Zero-Day IE Flaw Highlights The Danger Of Lingering Windows XP Market Share

If you are reading this in Internet Explorer, you should probably close it and fire up Chrome — and come back after a newly reported zero-day flaw is patched. Even the U.S. and U.K. governments are warning against use of Internet Explorer for now. The zero-day flaw has been uncovered in Internet Explorer versions 6, 7, 8, 9, 10, and 11, according to Microsoft. Those browser versions comprise around 50 percent of the global browser market, the BBC notes.

Microsoft proposes a number of mitigatory measures that can be taken, but for now I’d just sit out the Internet Explorer game. Microsoft has made large strides with Internet Explorer in the past few years, so to see the company admit to a stinging security flaw even in the latest Internet Explorer 11 that ships with the current Windows 8.1 is somewhat disappointing.

The flaw allows for “remote code injection,” which is quite nasty. Microsoft states that it is “aware of limited, targeted attacks that attempt to exploit [the] vulnerability.” So this is hot and live. The flaw “exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.”

You don’t need to understand the technical details to get the picture, of course.

Here’s why it’s even worse than you might think: Windows XP won’t be patched, given that Microsoft has put it out to pasture. That means the remaining folks on Windows XP are now at much greater risk than before. We knew this was coming.

Here’s Ars Technica’s Peter Bright earlier this year:

And while Firefox and Chrome will both be supported on Windows XP beyond the end-of-life, the substantial number of people using Internet Explorer 6-8 is strongly suggestive that many of these Windows XP users are going to be using not just an unsupported operating system, but an unsupported browser, too.

Exploitation of these people is inevitable, and it’s hard to see this ending well.

Ding ding ding.

Here’s what Microsoft is promising to do:

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Security types are wringing their hands, as expected. Here’s Qualys’s Wolfgang Kandek:

Windows XP users – this happened a bit quicker than I expected but it is a sign of things to come: the vulnerability applies to Windows XP, IE6, IE7 and IE8 are listed as affected and attackers will soon adapt the exploit to work against these older versions of IE as well. Since you will not get a patch for your operating system, deregistering the DLL will be your best option to defend your systems. BTW, Microsoft still lists IE6, IE7 and IE8 in these advisories because they run under Windows 2003, which has another year of support left in it.

It’s time to get off Internet Explorer for now and Windows XP forever.

Update: Microsoft sent over a comment regarding the situation:

“On April 26, 2014, Microsoft released Security Advisory 2963983 to notify customers of a vulnerability in Internet Explorer. At this time we are aware of limited, targeted attacks. We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalized. Our investigation has revealed that Enhanced Protected Mode, on by default for the modern browsing experience in Internet Explorer 10 and Internet Explorer 11, as well as Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0 Technical Preview, will help protect against this potential risk. We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalized.”