Hackers are exploiting an Internet Explorer (IE) vulnerability that was left unpatched in Windows XP on Tuesday, Microsoft and outside security experts said.
The bug, identified as CVE-2014-1815, was one of two Microsoft patched with a critical update issued Tuesday for IE6, IE7, IE8, IE9, IE10 and IE11. In the accompanying security bulletin, Microsoft noted that the vulnerability had been both known to hackers and used by them prior to yesterday's update.
"Microsoft is aware of limited attacks that attempt to exploit this vulnerability in Internet Explorer," the bulletin stated.
But because Windows XP exhausted its support privileges last month, users running the aged operating system did not receive the IE security update, as did owners of Windows Vista, Windows 7 and Windows 8 PCs.
Also on Tuesday, Microsoft reasserted that it has patched its last Windows XP bug. In the strongest signal yet that it will stick with its plan -- and that a May 1 emergency patch for IE on XP had been a one-time deal -- a company spokesman said, "The Windows XP end of support policy still remains in place moving forward."
Originally, Windows XP was bundled with IE6, but over the years users have upgraded to IE7 and then IE8, the five-year-old browser that is the newest from Microsoft able to run on XP. If XP was still supported, XP PCs would certainly have received the update.
"This is the first advisory that clearly would have applied to Windows XP," said Ross Barrett, senior manager of security engineering at Rapid7, in an email yesterday. "IE6, IE7 and IE8 are vulnerable on Windows [Server] 2003; this would historically have mapped to the same scope of XP patches, but not this time."
As Barrett noted, Microsoft's security bulletin listed Windows Server 2003 as affected by the vulnerability. The server software was patched Tuesday because its support lifespan runs until July 14, 2015.
CVE-2014-1815 is a classic "drive-by" vulnerability that can be triggered simply by duping IE users into visiting a malicious or compromised website. As soon as an unpatched Internet Explorer reaches such a site, the exploit leaps into action, immediately hijacking the PC and sticking malware on the hard drive.
Because IE6, IE7 and IE8 on Windows XP will not be patched, users will remain vulnerable to these sneaky attacks in perpetuity.
Most security professionals have urged people stuck on XP to switch to another browser, one that still receives updates: Google's Chrome, Mozilla's Firefox and Opera Software's Opera all fit that bill. According to research conducted by Computerworld, XP users can dramatically lower their risk by dumping IE.
Other vulnerabilities patched by Microsoft yesterday were also left unfixed in Windows XP. "We can assume that any vulnerability that [was] for Windows Server 2003 is applicable to XP as well. For this month, that means at least: MS12-029 (IE), MS12-024 (ASLR), and MS12-025 (Group Profile)," said Wolfgang Kandek, chief technology officer at Qualys, in an email.
Together, those three security updates patched four vulnerabilities out of the month's total of 13.
For people who cannot give up IE, Microsoft provided workarounds it said would help ward off attacks, including those aimed at the browser when it's running on Windows XP. However, the workarounds have negative side effects that may make some websites unusable, Microsoft warned. The security bulletin MS14-029 includes those workaround instructions.
Another stop-gap users can deploy is the Enhanced Mitigation Experience Toolkit (EMET), a free anti-exploit utility that works on Windows XP. EMET 4.1 can be downloaded from Microsoft's website.
CVE-2014-1815 was reported to Microsoft by Clement Lecigne, a security engineer who works for Google in its Swiss office.
Lecigne made news three months ago when he was awarded $10,000 by the Internet Bug Bounty (IBB), a new program funded by Facebook and Microsoft. IBB cut Lecigne the check for finding a critical vulnerability in Adobe's Flash Player. Lecigne donated the $10,000 to the Hackers for Charity non-profit.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is firstname.lastname@example.org.