
Microsoft fixes big IE bug -- even on Windows XP

The browser bug was so severe the US and UK issued warnings. Surprisingly, Microsoft's fix brings an update to its outmoded XP software.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

[Image: An unofficial Singaporean Internet Explorer 11 mascot, from the browser's happier days last fall. Screenshot by Seth Rosenblatt/CNET]

Microsoft has issued a fix for a dangerous Internet Explorer bug that left the browser highly vulnerable across every major version -- including those that run on Windows XP.

The patch, delivered at 10 a.m. Thursday, comes outside Microsoft's usual Patch Tuesday cycle because of the bug's severity. The flaw affected IE 6 through 11 and allowed attackers to install malware on your computer without your permission, malware that could be used to steal personal data, track online behavior, or gain control of the computer.

Security firm FireEye, which discovered the previously unknown and unfixed flaw five days ago, said it saw the vulnerability being used to target financial and defense institutions through Internet Explorer 9, 10, and 11. Nevertheless, Microsoft's patch today fixes all affected versions of the browser.

"The majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically," Dustin Childs of Microsoft Trustworthy Computing, the company's security group, said in a blog post. "If you're unsure if you have automatic updates, or you haven't enabled Automatic Update, now is the time."

Of the decision to fix Internet Explorer 6, 7, and 8, the only versions of the browser that still run on the 12-year-old Windows XP, Childs was terse.

"We have made the decision to issue a security update for Windows XP users," he said, noting that "Windows XP is no longer supported by Microsoft" and that Redmond "continue[s] to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1."

The decision is a notable reversal for Microsoft, which had ended support only weeks ago for Windows XP and the versions of Internet Explorer that run on it. According to research firm NetApplications, Windows XP still accounts for more than 26 percent of the desktops in use.

Childs said that Microsoft encourages Windows 7 and Windows 8.1 customers to update Internet Explorer to version 11, the latest release, if they haven't yet.
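The two actions the article relays from Microsoft, confirming that Automatic Updates will deliver the fix and confirming that a Windows 7 or 8.1 machine is on IE 11, can be checked from an administrator's PowerShell prompt. The script below is an added example written for this page, not code from CNET or Microsoft. It reads the standard `HKLM:\SOFTWARE\Microsoft\Internet Explorer` registry key and the `Microsoft.Update.AutoUpdate` COM object, both of which are ordinary Windows interfaces; the KB number of this particular update is not given in the article, so the final hot-fix check uses a labelled placeholder.

```powershell
# Added example (not from the CNET article or Microsoft): report the installed
# Internet Explorer version and the Automatic Updates setting on a Windows host,
# so an administrator can see whether a machine is on IE 11 and whether it will
# receive an out-of-band fix like this one without manual action.

function Get-IEVersion {
    # IE 10 and later store the real version in svcVersion; older releases only set Version.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    if ($ie.svcVersion) { return [version]$ie.svcVersion }
    return [version]$ie.Version
}

function Get-AutoUpdateLevel {
    # Windows Update Agent COM object; NotificationLevel 4 = download and install automatically.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return $au.Settings.NotificationLevel
}

$levelNames = @{
    0 = 'Not configured'
    1 = 'Disabled'
    2 = 'Notify before download'
    3 = 'Download, notify before install'
    4 = 'Scheduled automatic install'
}

$ieVersion = Get-IEVersion
$auLevel   = Get-AutoUpdateLevel
$os        = (Get-WmiObject Win32_OperatingSystem).Caption

"OS:                {0}" -f $os
"Internet Explorer: {0}" -f $ieVersion
"Automatic Updates: {0} ({1})" -f $auLevel, $levelNames[$auLevel]

# Windows 7 and 8.1 can run IE 11; XP tops out at IE 8, so do not flag it for an IE 11 upgrade.
if ($ieVersion.Major -lt 11 -and $os -notmatch 'XP') {
    "Action: this host can run IE 11; Microsoft recommends updating to it."
}
if ($auLevel -ne 4) {
    "Action: Automatic Updates is not set to install automatically; this patch will not arrive on its own."
}

# Optional: confirm the specific update once its KB number is known.
# The article does not give the KB number, so this is a placeholder.
# Get-HotFix -Id 'KB<placeholder>' -ErrorAction SilentlyContinue
```

Run it in an elevated PowerShell session; on Windows XP it needs PowerShell 2.0 installed. A host that reports a NotificationLevel other than 4 should be patched by hand, because the automatic delivery the Microsoft quote relies on will not happen there.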

Meanwhile, as Microsoft was fixing the bug, FireEye discovered another exploit that used the same vulnerability but targeted Internet Explorer 8. That means that, although there is now a patch, the security firm is seeing "live attacks" against Windows XP computers, which, apart from this patch, no longer receive fixes from Microsoft.

Robert Hansen, the vice president of WhiteHat Security's advanced technology group, said that he was surprised at the visceral reaction that the US and UK governments, as well as many individuals, had to the vulnerability.

"The bug itself was really bad, of course, but it was surprising to see such a knee-jerk reaction from the community, telling people to switch from Internet Explorer," he said. "All browsers have had similar issues in the past, and never received that sort of general warning."

Update at 6:25 p.m.: adds details on the Windows XP-specific attack and comment from Robert Hansen.