Microsoft issues fix for IE zero day on Windows, XP included

[geeteam]

At 10 AM Pacific time on Thursday, Microsoft will release an update to address the zero day vulnerability recently disclosed in all versions of Internet Explorer. The advance notification of the update lists Windows XP as among the affected platforms, indicating that it will be among the platforms patched, in spite of its support period ending weeks ago.

Adrienne Hall, General Manager, Microsoft Trustworthy Computing stated "[T]he security of our products is something we take incredibly seriously. When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers."

Users with Automatic Updates enabled do not have to do anything, although running Windows Update will apply the fix immediately.

In a blog entry, Hall explains Microsoft's approach, which mostly is to urge users to move on from Windows XP. The company decided to move quickly when they were made aware of this vulnerability and to patch Windows XP because of the proximity to its end of support period.

Further information on the update may be found at KB2964358. Among the advice there, IE will crash if you install the update on a Windows 7 system whch does not have KB2929437 installed. If you use Windows Update these determinations and appropriate installations will be made automatically. Otherwise, follow the instructions in KB2964358.

Source

[CODYQX4]

.

Edited April 28, 2019 by CODYQX4

[Paquini]

It doesn't install in my PC, It says it's not necesary 1 actualization. but the actualization persists appearing.

Edited May 1, 2014 by Paquini

[Arizin]

Oh Still releasing patches for XP, typical MS they just can't rid of their unsupported OS.

XP users must try either Chrome or Firefox.

[dcs18]

No issue, here on a full and clean install of Windows 8.1 Update.

[anuseems]

Microsoft shipped an emergency update for Internet Explorer to close a hole that hackers had already been exploiting, and in an unexpected move, allowed Windows XP machines to receive the update.

From Computerworld:

Microsoft today shipped an emergency update for Internet Explorer to close a hole that hackers had already been exploiting.

But in an unexpected move, Microsoft allowed Windows XP machines to receive the update, even though it had long held that the 13-year-old operating system had absolutely, positively retired on April 8.

"I'm surprised they went out-of-band at all," said Andrew Storms, director of DevOps at security company CloudPassage, using the term for an emergency update outside the normal monthly patch cycle Microsoft maintains. "While there was a lot of talk about this zero-day, it was mainly focused on the XP angle.

http://www.computerworld.com/s/article/9248061/Microsoft_makes_one_time_exception_patches_IE_on_Windows_XP

Edited May 2, 2014 by anuseems

[jilowjacob1990]

Oh Still releasing patches for XP, typical MS they just can't rid of their unsupported OS.

XP users must try either Chrome or Firefox.

Well said.Ms should really stop supporting it.

In a blog entry, Hall explains Microsoft's approach, which mostly is to urge users to move on from Windows XP

urge users to move on from Xp to vista,win7,win 8 or maybe linux.And according to super fanboys force users to move on from Xp to 8 and only 8.

Btw what are the sons aka super fan boys of MS gonna do now? Start cursing papa for this Xp patching.They have been trying hard (using every means) to push users towards the win 8 but MS made it more dificult for them this time.

Did MS try to force/push something with win 8 that made it unacceptable to lot of users?It could very well be the reason for small userbase of win 8 as compared to win 7 or even Xp. All users are not pirates.A lot of users and organisations pay for the OS and it is a fact that no one likes to spend on bad goods.

[MidnightDistortions]

Either support Windows XP or do not at all, MS's new slogan is let's kill XP and stop updating it but we'll update when :shit: hit's the fan. At least i'll have an idea that W7 will still be supported long after MS says they won't support it anymore. By that time i will have fully migrated to Linux.

[OldGeek44]

I downloaded the KB2964358 file. It is supposed to be for XP Pro 32 bit and IE8. I have this and ie8.06.101.18702. When I run the patch it says my IE is the wrong version. Anyone know what could be wrong?

[dcs18]

I downloaded the KB2964358 file. It is supposed to be for XP Pro 32 bit and IE8. I have this and ie8.06.101.18702. When I run the patch it says my IE is the wrong version. Anyone know what could be wrong?

Microsoft seems to be toying with XP . . . . . . . . . . . . . . . . . . . . . again. :(

[Sos Gomes]

its better if xp is kept as one of dual botting OS only.Dont use internet explorer on XP OS when connecting to internet & always use a good antivirus & internet security software.Kindly read below review

Hackers ZERO IN on ZOMBIE XP boxes: Get patching, Internet Explorer 8 users Multi-pronged malfeasance targets gov, energy, finance

A newly uncovered attack specifically targeting out-of-support Windows XP machines running Internet Explorer 8 is being used to hack potential victims in multiple industries across Europe and North America, according to security researchers.

This is the first “in the wild” attack spotted against Windows XP after Microsoft pulled the life support last month. It was severe enough to prompt Redmond into releasing an emergency, unscheduled patch on Thursday.

The same MS14-021 bulletin also covers critical patches for multiple versions of Windows (including Windows 7 and 8) and the latest versions of IE, so it's not just a problem for those running legacy software.

According to security firm FireEye, multiple hacking crews are using the vulnerability to target government and energy sector organisations in the US and Europe. Firms in finance and defence are also in the firing line of attacks based an the vulnerability.

"We have seen multiple threat actor groups are now adopting this exploit," a FireEye spokeswoman explained.

FireEye initially said the vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11, and noted that the approach circumvented Redmond's built-in security preventions (ASLR and DEP) when it first warned about the flaw on 26 April.

It only mentioned the Windows XP element to these so-called "Operation Clandestine Fox" attacks after MS released the emergency fix on 1 May.

Despite its undead status many organisations still make heavy use of Windows XP in their computing infrastructures. For example, an estimated three quarters of UK businesses are still running XP despite the end of XP support. ®

Source:http://www.theregister.co.uk/2014/05/02/cyberspies_throw_ie_0day_against_win_xp/

[Sos Gomes]

Read another review

Microsoft: You know we said NO MORE XP PATCHES? Well ... IE vuln forces rethink on mercy bullet for elderly OS support

Microsoft has released patches for the latest critical security vulnerability plaguing Internet Explorer, including for Windows XP – despite months of claiming that it would never release another patch for the outdated OS past April 8 of this year.

According to a blog post by Microsoft's general manager of Trustworthy Computing, Adrienne Hall, Redmond only relented on its threat to leave XP users twisting in the wind because vulnerability CVE-2014-1776 was disclosed so soon after the patch cutoff date.

"Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we've decided to provide an update for all versions of Windows XP (including embedded), today," Hall wrote. "We made this exception based on the proximity to the end of support for Windows XP."

Whatever Microsoft's excuse, the decision is still an about-face. Back in September, the software giant was the first to warn that any bug discovered in XP after April 8 would essentially be "a 'zero day' vulnerability forever."

Change of heart ... Adrienne Hall

Now Redmond is going as far as to let us know that the patches went live at 10am PDT (5pm GMT) and that customers who don't have automatic updates enabled should hop on over to Windows Update and click "Check for Updates," like, nowish – despite the fact that Microsoft claims the vulnerability really isn't much of a big deal.

"The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown," Hall wrote.

This, despite warnings from independent security experts – including UK and US government agencies – that Windows users should stay off IE altogether until Microsoft issues a fix.

What's more, Hall added, "Just because this update is out now doesn’t mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer."

Not that that would have done you much good before today. The bug that Thursday's patch fixes allows remote code execution – meaning it could let an attacker gain control of your system – and it affects all versions of Internet Explorer from 6 through 11, so even those running Microsoft's newest OS and browser should get a-patchin'.

When El Reg asked whether Thursday's patch was an indication that we can, in fact, expect future security updates for Windows XP, a Microsoft spokesperson pointed us to Hall's blog post but otherwise declined to comment. ®

Source:http://www.theregister.co.uk/2014/05/01/internet_explorer_patch/

[OldGeek44]

I downloaded the KB2964358 file. It is supposed to be for XP Pro 32 bit and IE8. I have this and ie8.06.101.18702. When I run the patch it says my IE is the wrong version. Anyone know what could be wrong?

FYI...

I fixed it! It seems MS defaults the XP 32 bit/ie fix to ie 6! I looked again...same KB number but a larger file this time and it now says ie 8. I tried it and it ran fine!