m. PDT."

The vulnerability, which came to light over the weekend and prompted the warning by the DHS, was discovered by FireEye, a computer security company. FireEye had reported that they noticed numerous attacks on U.S. companies that relied on a vulnerability in Internet Explorer. If the attacks were successful, they could easily force a computer to run any malicious code chosen by the attacker, which could then send spam or extract data. FireEye indicated that threat actors had been actively using the exploit in an ongoing campaign which they named "Operation Clandestine Fox."

Many people are questioning why Microsoft decided to also fix the issue for Windows XP after ending support on April 8th. Microsoft noted that this vulnerability coincided with the end of support for Windows XP, and stated, "Of course we’re proud that so many people loved Windows XP, but the reality is that the threats we face today from a security standpoint have really outpaced the ability to protect those customers using an operating system that dates back over a decade. This is why we’ve been encouraging Windows XP customers to upgrade to a modern, more secure operating system like Windows 7 or Windows 8.1.

"Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do."

Microsoft has agreed to continue Windows XP support through April of 2015 for numerous organizations that have been willing to pay for it, and the company is well aware of how many users are still on XP operating systems using older IE browsers. It seems wise on their part to address this major vulnerability for all versions of Internet Explorer, knowing that it could very easily have caused massive network infections if they didn’t.

If you install updates manually, be sure to get the one issued today. If you are an XP user who turned off Windows Update after support ended, you’ll want to enable it again to receive this fix.

Will XP ever really die? That remains to be seen, and it’s not likely that Microsoft will be so willing to issue fixes like this for future vulnerabilities for XP users, but that also remains to be seen.