XP users set to miss out on IE patch


Summary: As Microsoft grapples with the latest Internet Explorer security issue, users of its now unsupported, but still popular, Windows XP will be bypassed by the fix.


Update: On May 1, Microsoft issued a patch for Windows XP.

Microsoft is scrambling to repair a security hole in its widely used Internet Explorer web browser, saying it had detected attempts to exploit the flaw.

The US software giant said in a blog post the coding problem affected versions six through 11 of its flagship browser, noting it was aware of "limited, targeted attacks" taking advantage of the newly discovered flaw.

The exploit uses Flash and a technique called heap feng shui. Microsoft says an attacker who successfully exploits the vulnerability can gain the same user rights as the current user.

"The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer," Microsoft said on its security website on Saturday.

"An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website."

Cybersecurity firm FireEye, which took credit for identifying the flaw, said hackers were exploiting the bug in a campaign nicknamed "Operation Clandestine Fox."

Users still relying on Windows XP could be especially vulnerable because earlier this month Microsoft stopped supporting the older operating system with security patches and other software updates.

Despite the end of support for Windows XP being signalled by Microsoft for some time, and the software giant advising users to move to the more modern Windows 7 or Windows 8 versions of its operating system, Windows XP still enjoys a global market share of almost 29 percent, according to NetMarketShare.

Late last week, it was revealed that Microsoft was part of a consortium of tech giants that signed up to establish the Core Infrastructure Initiative, which will help secure and fund critical open source projects that are under-funded, of which OpenSSL will be the first.

Earlier this month, the Heartbleed flaw in OpenSSL saw everyone from website operators and bank officials to casual internet surfers and governments being told their data could be in danger.

Heartbleed allowed hackers to snatch packets of data from working memory in computers, creating the potential for them to steal passwords, encryption keys, or other valuable information.

Topics: Security, Microsoft, Windows


Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.



  • People using Internet Exploder

    with XP are asking for problems, and show a very special kind of stupidity.

    Normally, I'd say getting the word to them is a good thing, but, as many times as it has been stated before, it is certain that one more time will not induce change. These people are of the "hard learner" variety, and it appears nothing short of a system lost due to exploits in IE will get them to use a different browser.
  • could even make one wonder...

    If Microsoft sat on this one until after the "last update" deliberately...
    • Doubt it, it is inevitable.

      @jesse I doubt it.
      There are tens of thousands of developers whose paid full-time job is to look for exploits, especially in Russia + E Europe, China + S.E Asia & Sth America.
      It would just be a matter of time.
      People running older computers tend to be computer illiterate & are especially vulnerable to socially engineered attacks such as this one.
      Microsoft would not want to see these people get attacked. As we saw with Heartbleed they will get blamed even if they had nothing to do with the issue.
      The other "most vulnerable" group are those who think they are safe because they use a Mac or Linux O/S. Complacency is a killer.
    • Umm, yep

      Also, MS will be working overtime to discover new exploits that affect IE versions -10.0 thru 20.99 to scare people into upgrading.

      The ironic part of this strategy is: it won't work. XP users who haven't upgraded by now never will. The result is the internet will become a giant bot. And it will be MS's fault. Thanks Bill.
    • I'd say it's MUCH more likely

      that criminals have been sitting on exploits over the past several months waiting for the end of support to come. Now that it has, be prepared for a whole slew of them to come out in very short order.
      • Gawd....

        No. There is *zero* evidence for that. That's just hard core MS trollspeak.
  • This was expected

    At some point idiots using XP and to some extent IE will have to realize that no matter what Microsoft does to IE it still has too many ties to the OS. When Ballmer made a commitment to improve security he should have set a path to expunge IE from Windows completely. Instead they chose a path of adding more resistance such as Protected Mode and then Enhanced Protected Mode, which by the way also helps protect against this kind of attack. But it also breaks sites and many defeat Protected Mode because of this. Taking a path of isolation from the OS would have been better and yes many in Enterprise would complain, but then again they could still use XP as they are now. As much as Microsoft tries to make upgrading the OS a painless process, you still have plenty of idiots clinging to the decade-old XP. Microsoft did the right thing by leaving them to fend for themselves.
  • Why mention Core Infrastructure initiative and Heartbleed, Chris?

    I'm not following your logic flow - how do those tie in?
  • XP users set to miss out on IE patch

    Microsoft Windows XP is no longer supported and everyone is aware of that by now. They know they aren't going to get the patch. It's a good time to upgrade to Microsoft Windows 8 if they want to get patches.
    • No, that would just be gross oversimplification

      because, as of now, those people running Windows 8.x are vulnerable, if they use Internet Exploder. The best thing to do is find another browser, leaving Internet Exploder forever, as no matter how much Microsoft says they'll do better, their efforts are all for naught, as they 1] keep making the same mistakes in programming over and over, and 2] the hatred of Microsoft makes Internet Exploder the favorite target of every hacker on the planet.
  • Re: XP users set to miss out on IE patch....

    Are you really that surprised? Microsoft have stopped supporting XP.

    Apple no longer support OS X Snow Leopard hence it still has Safari 5.
  • Use Chrome

    or don't use the Internet at all, if possible. Problem solved.
  • Remember when MS stopped supporting IE upgrades to XP?

    Way back in 2010. IE8 was the highest version that you could put on XP, and that dates back to 2009. If you've been using IE8 all this time instead of the likes of Firefox or Chrome, you deserve to be infected.
    • Or Microsoft deserves some blame, for not updating the browser for those

      dyed-in-the-wool users, who will not switch, no matter the consequences.
  • Any of you recall a patch in January or February 2014...

    that repaired some old code? The odd part, which was largely ignored, is that the patch also sent repairs to Windows 2000.

    What? Wait... What? A patch that worked on Windows 2000, the abandoned predecessor to XP? What black magic is afoot here?

    If this old IE code can be repaired in such a way that XP can deploy it without extra work on Microsoft's part, then it will be available to XP. Remember what Microsoft said earlier when trying to divert panic while instilling panic - a global fix may still reach XP. Nowhere in any of these articles was Microsoft quoted as saying XP will not be fixed.

    This issue is IE-related; the same code carried on from the days of IE 6 right on through the new systems waiting to be sold. The same embedded IE code native to Windows for over a decade. If that module is shared throughout all Windows versions then it is possible to repair it in XP without batting an eye.

    Let's concentrate on the issue and drop this XP bashing; it will only lead to an influx of Linux ravers.
  • Moving from XP

    Moving off of Windows XP isn't about Microsoft making money. It's about moving to new technology that's better and more secure. Windows 7 is the new Windows XP and it's a lot better in so many ways than Windows XP is.
    Pollo Pazzo
  • XP Bashers beware what goes around comes around !!

    Have any of you thought of the "poor people" who, saddled with this government's fiscal policies, can't afford to upgrade to a newer version of Windows? Before you start wittering on about Mozilla and Chrome, they are not the same, and terrify newbies and occasional users, with the consequence that the techies like me have to spend inordinate amounts of time teaching them new browsers both at home and at work. Yes I did say work; for the same reasons as stated above, SMEs don't have the funds for upgrades OR training or both.

    So BACK OFF people who are quick to criticise and call others who can't defend themselves idiots etc. It may be your turn one day.
  • This Is No Longer True

    This article needs to be updated. The author made an assumption without official verification: http://www.zdnet.com/xp-users-set-to-miss-out-on-ie-patch-7000028820/?s_cid=e589&ttag=e589&ftag=TREc64629f
    • Link Correction

      XP is being patched: http://www.zdnet.com/microsoft-issuing-fix-for-ie-zero-day-today-7000029001/?s_cid=e589&ttag=e589&ftag=TREc64629f
  • IE Patch for Windows XP

    Just got this in from Microsoft....
    An emergency out-of-band update will be released at 1PM Thursday for the bug in Internet Explorer being exploited in the wild. Indications are that Windows XP will be patched.