Microsoft fixes IE zero-day flaw

Windows XP users will receive the patch, even though Microsoft ended support for the OS about 3 weeks ago

Microsoft has issued a patch for an Internet Explorer zero-day flaw that was first identified Saturday and is being actively exploited by malicious hackers.

The flaw, which affects IE 6 through IE 11, could allow attackers to execute code remotely on a compromised computer if the user views an infected web page using the browser.

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," reads the security bulletin.

The flaw is rated Critical, the most severe rating in Microsoft's security categories. The most likely scenario for victimizing users with this flaw is for attackers to distribute links to malicious websites via email and IM messages.

The patch will be automatically downloaded and installed on Windows computers configured to receive software updates from Microsoft. Users who don't get these automatic updates are advised to install this patch manually right away.

Although Windows XP users aren't supposed to get this type of patch delivered to them anymore, since support for the OS ended on April 8, Microsoft is making an exception and pushing out this update to them as well.

"The security of our products is something we take incredibly seriously. When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers," Adrienne Hall, general manager, Microsoft Trustworthy Computing, said in a statement.

However, the decision shouldn't be taken to mean that Microsoft will routinely include XP users in its security updates, according to IDC analyst Al Gillen. For starters, in this case the flaw affects IE, not XP, so Microsoft isn't fixing the OS itself, he said.

"I do not see this as Microsoft caving in on the end-of-support decision around Windows XP," Gillen said via email.

In a blog post about the patch, Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing, reiterated that XP is no longer supported and that "we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1" and to IE 11, the latest version of the browser.

Juan Carlos Perez covers enterprise communication/collaboration suites, operating systems, browsers and general technology breaking news for The IDG News Service. Follow Juan on Twitter at @JuanCPerezIDG.
