http://arstechnica.com/security/2014/05/emergency-patch-for-critical-ie-0day-throws-lifeline-to-xp-laggards-too/
By Dan Goodin
Ars Technica
May 1, 2014

Microsoft has released an emergency update for all recent Windows
operating systems—including the recently decommissioned XP—fixing a
critical security bug that is currently being exploited in real-world
attacks.

The decision to patch XP underscores the potential seriousness of the
vulnerability. Since it resides in versions 6 through 11 of Internet
Explorer, the remote code-execution hole leaves an estimated 26 percent of
Internet browsers susceptible to attacks that can surreptitiously install
hacker-controlled backdoors when users visit a booby-trapped website. By
some measures, 28 percent of the Web-using public continues to use the
aging OS, which lacks crucial safety protections built into Windows 7 and
8.1.

Thursday's release demonstrates the razor-thin tightrope Microsoft walks
as it tries to wean users off a platform it acknowledges is no longer safe
against modern hacks. While the XP fix may deprive some laggards of the
incentive to upgrade, Microsoft also has a responsibility to prevent
exploits that could turn large numbers of the Internet population into
compromised platforms that attack others.

Attacks grow by “multiple, new threat actors”

The Microsoft patch comes as the in-the-wild attacks exploiting the
vulnerability have expanded to include XP users running IE 8, researchers
from security firm FireEye reported Thursday. Previously, the IE attacks
FireEye observed targeted only versions 9, 10, and 11 running on Windows 7
and 8.
[...]