[ISN] Emergency patch for critical IE 0-day throws lifeline to XP laggards, too

http://arstechnica.com/security/2014/05/emergency-patch-for-critical-ie-0day-throws-lifeline-to-xp-laggards-too/ By Dan Goodin Ars Technica May 1, 2014 Microsoft has released an emergency update for all recent Windows operating systems—including the recently decommissioned XP—fixing a critical security bug that is currently being exploited in real-world attacks. The decision to patch XP underscores the potential seriousness of the vulnerability. Since it resides in versions 6 through 11 of Internet Explorer, the remote code-execution hole leaves an estimated 26 percent of Internet browsers susceptible to attacks that can surreptitiously install hacker-controlled backdoors when users visit a booby-trapped website. By some measures, 28 percent of the Web-using public continues to use the aging OS, which lacks crucial safety protections built into Windows 7 and 8.1. Thursday’s release demonstrates the razor-thin tightrope Microsoft walks as it tries to wean users off a platform it acknowledges is no longer safe against modern hacks. While the XP fix may deprive some laggards of the incentive to upgrade, Microsoft also has a responsibility to prevent exploits that could turn large numbers of the Internet population into compromised platforms that attack others. Attacks grow by “multiple, new threat actors” The Microsoft patch comes as the in-the-wild attacks exploiting the vulnerability have expanded to include XP users running IE 8, researchers from security firm FireEye reported Thursday. Previously, the IE attacks FireEye observed targeted only versions 9, 10, and 11 running on Windows 7 and 8. […]