Microsoft Issues Internet Explorer FixIncludes an Update for Windows XP Users
Microsoft on May 1 issued a fix for the Internet Explorer vulnerability that could allow hackers to gain control of a user's computer (see: DHS Says Stop Using Internet Explorer). Although Microsoft announced earlier it would no longer support its Windows XP operating system, "we have made the decision to issue a security update for Windows XP users [as well]," the company says.
"Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1," says Dustin Childs, group manager for Microsoft Trustworthy Computing. "Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11" (see: End of XP Support: Are Banks Really Ready?).
Microsoft says a majority of its customers have automatic updates enabled and won't need to take any action because the Internet Explorer protections will be downloaded and installed automatically. "For those manually updating, we strongly encourage you to apply this update as quickly as possible following the direction in the released security bulletin," Childs says.
For administrators and enterprise installations, Microsoft recommends that customers apply the update immediately using update management software.
The security update resolves a vulnerability in Internet Explorer versions 6 through 11 that could allow hackers to gain control of a user's computer after it's been infected with malware.
"The vulnerability could allow remote code execution if a user views a specially crafted webpage using an affected version of Internet Explorer," the security bulletin says. "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
The exploit of the vulnerability by hackers was first identified by security firm FireEye, which outlined the vulnerability in an April 26 blog post. The company says the exploit is significant because the vulnerable browsers "represent about a quarter of the total browser market."
Reactions to the Fix
Avivah Litan, fraud analyst at the consultancy Gartner, says providing the update for Windows XP users was the responsible thing for Microsoft to do, especially given public pressure. "This was a very serious vulnerability," she says. "If [Microsoft] hadn't patched it for XP, they were basically leaving those users high and dry. It may be much harder to end XP support than they thought it would be."
Organizations need to carefully weigh how they'll apply the patch, says Alan Brill, senior managing director at security advisory firm Kroll Solutions. "My view is that unless you are operating XP in a unique situation - like in an embedded system in an ATM or process control system where the patch can cause a loss of functionality - the advice to patch is probably good advice, but every organization has to make that decision and take responsibility for it," he says.
Christopher Paidhrin, security administration manager at PeaceHealth, a healthcare provider in the Pacific Northwest, recommends organizations first deploy the fix to a limited subset of systems to make sure the patch doesn't break an essential business service or IE-based application.
"Second, test the fix with specific use-case processes and validate the findings," he says. Organizations should then push the fix into the environment and review how the update went for continuous process improvement, he adds.
Automatic updates available from Microsoft won't mitigate all the risk to healthcare organizations whose medical devices are connected to networks that might have been exposed to the exploit, adds Mike Ahmadi, global director of medical security at Codenomicon, the software testing firm that discovered the recent Heartbleed bug. Device makers disable automatic updates, so fixes have to be made manually, he says. And any patches of medical devices have to be carefully validated to make sure they don't impede functionality.
Organizations must be prepared to deal with other online vulnerabilities as they emerge, Brill adds. "Organizations that don't recognize that - and treat each incident as a separate crisis - are likely to expend more effort going through the incidents than those that develop an incident management strategy," he says (see: Internet Explorer Bug: Steps to Take).