Microsoft on Sunday issued a warning about a newly discovered exploit of a security vulnerability that impacts all versions of Internet Explorer (IE) released in the last decade. And while the firm has provided a set of workarounds to help customers until a fix is released, this exploit could represent the first major security issue that will not be fixed for Windows XP, which recently exited its support lifecycle.
"Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11," a support notice on the company's web site explains. "The vulnerability is a remote code execution vulnerability ... An attacker could host a specially crafted web site that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the web site."
If you're using Windows Server versions 2003, 2003 R2, 2008, 2008 R2, 2012, or 2012 R2, then you're most likely safe: Those systems run IE in an Enhanced Security Configuration mode that mitigates the vulnerability. For the majority of systems running any client version of Windows from XP on up, the situation is more serious.
Microsoft provides a set of workarounds for dealing with the vulnerability that's responsible for the reported exploit, which include deploying the Enhanced Mitigation Experience Toolkit 4.1 (currently available only in English), setting IE's security zone settings to "High" to block ActiveX Controls and Active Scripting, running your user account with non-administrative rights, and so on.
But Microsoft will be issuing a fix. And while that fix could arrive by the next Patch Tuesday, the firm says the problem is serious enough that it's considering an "out of band" fix, meaning a fix that could appear before Patch Tuesday, outside of the normal security update release cycle.
Windows XP, in particular, is an open question. Internet Explorer 6 was released with Windows XP in October 2001, and Internet Explorer 8—which dates back to 2009—is the most recent version that works on that now unsupported OS. Since any patch would be tied to the OS, it's unclear whether Microsoft will stick to its guns and decline to fix this issue on that OS, at least for those customers that are not paying for expensive extended support contracts.
Microsoft's support notice doesn't mention Windows XP, though it does mention IE 6 on Windows Server 2003 with Service Pack 2. This suggests that the firm has no intention of fixing the issue on Windows XP.
The good news? According to security experts, the issue is actually most serious on newer versions of IE, including the IE 9, 10 and 11 versions that will not even run on Windows XP. And of course, Windows XP users can and should of course use more modern and supported browsers, such as Google Chrome or Mozilla Firefox.