IE 0day and Windows XP: Microsoft’s tough decision

Microsoft had to deal with a new, less-than-pleasant vulnerability in the Internet Explorer browser, which affected all of its versions starting with IE6 on all of its operating systems, including the recently ‘discarded’ Windows XP. Microsoft had to make a tough choice. And it did.

As we all know, as of April 8th, 2014 Windows XP has ‘officially’ gone off into the sunset: it’s no longer supported by Microsoft. Just before this happened, many voices were predicting doom, and, frankly, there was at least some merit in their arguments. Windows XP may have been discarded by Microsoft, but there are still millions of people using it, which means that malware writers and hackers are going to look hard for new bugs and vulnerabilities to exploit. Without technical support from Microsoft, there will be no new patches for these bugs, so they can be exploited indefinitely, and this is actually a threat to everyone, not just Windows XP aficionados.

Now it looks like those doom-sayers were right: it didn’t take long before a new bug affecting Windows XP was discovered: a vulnerability present in more or less all current versions of Internet Explorer.

On April 26, 2014, Microsoft notified its customers of a vulnerability in Internet Explorer along with a zero-day exploit that has already been used in the wild – in “limited, targeted attacks”. Apparently, it was FireEye that discovered those attacks in the first place.

According to FireEye’s data, the initial attack targeted users of IE versions 9, 10, and 11 on Windows 7 and 8, although the vulnerability actually affected all versions of IE from 6 to 11. It really didn’t take long before a new version of the exploit was discovered, this time targeting Windows XP machines running Internet Explorer 8.

There is a large amount of technical data on the vulnerability itself. In short, by convincing a user to view a specially crafted HTML document, attackers are able to execute arbitrary code on the system. According to CERT’s description, “the Internet Explorer vulnerability is used to corrupt Flash content in a way that allows ASLR to be bypassed via a memory address leak. This is made possible with Internet Explorer because Flash runs within the same process space as the browser.” CERT also acknowledges that exploitation without the use of Flash may be possible, even though disabling the Flash plugin in IE is one of the workarounds for the problem.
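Since disabling the Flash plugin in IE is the workaround the advisory names, an administrator would want a quick way to verify it is actually in place on a given machine. The following PowerShell audit script is an added example, not code from the original post or from Kaspersky Lab; it assumes the well-known CLSID of the Shockwave Flash ActiveX control and the standard Internet Explorer ActiveX “killbit” registry location, and it must be run in an elevated PowerShell session on the Windows host being checked.

```powershell
# Added audit script (assumption: standard IE killbit mechanism and the
# well-known Shockwave Flash ActiveX CLSID). Run elevated on the host.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$IeKey      = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$KillBitKey = "$IeKey\ActiveX Compatibility\$FlashClsid"

function Get-IeVersion {
    # IE 10 and later record the real version in svcVersion;
    # older builds (including IE8 on XP) only populate Version.
    $p = Get-ItemProperty -Path $IeKey -ErrorAction SilentlyContinue
    if ($p.svcVersion) { return $p.svcVersion }
    return $p.Version
}

function Test-FlashKillBit {
    # The killbit is bit 0x400 of the 'Compatibility Flags' DWORD
    # stored under the control's CLSID; absent key means not blocked.
    $p = Get-ItemProperty -Path $KillBitKey -ErrorAction SilentlyContinue
    if (-not $p) { return $false }
    $flags = [int]$p.'Compatibility Flags'
    return (($flags -band 0x400) -ne 0)
}

function Set-FlashKillBit {
    # Applies the workaround: create the key and set the killbit flag.
    New-Item -Path $KillBitKey -Force | Out-Null
    Set-ItemProperty -Path $KillBitKey -Name 'Compatibility Flags' `
        -Value 0x400 -Type DWord
}

$ver = Get-IeVersion
Write-Host "Internet Explorer version: $ver"
if (Test-FlashKillBit) {
    Write-Host "Flash ActiveX control is kill-bitted in IE: workaround is in place."
} else {
    Write-Host "Flash ActiveX control is NOT blocked in IE."
    Write-Host "Install the vendor patch, or run Set-FlashKillBit to apply the workaround."
}
```

Setting the killbit blocks the control for every site in IE, so test the impact on required web applications before rolling it out across a fleet.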

In other words, it isn’t a pleasant situation: the U.S. Department of Homeland Security even advised not to use Internet Explorer until the patch is in place.

Microsoft found itself in hot water with this. The company had a tough choice: to stick to its earlier decision to cease Windows XP support and tell its (millions of) remaining users to help themselves and to upgrade at last, or give them a hand – as a contingency measure.

Either way, it was going to get slammed: for leaving millions of users out in the cold, or for indulging people who do nothing to protect themselves.

Microsoft chose the latter: “as an exception” it patched the vulnerability in all affected versions of Internet Explorer, providing an update for all versions of Windows XP too.


And it got slammed for that, just as expected: “The decision to release this patch is a mistake,” said Ars Technica, arguing that such one-off “exceptions” do not make Internet Explorer on Windows XP any safer. Instead, they create the false impression that it’s okay to keep going with Windows XP. IT people who knew they needed to migrate (and needed a budget for it) kept telling their superiors that Microsoft wasn’t going to provide any patches beyond April 8th. Now they are in hot water too, because, from a business owner’s point of view, if there was one “exception”, why shouldn’t there be another? And another? Why, again, can’t Microsoft just extend Windows XP support indefinitely?

Microsoft chose to help out Windows XP users too, and got slammed for this.

“The job of migrating away from Windows XP just got a whole lot harder,” Ars Technica said. And for good reason.

This situation is indeed a thought-provoking one. Windows XP has been around for too long, and because of this, has had too many things go wrong. Microsoft, after years of preparations, warnings and admonitions, finally axed Windows XP support… and almost immediately released a new patch – along with explanations:

“Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do,” said Adrienne Hall, General Manager for the Trustworthy Computing department at Microsoft.

Maybe we should thank Microsoft for their concern, but then again, maybe not.

Microsoft keeps trumpeting the fact that people need to move away from Windows XP for security reasons, but acts as if there’s no hurry at all.

As for this IE vulnerability and its 0day exploits, Kaspersky Lab products include multiple protection technologies designed specifically to block even unknown threats such as zero-day exploits. Automatic Exploit Prevention is one of these technologies. We can now confirm that the newly discovered exploits for this IE vulnerability are successfully detected and blocked by our solutions, so our customers are safe.

We fully understand that it will take time for Windows XP to go away completely. The sooner it happens, the better: migration from Windows XP is a necessary security measure. But still we will continue support for Windows XP in our products until 2016.
