Yesterday, Microsoft posted KB 2847140, a temporary fix for a zero-day first reported at the end of April by security firm Invincea, when it noted that the U.S. Department of Labor website "was compromised to re-direct visitors to a website that in turn executed a drive-by download exploit of IE8 in order to install the Poison Ivy backdoor Trojan." This so-called watering-hole attack, which only affects those running Internet Explorer 8, was apparently directed at Department of Energy employees dealing with nuclear-related illnesses. AlienVault says that the attack's Command & Control "protocol matches with a backdoor used by a known Chinese actor called DeepPanda." I haven't heard of any problems with the patch; presumably the change will be officially released as part of the next Black Tuesday bunch.
The exploit was straightforward enough for the Metasploit team to add it to its free penetration testing tool on May 5. Thus, the zero-day was not only in the wild, it was readily available to all and sundry on May 5. Why did it take so long for Microsoft to issue the fix? It has a lot to do with not just the browser, but with our old friend, Windows XP.
Let's start with IE8. According to the latest Net Applications report (which should be taken with a truckload of salt), IE8 is the most frequently used browser in the world, with a 23 percent market share. That's far ahead of IE9 and four times as much as IE10.
The reason so many copies of IE8 are rolling around is simple: If you have Windows XP, you can't install -- much less use -- IE9. Yes, some proportion of Vista and Win7 users are too lazy (or too intimidated) to upgrade to IE9. But the really damning indictment about IE8 is that Microsoft consciously, intentionally, decided it would not build a version of IE9 to run on Windows XP.
Microsoft refused to build IE9 for XP because IE9's graphics hardware acceleration routines require Direct2D and DirectWrite DirectX APIs -- which are missing in XP.
If that sounds like technical mumbo-jumbo retrofitted to support a marketing decision, you hit the nail on the head. IE9 is fully capable of running at a more leisurely pace without Direct2D and DirectWrite APIs. It's just that somebody upstairs decided they didn't want to prolong the XP agony by giving it a better browser.
The bottom line is what you see today: A very large percentage of the world runs Windows XP, and they're all stuck with the security holes in IE8, due to a bogus design decision made three years ago. Golly, what a good way to convince people to pay for a newer version of Windows.
Ah well, be of good cheer. Mozilla builds Firefox 20 to work on Windows XP SP3. Google builds Chrome 26 to work on Windows XP SP3. One has to wonder why Microsoft can't build IE9 (or IE10) to run on Windows XP.
This article, "Microsoft KB 2847140 patch exposes rift between IE8 and Windows XP," was originally published at InfoWorld.com.