Hackers are exploiting an Internet Explorer (IE) vulnerability that was left unpatched in Windows XP on Tuesday, Microsoft and outside security experts said.
The bug, identified as CVE-2014-1815, was one of two Microsoft patched with a critical update issued Tuesday for IE6, IE7, IE8, IE9, IE10 and IE11. In the accompanying security bulletin, Microsoft noted that the vulnerability had been both known to hackers and used by them prior to yesterday's update.
[ Windows 8 left you blue? Then check out Windows Red, InfoWorld's plan to fix Microsoft's contested OS. | Want a new PC? InfoWorld picks the 12 best Window 7 PC models available today. | Stay atop key Microsoft technologies in our Technology: Microsoft newsletter. ]
"Microsoft is aware of limited attacks that attempt to exploit this vulnerability in Internet Explorer," the bulletin stated.
But because Windows XP exhausted its support privileges last month, users running the aged operating system did not receive the IE security update, as did owners of Windows Vista, Windows 7 and Windows 8 PCs.
Also on Tuesday, Microsoft reasserted that it has patched its last Windows XP bug. In the strongest signal yet that it will stick with its plan -- and that a May 1 emergency patch for IE on XP had been a one-time deal -- a company spokesman said, "The Windows XP end of support policy still remains in place moving forward."
Originally, Windows XP was bundled with IE6, but over the years users have upgraded to IE7 and then IE8, the five-year-old browser that is the newest from Microsoft able to run on XP. If XP was still supported, XP PCs would certainly have received the update.
"This is the first advisory that clearly would have applied to Windows XP," said Ross Barrett, senior manager of security engineering at Rapid7, in an email yesterday. "IE6, IE7 and IE8 are vulnerable on Windows [Server] 2003; this would historically have mapped to the same scope of XP patches, but not this time."
As Barrett noted, Microsoft's security bulletin listed Windows Server 2003 as affected by the vulnerability. The server software was patched Tuesday because its support lifespan runs until July 14, 2015.
CVE-2014-1815 is a classic "drive-by" vulnerability that can be triggered simply by duping IE users into visiting a malicious or compromised website. As soon as an unpatched Internet Explorer reaches such a site, the exploit leaps into action, immediately hijacking the PC and sticking malware on the hard drive.
Because IE6, IE7 and IE8 on Windows XP will not be patched, users will remain vulnerable to these sneaky attacks in perpetuity.
Most security professionals have urged people stuck on XP to switch to another browser, one that still receives updates: Google's Chrome, Mozilla's Firefox and Opera Software's Opera all fit that bill. According to research conducted by Computerworld, XP users can dramatically lower their risk by dumping IE.