XP Systems Getting Emergency IE Zero Day Patch
msm1267 (2804139) writes "Microsoft announced it will release an out-of-band security update today to patch a zero-day vulnerability in Internet Explorer, and that the patch will also be made available for Windows XP machines through Automatic Update. At the same time, researchers said they are now seeing attacks specifically targeting XP users.
Microsoft no longer supports XP as of April 8, and that includes the development and availability of security updates. But the about-face today speaks to the seriousness of the vulnerability, which is being exploited in limited targeted attacks, Microsoft said. Researchers at FireEye, meanwhile, said multiple attackers are now using the exploit against XP machines, prompting the inclusion of XP systems in the patch."
WTF (Score:1, Interesting)
Patching a dead OS just confuses users. No, really, this OS is dead except sometimes.
Re:just kill them already (Score:4, Interesting)
There are a lot of people out there who may not be able to afford better hardware, or a copy of Windows 7. Given a choice between a roof over the head versus an upgrade of Windows, I'm sure not many would choose homelessness.
Then there is the fact that a lot of XP systems cannot be upgraded, and are part of an embedded system. A friend of mine has a $9000.00 sewing machine that runs XP, and if one tries to stick W7 on it, it won't have the drivers to move the embroidery head.
Then there is software that requires XP to function. Another friend of mine has a CNC mill for 2D wood carving that he copies data to a full size PCMCIA card. The reader/writer on the computer will not work with Vista or newer, and it won't work in a VM, so it is XP or nothing.
People don't -want- to run XP... but a lot have to. Just like the guy who drives the 10 year old Honda Civic. It isn't because he is in love with the car, but that he can't afford a new car, or he has other priorities.
Re:just kill them already (Score:5, Interesting)
XP is used in many commercial products which cannot easily be replaced by the end user. For example: http://rightfast.com/index.php... [rightfast.com]
I'm going to go out on a limb here and say that there's nothing wrong with XP in an embedded environment (such as in a bank's ATM). Exploits in most operating systems are almost always related to application-level attack surfaces, such as IE and Flash (as was this particular vulnerability). In a point of sale unit, there is no one surfing the web with the browser. As long as the front-facing application and hardware are properly locked down, there should be no problems. Note that Target's POS data breach was NOT done through the machines themselves, but through the backend network itself. Granted, lack of address space randomization makes it an easier target, but note carefully that the exploit discussed in the article was available on ALL platforms and IE versions, not just XP/IE6.
Where a company or user will get into trouble is if they're using Windows XP + IE6 in a user-controlled, internet-facing computer. And let's be clear here, it's been IE6 and not really XP that was the problem since the latest patches and the firewall was turned on by default. If they rely on IE6, then there's a good bet that they also rely on Flash or a Java plugin as well, and that's just tripling your attack surface, especially if they're not kept up to date as well for reasons of compatibility or laziness.
There's sort of a media feeding frenzy about Windows XP and its end-of-life. Yes, people should move on to a supported OS as soon as it's practical, but XP users can greatly reduce their risk simply by using up-to-date applications. Use Chrome or Firefox when browsing, and if possible remove Flash and Java (I actually removed Flash about half a year ago for security reasons, and found that, for the most part, I don't really need it anymore). Note that this exploit was performed with the help of Flash as well - nothing to do with XP.
Re:There should be only two options (Score:5, Interesting)
So you're saying that Dodge should be obligated to release all intellectual property associated with, say, the Magnum. Even though that same technology is used in their other vehicles. Or Sony should release everything associated with the Playstation 3 and before. I don't think you've thought this through. If a product is ultimately superseded by a different product, and thus discontinued, the manufacturer should not be obligated to release anything.