With the early-April retirement of Windows XP from official support, Microsoft appeared to have finally moved on from the aging operating system and its myriad of security weaknesses. However, the recent zero-day flaw discovered in Internet Explorer has brought XP – and Windows more generally – back into the spotlight.
Internet Explorer exploit the first major cybersecurity issue for Windows XP holdouts
"Infinite zero-days" were predicted in the run-up to XP's retirement, and this Internet Explorer exploit looks like the start of what could be a painful road ahead for XP holdouts. The vulnerability is present in all versions of Internet Explorer and in all editions of Windows except Server Core, although the in-the-wild attack that brought it to light targets only Internet Explorer 9, 10 and 11 and seems to require that Adobe Flash be installed on the targeted machines.
According to Trend Micro's research, the issue is that remote attackers can force the execution of arbitrary code by taking advantage of how Internet Explorer accesses objects in memory that have been deleted or not properly allocated.
Affected users are directed to special websites via social engineering. After that, an embedded Flash file bypasses the data execution prevention and address space layout randomization safeguards, ultimately giving attackers the same permissions as a currently logged-in user. Accordingly, cybercriminals have to go after individuals with administrator privileges in order to do the most damage possible.
The permissions issue is not so bad on more recent versions of Windows, on which only one user among many is typically enabled as administrator. The problem is with XP and its antiquated approach to user rights. Essentially, everyone who is logged in on an XP machine is likely to be an administrator, meaning that successful exploitation of Internet Explorer on the OS puts the entire system at risk.
Fortunately, XP users may be able to reduce their exposure by simply using another browser, such as Mozilla Firefox or Google Chrome, neither of which contains the same vulnerability. The U.S. Department of Homeland Security has gone so far as to recommend this step.
"US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds," the department said in a statement. "Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser."
Users should be in the clear by making this simple switch then, right? Not entirely. Internet Explorer was once deeply interwoven with the Windows core. For example, Microsoft Office used to rely on Internet Explorer to render HTML in documents. In other words, Windows XP expects Internet Explorer to be on hand to perform certain tasks, demonstrating one of the many reasons why the 13-year-old OS is such a security liability.
"The bug is within vgx.dll, which is a library used for handling vector markup language and technically could be used by applications other than just Internet Explorer," stated Andrew Storms, senior director of DevOps at CloudPassage, according to PC World. "In theory, there could be other attack vectors outside of IE, but the likelihood of the attacker making use of those avenues is low."
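Since the library named above can be reached by more than the browser, the workaround Microsoft's advisory documented for this bug was to unregister vgx.dll until the patch is installed. The batch script below is an added example, not code from the article or from Microsoft; it assumes the default 32-bit install path for the library and must be run from an administrator command prompt.

```batch
@echo off
rem Added example: unregister vgx.dll (the VML handler) as an interim
rem mitigation, and re-register it once the fix is installed.
rem Assumption: the library sits at the default 32-bit location.
setlocal
set "VGX=%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

if not exist "%VGX%" (
    echo vgx.dll not found at "%VGX%"; nothing to do.
    exit /b 0
)

if /i "%~1"=="restore" (
    rem Re-register the library after the patch has been applied.
    "%SystemRoot%\System32\regsvr32.exe" /s "%VGX%"
    if errorlevel 1 (echo Re-registration failed & exit /b 1)
    echo vgx.dll re-registered.
    exit /b 0
)

rem /u unregisters the COM server; /s suppresses the confirmation dialog.
"%SystemRoot%\System32\regsvr32.exe" /s /u "%VGX%"
if errorlevel 1 (
    echo Unregistration failed; confirm this prompt has administrator rights.
    exit /b 1
)
echo vgx.dll unregistered. VML content will not render until "%~nx0 restore" is run.
endlocal
```

Unregistering the library disables VML rendering system-wide, so the restore step belongs in the same change ticket as the patch deployment.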
Was it a mistake to patch Windows XP after support ended?
To its credit, Microsoft moved quickly and issued a patch, surprisingly including XP in the addressed OSes despite the recent discontinuation of support. Was the company right to extend a lifeline to individuals and organizations that have yet to move on to Windows 7 or another safer platform?
The answer isn't straightforward. Certainly, anyone with the power to do so should have already upgraded to a newer version of Windows, since no amount of patching will ever make XP as secure as its successors. Plus, Microsoft extended the XP deadline much longer than anyone could have expected in 2001, with Windows Vista, 7, 8 and 8.1 all having come to market in the time that XP remained on mainstream support.
On the other hand, abandoning XP and its substantial market share (the OS still accounted for more than one-quarter of Windows instances in April 2014) would leave significant parts of the Internet vulnerable to attack. Literally millions of PCs would be susceptible to exploits that could enlist them into botnets and automated attacks.
Microsoft justified its decision by noting that the issue arose in close proximity to the end of XP support. That's fair, but where will it draw the line if – and when – issues arise down the line?
In particular, creating a secure Web browser requires continuous attention and maintenance, not just one-off fixes. Internet Explorer is included in almost all of Microsoft's Patch Tuesdays, and other browsers such as Firefox and Chrome are updated with similar regularity, underscoring the fact that these applications are real magnets for attacks. Fixing Internet Explorer for XP users this one time won't make their browser or their operating system more secure over the long run, since true security is a moving target.
Continuing to make exceptions for XP could also give holdouts a false sense of safety, as they feel that they may be able to deal with minor issues on their own, while receiving special patches for the big ones. The Internet Explorer bug isn't likely to be the last of its kind, and it will be telling to see how the next one is handled.
"People using Windows XP are going to be exploited through known but unpatched vulnerabilities," argued Peter Bright for Ars Technica. "That is what the end of support means. That is its unavoidable consequence. For as long as Windows XP has a substantial number of users, there will be calls for 'one more patch' to be released. There's nothing special about this latest flaw that warrants special treatment."
But for users that cannot, for whatever reason, move on from XP, there are still viable options. Virtual patching can buy IT administrators time while they wait for a real patch – it blocks traffic that is trying to exploit an identified vulnerability. More specifically, Trend Micro Deep Security can even patch unsupported applications, and it has done so for Windows 2000.