Microsoft released an out-of-band patch today for an Internet Explorer zero-day flaw, which was already being exploited in the wild. Surprisingly, Microsoft opted to release a patch for Windows XP, which officially ended support earlier this month.
Microsoft disclosed the zero-day vulnerability (CVE-2014-1776) in all versions of Internet Explorer, from IE 6 to IE 11, on Saturday and urged users to use another Web browser until the issue could be patched. The issue affected all different Windows operating systems, from the no-longer-supported Windows XP to the latest, Windows 8.1. The flaw could result in remote code execution simply by the user browsing to a compromised Website, Microsoft said.
“The security of our products is something we take incredibly seriously. When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers,” Adrienne Hall, general manager of Microsoft Trustworthy Computing, said in a statement.
Windows Update will download the patch for users set up to receive automatic updates. Since XP is no longer supposed to receive updates because it entered end-of-life on April 8, users will need to manually kick off Windows Update to receive the fix.
“Run Windows Update if you are using a Windows system, and cheers to Microsoft response for delivering this patch to their massive user base quickly,” said Kurt Baumgartner, a senior security researcher with Kaspersky Lab.
Microsoft doesn’t issue many out-of-band updates, preferring to stick with its scheduled monthly Patch Tuesday releases. As a result, “out-of-band updates are a big deal,” and shows the company is “placing the public good ahead of their development and delivery lifecycle,” said Trey Ford, a global security strategist with Rapid7.
The fact that Microsoft decided to issue the patch XP anyway despite the fact it is no longer supported underscores the importance of this patch, Ford said.
When Microsoft first disclosed the flaw, it urged users to use a different Web browser until the issue could be fixed. The exploit in the wild was using Flash Player to trigger the flaw in IE, so users were encouraged to disable the Flash Player plugin in IE. IE10 and 11 users were encouraged to run the browser in “Enhanced Protected Mode,” which restricts the type of code that can be executed. Users were also encouraged to download and install Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including iPCMag.com where she is a networking and security analyst. She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products.