Feeds

Microsoft: You know we said NO MORE XP PATCHES? Well ...

IE vuln forces rethink on mercy bullet for elderly OS support

Internet Security Threat Report 2014

Microsoft has released patches for the latest critical security vulnerability plaguing Internet Explorer, including for Windows XP – despite months of claiming that it would never release another patch for the outdated OS past April 8 of this year.

According to a blog post by Microsoft's general manager of Trustworthy Computing, Adrienne Hall, Redmond only relented on its threat to leave XP users twisting in the wind because vulnerability CVE-2014-1776 was disclosed so soon after the patch cutoff date.

"Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we've decided to provide an update for all versions of Windows XP (including embedded), today," Hall wrote. "We made this exception based on the proximity to the end of support for Windows XP."

Whatever Microsoft's excuse, the decision is still an about-face. Back in September, the software giant was the first to warn that any bug discovered in XP after April 8 would essentially be "a 'zero day' vulnerability forever."

Change of heart ... Adrienne Hall

Now Redmond is going as far as to let us know that the patches went live at 10am PDT (5pm GMT) and that customers who don't have automatic updates enabled should hop on over to Windows Update and click "Check for Updates," like, nowish – despite the fact that Microsoft claims the vulnerability really isn't much of a big deal.

"The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown," Hall wrote.

This, despite warnings from independent security experts – including UK and US government agencies – that Windows users should stay off IE altogether until Microsoft issues a fix.

What's more, Hall added, "Just because this update is out now doesn’t mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer."

Not that that would have done you much good before today. The bug that Thursday's patch fixes allows remote code execution – meaning it could let an attacker gain control of your system – and it affects all versions of Internet Explorer from 6 through 11, so even those running Microsoft's newest OS and browser should get a-patchin'.

When El Reg asked whether Thursday's patch was an indication that we can, in fact, expect future security updates for Windows XP, a Microsoft spokesperson pointed us to Hall's blog post but otherwise declined to comment. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.