Microsoft plans to patch critical under-attack IE bug next week
- 06 March, 2014 21:01
Microsoft today announced it will deliver five security updates to customers next week, two tagged as "critical," including one that will quash the open vulnerability in Internet Explorer (IE) that hackers have been exploiting since January.
Four of the five updates will affect Windows XP, the nearly-13-year-old operating system that Microsoft plans to retire from patch support on April 8. After next week's Patch Tuesday, Microsoft has just one more chance to fix flaws in the aged OS before it pulls the plug.
One of the two critical updates patches all versions of IE, including the even-older-than-XP IE6, as well as the newest IE11, which runs only on Windows 7, Windows 8 and Windows 8.1.
On the client editions of Windows, the IE fix -- dubbed "Bulletin 1" in today's advance notification -- was rated critical, Microsoft's most serious threat rating, for all versions of the browser.
Two weeks ago, Microsoft confirmed at least one vulnerability in IE9 and IE10 after security company FireEye found attacks targeting current and former U.S. military personnel who visited the Veterans of Foreign Wars (VFW) website. Another security vendor, Websense, reported that it had found an exploit leveraging the same IE bug on the website of a French aerospace association, GIFAS (Groupement des Industries Françaises Aéronautiques et Spatiales), whose members include defense and space contractors.
Websense cited evidence that exploits had been in circulation as early as Jan. 20, 2014.
Later, Aviv Raff, chief technology officer at security firm Seculert, contended that the attacks uncovered by FireEye and Websense were the work of two hacker groups.
Although Microsoft today continued to characterize the attacks as limited in scope, Symantec begged to differ last week. The California antivirus vendor said its telemetry showed that attacks against IE were "expanding to attack average Internet users" at the time.
Three other Windows updates will affect XP, one rated critical and the other pegged as "important" on Microsoft's four-step scoring system. Bulletin 2, the update marked critical, could be used by attackers to hijack a PC running any flavor of Windows, including XP, except for Windows RT, the scaled-back touch-first sibling that powers Microsoft's Surface RT and Surface 2 tablets.
The updates for Windows XP, including the one for IE6, IE7 and IE8, the browsers that run on the aged platform, will likely get much of the attention next week as XP will then be just one month from retirement. After April 8, Microsoft will not ship patches for known XP vulnerabilities, even critical flaws, to the general public. It will, however, provide critical updates to major customers who have paid for an extra-extended form of support, which costs about $200 per PC for the first year of coverage, then climbs each additional year.
Microsoft has invested significant messaging resources in urging customers to abandon XP for a newer OS, including a misguided appeal to the more technically-astute to help friends and family ditch XP.
So far, the Redmond, Wash. company's efforts have not paid off as it had hoped: Metrics company Net Applications said earlier this week that XP powered 29.5% of the world's personal computers in February.
The two remaining Windows updates were rated important by Microsoft, which said that one could be used by hackers to obtain additional access rights while the other could be exploited to bypass an unnamed security feature or technology within the operating system.
The fifth update, also judged important, will patch Silverlight 5, a Microsoft-made framework that once tried to take on Adobe Flash in the market and on the Web.
Silverlight 5 is the most-recent version of the framework and its multimedia player plug-in, released in late 2011. Microsoft has committed to supporting Silverlight through 2021, but has stopped further development on the technology, which remains important on Windows Phone if little else.
Microsoft will release next week's security updates on March 11 around 1 p.m. ET.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.