Security experts are again urging Windows XP users to upgrade, following new attacks against Internet Explorer running on the retired operating system.
Microsoft issued a security update last week fixing the dangerous zero-day vulnerability, which impacts all versions of its browser. The Redmond, Wash.-based software giant included Windows XP users in its emergency patch release, granting an exception as it no longer supports the platform. Users are urged to apply it quickly and continue to be encouraged to upgrade the 13-year-old platform to a more modern operating system.
A newly uncovered version of the attack specifically targets end-of-life Windows XP machines running IE 8, according to Milpitas, Calif.-based FireEye. Attacks against the recently patched vulnerability are now occurring against users of IE 8 through 11 and Windows XP, 7 and 8, FireEye said.
It's not unusual for criminals to reverse-engineer patches and develop their own exploit to infect systems before the security update is applied, security experts tell CRN. Users should expect attacks against the flaw to broaden significantly, said Justin Flynn, a consultant with Chicago-based solution provider Burwood Group.
"Windows XP has had such a large install base and with the criticality of the vulnerability that they say it is, you don't want your users or your business to be caught up in this attack," Flynn said.
The initial attack campaign was first made public by FireEye April 26. It initially was extremely targeted in nature, designed to infiltrate U.S.-based organizations with ties to the defense and financial sectors. Once the campaign was uncovered, the attacks expanded to firms in the government and energy sectors as well as organizations with headquarters in Europe, said Christopher Glyer, a technical director at FireEye.
The reality is that the threats impacting users of Windows XP have outpaced Microsoft's ability to protect them, said Adrienne Hall, general manager of Trustworthy Computing at Microsoft. Businesses still holding on to the operating system should upgrade to a more modern operating system, which has improved security mechanisms to make attacks more difficult, Hall wrote in a message to customers.
"Our modern operating systems provide more safety and security than ever before," Hall said. "The latest version of Internet Explorer has increased support for modern Web standards, better performance, and expanded the ability to deliver an immersive experience from within the browser."
Windows XP was released during a time period when Nimda and Red Alert, two early computer worms, caused widespread havoc, but the threats were designed to be mischievous, not compromise the entire environment, said Greg Williams, a security compliance consultant at MMIC Group, a policyholder-owned medical liability insurer in the Midwest that operates a security services and consulting arm. A lot of small and midsize organizations hold onto systems regardless of the underlying operating system and lack of maintenance, Williams said.
"We're in an age where there are significant vulnerabilities and an organized criminal element that are targeting them in a massive scale," Williams said. "Unfortunately, too many business owners fail to take precautionary measures until it's too late."
This may be the last slow refresh cycle we see in the platform market because more organizations are embracing cloud services, which can be updated and refreshed quickly and with minimal hardware costs, said Peter Hesse, president and founder of Chantilly, Va.-based solution provider Gemini Security Solutions. The Windows XP attack surface will significantly increase over time, eventually pushing organizations to seek an upgrade or consider alternative platforms to reduce risk.
"Now that the general public is more aware of the risks that can be presented by these types of vulnerabilities, a lot of researchers are going to try to make a name for themselves by releasing information about these things," Hesse said. "We are going to continue to see these things pop up and some might be truly catastrophic and some might not pose too much risk, but the process to determine the risk exposure is going to only get trickier for organizations with Windows XP systems."
PUBLISHED MAY 5, 2014