Critical IE Vulnerability Patch Includes Support For End-Of-Life XP

May 05, 2014 | Heroix Staff

On April 26, FireEye reported a vulnerability in Internet Explorer versions 6 through 11 that was being actively exploited against IE versions 9 through 11. On April 28 the US Computer Emergency Readiness Team (US-CERT) recommended either applying Microsoft's suggested mitigations or switching to a different browser until Microsoft had a patch available. Given the publicity around the problem, and the ease with which users can switch browsers, this was obviously a high priority for Microsoft.

Microsoft normally issues patches on the second Tuesday of every month (Patch Tuesday) but makes exceptions for critical issues. In Security Advisory 2963983, Microsoft announced that an out-of-band patch would be released at 10 AM PDT on May 1. The resulting release, Security Update for Internet Explorer (2965111), covers every affected IE version on Windows versions ranging from XP through Windows Server 2012. If you use patch management software rather than letting Windows update automatically, it will show up as Critical Security Update (KB2964358), with KB2929437 as a prerequisite for IE 11.
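A quick way to find hosts that still lack the update, as an added example that is not code from the original post or from Microsoft: the script below checks each host for KB2964358 and, on IE 11 hosts, for the KB2929437 prerequisite, so you know which machines need the prerequisite installed first. The host list, the script name and the inventory file in the usage line are assumptions; the hotfix IDs and registry key are the real ones.

```powershell
# Added example, not code from the original post or from Microsoft: report
# which hosts still lack the out-of-band IE update (KB2964358) and, on IE 11
# hosts, whether its prerequisite (KB2929437) is installed. The default host
# list is an assumption; replace it with your own inventory.
param(
    [string[]]$ComputerName = @('localhost')
)

$Patch        = 'KB2964358'   # Security Update for Internet Explorer (2965111)
$Prerequisite = 'KB2929437'   # must be installed first on IE 11

foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering, which lists updates
        # installed through Windows Update or WSUS. Treat it as a first-pass
        # check, not a replacement for your patch-management console's report.
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     ForEach-Object { $_.HotFixID }

        # Read the IE version through the Remote Registry service, which XP
        # has while it lacks WinRM by default. IE 10 and 11 record their real
        # version in svcVersion and leave Version at 9.x, so prefer svcVersion.
        $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
        $ieKey = $hklm.OpenSubKey('SOFTWARE\Microsoft\Internet Explorer')
        $ieVersion = $ieKey.GetValue('svcVersion')
        if (-not $ieVersion) { $ieVersion = $ieKey.GetValue('Version') }
        $ieMajor = [int]($ieVersion.Split('.')[0])

        if ($installed -contains $Patch) {
            $status = 'Patched'
        } elseif ($ieMajor -ge 11 -and $installed -notcontains $Prerequisite) {
            $status = "Missing $Prerequisite (install first), then $Patch"
        } else {
            $status = "Missing $Patch"
        }
    } catch {
        # Unreachable host, no admin rights, or Remote Registry stopped.
        $ieVersion = $null
        $status    = "Error: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        Computer  = $computer
        IEVersion = $ieVersion
        Status    = $status
    }
}
```

Run it as an account with administrative rights on the targets, for example `.\Check-IEPatch.ps1 -ComputerName (Get-Content hosts.txt) | Format-Table -AutoSize` (script and file names assumed). Both WMI and the Remote Registry service must be reachable on each host; a host that reports an error has not been verified either way and should be checked by hand.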

The patch suite contains a separate package for each supported combination of Windows version and IE version. Because some customers had purchased paid extended XP support, Microsoft had to build an XP version of the patch anyway, but it only needed to distribute that build to those customers. Given the effort Microsoft spent conveying the dangers of running XP without support, it was surprising that it provided the patch to all XP systems for the first big security bug to hit after the April 8, 2014 cutoff date. The rationale given in a Microsoft blog post was:

  • We made this exception based on the proximity to the end of support for Windows XP.

This rationale makes sense to me: the bug already existed and was being exploited when XP support ended, even though FireEye reports the attacks targeting IE 9, 10 and 11 rather than the IE 6, 7 or 8 that run on XP. The vulnerable code is still present in those older versions, so an argument can be made for patching a pre-existing, high-profile vulnerability.

An argument can also be made that customers running XP are still potential Windows 7, 8, or later customers, and alienating them would be counterproductive at a time when Apple is lowering prices, Google is running the cloud back end for inexpensive Chromebooks, and free Linux distributions can be installed on XP hardware. Users running unsupported XP have a temporary reprieve, but this was a highly publicized vulnerability that should have them thinking about the next one, which will not be so close to the end of XP support and will not get a patch.