5/1/2014 02:40 PM

Microsoft Issues Emergency Patch for IE, Covers XP

Out-of-band fix for Internet Explorer zero-day flaw now available -- for XP, too.

That was fast: Microsoft today released an emergency patch for a previously unknown Internet Explorer vulnerability, revealed over the weekend, that had been discovered being exploited by a cyber espionage group out of China.

In a surprise twist, Microsoft included a patch for IE on Windows XP, the older operating system it no longer supports as of last month.

Microsoft was under pressure for a quick fix to the flaw (CVE-2014-1776), which came just after it ended support for Windows XP, prompting advice from the UK and US CERTs for users to consider using alternative browsers until IE got its patch. The bug, a "critical" memory corruption vulnerability according to Microsoft, was spotted being used in drive-by web attacks. It affects IE versions 6, 7, 8, 9, 10, and 11, and allows a remote attacker to run code on a targeted machine.

"The security of our products is something we take incredibly seriously. When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers," said Adrienne Hall, general manager for Microsoft Trustworthy Computing.

Hall said in a blog post that Microsoft decided to include a patch for IE on Windows XP as well. She downplayed the worries about widespread attacks using the 0day, noting that the number of actual attacks was minimal. Hall said:

Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do.

IE 10 and 11 users running with Enhanced Protected Mode, which those versions enable by default, were safe from exploits of the bug, as were users running Microsoft's Enhanced Mitigation Experience Toolkit (EMET) versions 4.1 and 5.0.

The exploit spotted in the wild used a Flash exploitation method, and bypassed Microsoft's Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protections.

Trey Ford, global security strategist at Rapid7, applauded Microsoft's quick turnaround for the patch. Ford says:

Out-of-band updates are a big deal. Major vendors like Microsoft, Oracle, Adobe and others have highly structured software testing workflows that are expensive in terms of time and resources.  To interrupt a scheduled development cycle for an emergency patch, or out of band release is a noteworthy event where a vendor is placing the public good ahead of their development and delivery lifecycle. One thing particularly of interest is that Microsoft made the decision to issue this patch for Windows XP, which is no longer officially supported. I think this underscores the importance of this patch, and the priority with which it should be deployed. Corporate and private users should prioritize downloading (testing, where required by change controls) and deploying this patch.

Meanwhile, Microsoft's Hall noted that users with Windows Automatic Updates will automatically get the update. "If you are like most people, you have automatic updates turned on, and you’ll get this new update without having to do anything. If you haven’t turned on automatic updates yet, you should do so now. Click the 'Check for Updates' button on the Windows Update portion of your Control Panel to get this going," Hall said.
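For administrators triaging the two points above (patch status, and the interim mitigations EPM on IE 10/11 and EMET 4.1/5.0), the following PowerShell inventory script is an added example and is not from the article or from Microsoft. It assumes the registry locations shown for the IE version and the EPM setting, and uses a placeholder KB number because the article does not name the update's KB article.

```powershell
# Added example: report whether a Windows host is patched for CVE-2014-1776
# or at least covered by the mitigations the article names (EPM, EMET).
# Assumptions: IE exposes its version under HKLM\SOFTWARE\Microsoft\Internet Explorer
# and stores the per-user EPM switch as Isolation = PMIL; $PatchKb is a placeholder.
$PatchKb = 'KBXXXXXXX'   # placeholder: replace with the out-of-band update's KB number

function Get-IeVersion {
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    # svcVersion exists on IE 10 and later; older builds only expose Version
    if ($ie.svcVersion) { return $ie.svcVersion } else { return $ie.Version }
}

function Test-EnhancedProtectedMode {
    # Assumed key: Isolation is 'PMIL' when Enhanced Protected Mode is enabled
    $main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    return ($main.Isolation -eq 'PMIL')
}

function Test-EmetInstalled {
    # Look for EMET among the Add/Remove Programs entries (32- and 64-bit views)
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $hits = Get-ItemProperty $paths -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Enhanced Mitigation Experience Toolkit*' }
    return [bool]$hits
}

function Test-PatchInstalled {
    param([string]$Kb)
    # Get-HotFix lists installed updates by KB id; absent id means not installed
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

$ver = Get-IeVersion
$major = 0
if ($ver) { $major = [int]($ver.Split('.')[0]) }

$patched   = Test-PatchInstalled -Kb $PatchKb
# EPM only counts as a mitigation on IE 10/11, per the article
$mitigated = (($major -ge 10) -and (Test-EnhancedProtectedMode)) -or (Test-EmetInstalled)

if ($patched)        { $status = 'Patched' }
elseif ($mitigated)  { $status = 'Unpatched but mitigated (EPM or EMET); deploy the update' }
else                 { $status = 'Unpatched and unmitigated; deploy the update now' }

New-Object PSObject -Property @{ IEVersion = $ver; Patched = $patched; Mitigated = $mitigated; Status = $status } |
    Format-List
```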

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
spitball, User Rank: Apprentice
5/2/2014 | 6:21:24 PM
Re: Surprising twist, indeed.
It absolutely should not be a trend. XP is no longer supported and the fact that this was released was extremely fortunate for the laggards who refuse to get off of XP. This didn't sneak up on anyone, these companies have had years to prepare for this, and to blame a few critical apps they just couldn't get off, is just lazy. You cannot exist for long on an unsupported OS. Next time choose software that doesn't pin you to a 13 year old OS and 9 year old browser.
securityaffairs, User Rank: Ninja
5/2/2014 | 4:44:37 PM
Re: Surprising twist, indeed.
@Marilyn Cohodas First of all Thanks! Cyber security is a shared responsibility, software vendors, governments and population must be aware of the risks related to the exploitation of zero-day flaws within products that are no more supported like WinXP. Security could not be considered a cost, the real cost is the one that must be paid by the collectivity in case of incidents.

I've really appreciated the choice of Microsoft to fix the flaw also for XP.

Let me suggest reading my recent post on the topic ...

http://securityaffairs.co/wordpress/23771/hacking/windows-xp-deadline.html

In the post I proposed interesting statistics on the diffusion of XP that give us an idea on the possible impact of a vulnerability. I have also updated the graph to see the current diffusion of XP world wide ... the market share is nearly 15% ....

http://gs.statcounter.com/#desktop-os-ww-monthly-201405-201405-bar

We cannot leave 15% of machines vulnerable ... we cannot forget that the remaining 85% relies on their security because they share in many cases same networks ... they are everywhere, they surround us.
LucasZa, User Rank: Apprentice
5/2/2014 | 1:58:14 PM
This casts a spotlight on Windows XP
From my AccessData blog post: This 0day exploit is just a preview of what's to come. When the next patch Tuesday rolls around May 13, Windows XP users will be left defenseless as attackers release exploits to take advantage of unpatched systems. With a 26.29 percent share of the desktop PC market, Windows XP is everywhere. Attackers seeking to compromise systems en masse can hardly wait. In fact, XP is installed on more PCs than Windows 8, Windows 8.1, and Windows Vista combined. As a security professional, I'm extremely frightened of the approaching storm. The sheer number of soon to be vulnerable XP systems combined with the level of attacker activity we're faced with will likely generate unprecedented events. For those of you still using Windows XP that cannot upgrade, I recommend reading my prior blog post for advice on how to mitigate the vulnerable state you'll be left in. I'll be sure to write more blog posts on attacker activity and mitigation techniques as events unfold.
Randy Naramore, User Rank: Ninja
5/2/2014 | 10:16:07 AM
Re: Surprising twist, indeed.
I agree, it seems as though there have been a lot of emergency patches for one thing or another lately.
Marilyn Cohodas, User Rank: Strategist
5/2/2014 | 10:11:02 AM
Re: Surprising twist, indeed.
@securityaffairs -- You make a great point about how much the threat landscape has changed in the years since XP has been in service. It raises a really good question about how long a company like Microsoft should support end-of-life products in the area of security. Given how embedded XP still is, I would think that ongoing patching is one area that should be continued, as they are doing with the Explorer bug.
securityaffairs, User Rank: Ninja
5/2/2014 | 10:00:23 AM
Re: Surprising twist, indeed.
The real problem is that similar problems will reoccur frequently. Unfortunately, to date XP is still extremely prevalent in many areas, let's think of the bank and the industrial control systems, these areas are particularly critical and a massive migration to other OSs is not so easy ... paradoxically, these areas are the main targets of cyber criminals and state-sponsored hackers.
Kelly Jackson Higgins, User Rank: Strategist
5/1/2014 | 4:02:29 PM
Re: Surprising twist, indeed.
It was a relatively fast turnaround for a bug that Microsoft is saying was not being widely abused. And it was especially diligent of Microsoft to include XP in this patch.
Marilyn Cohodas, User Rank: Strategist
5/1/2014 | 3:37:02 PM
Surprising twist, indeed.
Glad that Microsoft did the right thing and included XP in the patch. Hope it signifies a trend...