InformationWeek, Michael Endler
XP users shouldn’t expect additional support from Microsoft, despite its heroic last-minute security update for Internet Explorer.
Many Windows XP users are no doubt relieved that Microsoft decided to include Windows XP in a security update for a recently-disclosed bug — but they shouldn’t assume support will continue. Microsoft said XP remains an unsupported product, and that it made an exception to include it in this update only because the issue arose so near the operating system’s end-of-life deadline.
Microsoft began deploying the update around 1 p.m. EST on Thursday. Users who have enabled automatic updates shouldn’t need to take any action. Otherwise, users can access the update via the Control Panel’s Windows Update section. Microsoft rarely releases out-of-cycle updates like this one. Most arrive during the company’s monthly Patch Tuesday releases.
After disclosing the bug last weekend, Microsoft suggested a number of workarounds, many of which were inapplicable to XP machines. In a blog post, Microsoft Trustworthy Computing GM Adrienne Hall encouraged XP users to upgrade.
She wrote that today’s cyberthreats are too sophisticated for an operating system first released over a decade ago. Microsoft officials have repeated this message countless times in recent months, but many users remain unpersuaded; over a quarter of PC users still relied on XP in April, according to web-tracking firm Net Applications.
Attacks against XP are already ongoing, according to FireEye, the security firm that took credit for discovering the vulnerability and gave it its nickname, “Operation Clandestine Fox.”
In a Thursday blog post, the firm said it has detected a “version of the attack that specifically targets out-of-life Windows XP machines running IE 8.” FireEye said earlier attacks involved only IE 9, 10, and 11 on Windows 7 and 8. The bug affects all versions of IE from 6 to 11. The firm warned that the new method that involves XP “means the risk factors of this vulnerability are now even higher.”
FireEye said it initially observed attacks against the defense and financial sectors but has since detected campaigns against government and energy institutions as well.