Security expert warns that XP users need to change their browsers or upgrade

May 23, 2014 11:34 GMT  ·  By

HP’s Zero Day Initiative has disclosed an unpatched flaw in Internet Explorer 8, the newest version of the browser available on older editions of Windows, including the retired Windows XP, which no longer receives updates or security patches from Microsoft.

Microsoft has confirmed the flaw in a statement sent to us today, but security experts are warning that, even once the company ships a patch, Windows XP machines will receive none of it and will remain exposed.

Wolfgang Kandek, CTO of Qualys, said in a statement today that replacing Internet Explorer with a different browser is the quickest workaround for anyone still running Windows XP, although he stresses that moving to a supported version of Windows is the only real fix.

“Of course, if you still run Windows XP, you will be exposed forever. Switching to a different browser until you can migrate from that OS is probably a good idea,” he says.

Kandek also notes that Microsoft has most likely had a patch ready for some time: the company was first notified of the Internet Explorer 8 vulnerability in October 2013, but appears to have postponed the fix in favor of other, publicly disclosed security flaws that affected a wider range of users.

The open question is why Microsoft has needed so long to address this vulnerability, and why it would hold back a patch that, according to Kandek, probably already exists.

“After 6 months Microsoft no doubt has developed a patch for the issue. However, it seems its release was delayed due to the short-term nature of May’s IE patch (MS14-029), which was specifically engineered to address a vulnerability in use in the wild that was detected by Google’s security team. That release took priority over the normal, scheduled release and got Microsoft into this situation with ZDI,” Kandek pointed out.

In practical terms, if your Windows installation supports a version of Internet Explorer newer than 8, upgrading the browser now is a sensible precaution, since it removes the vulnerable version before a working exploit appears. Windows XP users do not have this option: Internet Explorer 8 is the last version Microsoft shipped for that OS.

Alternatively, virtually everyone, XP users included, can switch to a third-party browser, which is not affected by this Internet Explorer flaw. That addresses the browser exposure, but, as Kandek notes, an unsupported operating system remains exposed to everything else that will never be patched.

Microsoft has confirmed the issue but has given no release date for a patch. The company could ship an out-of-band update, or it could wait until the next Patch Tuesday on June 10, when other updates are already planned.