Microsoft fixes Internet Explorer flaw with out-of-band patch, XP included

Microsoft has released an out-of-band fix for the recently disclosed Internet Explorer flaw, including a patch for Windows XP.


Microsoft has released an out-of-band fix for the recently disclosed Internet Explorer flaw that is being actively exploited online. Moreover, they've issued a fix for users who are still on Windows XP, despite the fact that the operating system is no longer supported.

The vulnerability was confirmed last weekend, when Microsoft, after acting on a notification from researchers at FireEye, launched an investigation into reports of attacks targeting a flaw in their browser.

At the time, attackers were targeting a use-after-free vulnerability in IE 9 through 11, but as it turned out, the issue affected all versions of Internet Explorer.

Compounding the problem, once the vulnerability was exploited, attackers were able to bypass ASLR and DEP protections and gain code execution with the same privileges as the currently logged-in user.

Commenting on their findings, FireEye said that the actors behind the attacks have had access to "a select number of browser-based 0-Day exploits in the past."

In addition, the security firm said that this particular vulnerability was significant due to the reach it had in the public. The versions of Internet Explorer that were being targeted represented 25 percent of the Web in 2013.

"The security of our products is something we take incredibly seriously. When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers," Microsoft's Adrienne Hall said in a prepared statement.

However, given the wide impact, the public's concern was that while Microsoft would eventually issue a fix for this issue, users on Windows XP would be left out in the cold.

But, as it turns out, Microsoft wasn't going to ignore those users.

"We have made the decision to issue a security update for Windows XP users," Dustin Childs, Group Manager for response communications at Microsoft wrote in a blog post.

While that is the good news, it's best to see this as an act of grace from Microsoft, a one-time show of support that's unlikely to become the norm, regardless of how bad the next vulnerability is.

"I don’t think that's a luxury that users who aren't paying for extended support can enjoy for much longer," Trey Ford, Global Security Strategist at Rapid7, said when asked if XP would see regular patching for critical vulnerabilities such as this.

Either way, the next batch of fixes from Microsoft wasn't due until May 13, so today's patch release shows just how serious the Internet Explorer bug truly was.

"Out of Band updates are a big deal. Major vendors like Microsoft, Oracle, Adobe and others have highly structured software testing workflows that are expensive in terms of time and resources. To interrupt a scheduled development cycle for an emergency patch, or ‘out of band’ release is a noteworthy event where a vendor is placing the public good ahead of their development and delivery lifecycle," Ford added.

Microsoft restated their position that Windows XP is no longer supported, encouraging those still on the older operating system to update to a more modern version of Windows, and to update their version of Internet Explorer to version 11.

For those manually updating their installations, Microsoft has published the patch online, and encourages users to apply it immediately. Those with automatic updates will have the patch shortly.

If patching immediately isn't an option, deploying Microsoft's EMET (Enhanced Mitigation Experience Toolkit) or unregistering VGX.DLL are viable workarounds until the patch can be applied.
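An administrator applying the VGX.DLL workaround above would want it scripted, and would want confirmation that it actually took effect. The following PowerShell is an added example, not code from the article or from Microsoft: it unregisters VGX.DLL (the Vector Markup Language rendering library that Internet Explorer loads) with regsvr32 and then checks that no COM class registration still points at the DLL. It assumes the default install locations under Common Files, an elevated prompt, and handles both the 64-bit and 32-bit copies on x64 Windows; the function name Get-VgxComRegistrations is my own.

```powershell
# Added example, not code from the article or from Microsoft: unregister the
# VML renderer (VGX.DLL) as a stop-gap until the out-of-band Internet Explorer
# update is installed, then verify the COM registration is really gone.
# Run from an elevated PowerShell prompt. Assumes the default install paths
# under Common Files. Reverse later with: regsvr32 /s "<path to vgx.dll>"

function Get-VgxComRegistrations {
    # Return every CLSID whose in-process server is vgx.dll, from both the
    # native and the 32-bit (Wow6432Node) registry views. Searching by server
    # path avoids hard-coding GUIDs that may differ between IE versions.
    $roots = @(
        'Registry::HKEY_CLASSES_ROOT\CLSID',
        'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    )
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
            ForEach-Object {
                $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
                if ($srv -and $srv.'(default)' -like '*\vgx.dll*') { $_.PSChildName }
            }
    }
}

# Candidate DLL locations; the (x86) variable is empty on 32-bit Windows.
$candidates = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Microsoft Shared\VGX\vgx.dll' }

$before = @(Get-VgxComRegistrations)
Write-Output "Before: $($before.Count) CLSID(s) registered to vgx.dll"

foreach ($vgx in $candidates) {
    if (-not (Test-Path -LiteralPath $vgx)) {
        Write-Output "Not present, skipping: $vgx"
        continue
    }
    # /u unregisters the server; /s suppresses the confirmation dialog so
    # the command can run unattended from a deployment script.
    & regsvr32.exe /u /s $vgx
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "regsvr32 returned $LASTEXITCODE for $vgx (not elevated?)"
    } else {
        Write-Output "Unregistered: $vgx"
    }
}

$after = @(Get-VgxComRegistrations)
if ($after.Count -eq 0) {
    Write-Output 'Verified: no CLSID points at vgx.dll; IE will no longer render VML content.'
} else {
    Write-Warning "Still registered: $($after -join ', ')"
}
```

The before/after check matters more than the regsvr32 call itself: a non-elevated run fails silently under /s, and without the registry check a deployment would report success while the vulnerable library remained loadable. Once the patch is installed, re-register each DLL with regsvr32 /s so sites that rely on VML render again.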
