It didn't take long: security experts have reported the first major zero-day vulnerability in the aftermath of Windows XP's retirement. Microsoft has confirmed that all currently supported versions of its Internet Explorer web browser are vulnerable to attack.
Cybersecurity firm FireEye was the first to report the IE bug this past weekend. In a blog post, the company said that attackers are using the vulnerability to actively attack IE versions 9 through 11, although the post specified that older versions of the browser - back to version 6 - are also at risk.
Microsoft issued a security advisory Saturday that included suggested workarounds, and the Department of Homeland Security's U.S. Computer Emergency Readiness Team (U.S.-CERT) suggested the use of alternate browsers for those who cannot use other workarounds.
That would include Windows XP users. While Microsoft could issue a patch to correct the bug, XP users would not be able to receive this update, since the company ceased security updates for XP back on April 8. The IE bug is the first major reported zero-day vulnerability post-XP, and it could have a significant impact.
As NetMarket Share reports, IE accounts for more than a quarter of the world's browser use.
How does the IE bug work?
According to FireEye, the bug exploits an IE memory flaw and leverages Adobe Flash to bypass normal security protections via a "drive-by attack". IE users who are tricked into visiting a compromised website - either by clicking a bad link in an email or downloading an attachment - could be immediately infected.
From there, hackers could gain the same user rights as the computer's actual user. If that user has full administrative rights, attackers could do a lot of damage to a machine, installing more malware or deleting data.
FireEye credits the current attacks - which it has called "Operation Clandestine Fox" - to an Advanced Persistent Threat group. APT groups are highly organized groups of cyber attackers with significant resources and funding to perpetrate attacks.
How can you protect Windows XP users (and everyone else, too)?
So if your XP machines aren't eligible for potential security patches, what can you do to protect them from these attacks?
- Recommend another browser - Google Chrome and Mozilla Firefox continue to issue security updates for XP, so a quick solution is to recommend that your XP users avoid IE altogether.
- Run IE in Enhanced Security Configuration - Microsoft says this mode will safely limit IE's exposure to this particular vulnerability.
The steps above also apply to non-XP users, but in this situation you have the advantage of knowing that Microsoft will likely issue a new security update. That could come as soon as May 13. In the meantime, use a different browser and follow best security practices.