The zero-day exploit that has recently made the rounds in Internet Explorer is getting a security update that includes a surprising twist.
Microsoft delivered an out-of-band security update to address the remote code execution vulnerability affecting IE. The security update also includes Windows XP, an unexpected move since Windows XP support ended last month.
Microsoft has repeatedly encouraged its Windows XP customers to upgrade to a supported version of Windows. This update prolongs what many security researchers see as inevitable.
"We think of XP becoming very un-defendable in the very near future," said Wolfgang Kandek, chief technology officer of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif., in an interview last month.
Could this be the start of a trend of continued support in extraordinary circumstances?
"Yes, now that the precedent has been set it will be discussed each time a very public exploit makes the rounds," said Kandek in an interview Friday. "I don't think it will make organizations complacent to move off XP, the pressure is still on, as one cannot count on wide coverage by Microsoft anymore."
Microsoft addressed the vulnerability in a recent security advisory, saying each version of IE was at risk. The vulnerability gave attackers the potential to execute code by the way the vulnerability could corrupt memory. Attackers could exploit the vulnerability by creating a malicious website and convincing end users to visit it.
The zero-day vulnerability first came to light in attacks that were seen on IE versions 9 through 11, but older IE versions running on Windows XP machines were seen as potentially vulnerable if there were future attacks.
Most end users can automatically download and install the security update if they have Automatic Update enabled. End users should apply the update as quickly as possible to prevent attacks, Microsoft said.