Following the discovery of a critical, 0-day vulnerability affecting all versions of Internet Explorer, Microsoft has decided to release an emergency update that addresses the security issue. The patch has been issued for all of Microsoft's recent operating systems including Windows XP, despite the fact that all support for the 13-year-old OS ended on April 8.
The update has been released outside of Microsoft's usual Patch Tuesday schedule due to the seriousness of the vulnerability. Reports indicate that the flaw is currently being exploited in the wild, and, as it affects Internet Explorer 6 through 11, more than one quarter of all internet users are vulnerable.
The 0-day vulnerability could give an attacker full user rights on the victim's PC, allowing them to install malicious programs, access and delete data, or steal sensitive information. A user would simply have to load a booby-trapped website that exploits the flaw in Internet Explorer for the attacker to gain access.
Even though the security flaw has potentially dire consequences, and it's currently being exploited in the wild, Microsoft's Adrienne Hall downplayed the issues. "The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown," she said in a blog post. "[This] is not to say we don’t take these reports seriously. We absolutely do."
The choice to patch Windows XP alongside newer and much more secure operating systems like Windows 8.1 and Windows 7 is an interesting one. On the one hand, Microsoft has a responsibility to patch flaws that could seriously affect users of its operating systems. On the other, Microsoft has reduced the incentive to depart the outdated and insecure OS, which users have had more than 7 years to do.
Will this be the final patch for Windows XP, or can we expect more down the track?