Microsoft today announced it will deliver five security updates to customers next week, two tagged as "critical," including one that will quash the open vulnerability in Internet Explorer (IE) that hackers have been exploiting since January.
Four of the five updates will affect Windows XP, the nearly-13-year-old operating system that Microsoft plans to retire from patch support on April 8. After next week's Patch Tuesday, Microsoft has just one more chance to fix flaws in the aged OS before it pulls the plug.
One of the two critical updates patches all versions of IE, including the even-older-than-XP IE6, as well as the newest IE11, which runs only on Windows 7, Windows 8 and Windows 8.1.
On the client editions of Windows, the IE fix — dubbed "Bulletin 1" in today's advance notification — was rated critical, Microsoft's most serious threat rating, for all versions of the browser.
Two weeks ago, Microsoft confirmed at least one vulnerability in IE9 and IE10 after security company FireEye found attacks targeting current and former U.S. military personnel who visited the Veterans of Foreign Wars (VFW) website. Another security vendor, Websense, reported that it had found an exploit leveraging the same IE bug on the website of a French aerospace association, GIFAS (Groupement des Industries Francaises Aeronautiques et Spatiales), whose members include defense and space contractors.
Websense cited evidence that exploits had been in circulation as early as Jan. 20, 2014.
Later, Aviv Raff, chief technology officer at security firm Seculert, contended that the attacks uncovered by FireEye and Websense were the work of two hacker groups.
Although Microsoft today continued to characterize the attacks as limited in scope, Symantec begged to differ last week. The California antivirus vendor said its telemetry showed that attacks against IE were "expanding to attack average Internet users" at the time.
Three other Windows updates will affect XP, one rated critical and the other pegged as "important" on Microsoft's four-step scoring system. Bulletin 2, the update marked critical, could be used by attackers to hijack a PC running any flavor of Windows, including XP, except for Windows RT, the scaled-back touch-first sibling that powers Microsoft's Surface RT and Surface 2 tablets.
The updates for Windows XP, including the one for IE6, IE7 and IE8, the browsers that run on the aged platform, will likely get much of the attention next week as XP will then be just one month from retirement. After April 8, Microsoft will not ship patches for known XP vulnerabilities, even critical flaws, to the general public. It will, however, provide critical updates to major customers who have paid for an extra-extended form of support, which costs about $200 per PC for the first year of coverage, then climbs each additional year.
Sign up for CIO Asia eNewsletters.