OFFICIAL SECURITY BLOG
April 28, 2014 | BY Jérôme Segura
We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.
Security researchers have discovered a new vulnerability affecting Microsoft Internet Explorer from version 6 to 11 on practically all the different Windows operating systems, including the latest, Windows 8.1.
The advisory does not mention Windows XP in the list of systems affected, since it has officially been retired and is no longer supported.
But since Internet Explorer 6, 7 and 8 are also exploitable, this Zero-Day is bad news for everyone, and even more so for XP users, who will not receive a patch from Microsoft.
Details on the vulnerability are still scarce, but security firm FireEye says that this is another move from the same gang that already exploited use-after-free vulnerabilities in targeted attacks.
To mitigate this attack, users have several options:
This is the first ‘official’ Zero-Day post Windows XP’s End of Life and it certainly won’t be the last.
While, as far as we know, this Zero-Day has only been used in very targeted attacks, you can count on seeing it integrated into an exploit kit very soon, meaning wide distribution to potentially millions of computers.