Microsoft fixes IE zero-day flaw

Windows XP users will receive the patch, even though Microsoft ended support for the OS about 3 weeks ago

Microsoft has issued a patch for an Internet Explorer zero-day flaw being actively exploited by malicious hackers and that was first identified Saturday .

The flaw, which affects IE 6 through IE 11, could allow attackers to execute code remotely on a compromised computer if the user views an infected Web page using the browser.

[ Safeguard your browsers; InfoWorld's experts tell you how in the "Web Browser Security Deep Dive" PDF guide. | Cut to the key news for technology development and IT management with the InfoWorld Daily newsletter, our summary of the top tech happenings. ]

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," reads the security bulletin.

The flaw is rated Critical, the most severe rating in Microsoft's security categories. The most likely scenario for victimizing users is the distribution by attackers via email and IM messages of links to malicious websites.

The patch will be automatically downloaded and installed in Windows computers configured to receive software updates from Microsoft. Users who don't get these automatic updates are advised to install this patch manually right away.

Although Windows XP users aren't supposed to get this type of patch delivered to them anymore, since support for the OS ended on April 8, Microsoft is making an exception and pushing out this update to them as well.

"The security of our products is something we take incredibly seriously. When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers," Adrienne Hall, general manager, Microsoft Trustworthy Computing, said in a statement.

However, the decision shouldn't be taken to mean that Microsoft will routinely include XP users in its security updates, according to IDC analyst Al Gillen. For starters, in this case the flaw affects IE, not XP, so Microsoft isn't fixing the OS itself, he said.

"I do not see this as Microsoft caving in on the end-of-support decision around Windows XP," Gillen said via email.

In a blog post about the patch, Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing, reiterated that XP is no longer supported and that "we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1" and to IE 11, the latest version of the browser.

Meanwhile, Hall called the gesture to XP users an "exception" because support for the OS ended very recently. "Just because this update is out now doesn't mean you should stop thinking about getting off Windows XP," she wrote in a blog post.

She said there have been "a very small number of attacks" from the flaw and called concerns about the danger "overblown."

However, Gartner analyst Michael Silver said he wouldn't be surprised if Microsoft comes to the rescue of XP users again in the next six months if another serious flaw crops up. "Microsoft is walking a fine line of protecting people while not upsetting organizations that did the right thing and moved on time," he said via email.

Windows XP is still used on just over a quarter of all desktops, according to Net Applications.

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.

Copyright © 2014 IDG Communications, Inc.

How to choose a low-code development platform