A division within the United States Department of Homeland Security has warned against using old versions of the Internet Explorer browser, following the discovery of a security flaw that can lead to “the complete compromise of an affected system.” The flaw has led the division to advise the use of alternative browsers until Microsoft fixes the problem.
The flaw is the first major security problem found with the Windows XP operating system, which was released in 2001, since it was officially abandoned by Microsoft on April 8, 2014. The company warned Windows XP users that it would not be fixing any more problems with the software after that date — if they wish to keep their computers secure, users must use a different Web browser or upgrade their computers to a newer version of the operating system.
The problem is that Windows XP remains far more popular than many might expect. It is said to be the second-most popular desktop operating system around, even 13 years after its debut. It is used to power everything from your grandfather’s ancient computer (you know, the one with the slot for whatever the “Save” icon is modeled after) to ATMs and data servers. As long as the problem remains, those machines will be vulnerable to this attack.
The revelation comes as Microsoft works to reinvent itself by acquiring Nokia’s phone division, creating an analogue to Google’s “moonshot” division, and updating many of its products and services. Knowing that it will be blamed for problems that arise after it stopped supporting a product 13 years post-release must be a bitter pill for the company to swallow, and it comes as Microsoft struggles to create new products that will be used for a few days, let alone for over a decade.
Reactions from around the Web
Reuters reports that some hackers have already taken advantage of the vulnerability:
News of the vulnerability surfaced over the weekend as Microsoft said its programmers were rushing to fix the problem as quickly as possible. Cybersecurity software maker FireEye Inc warned that a sophisticated group of hackers have been exploiting the bug in a campaign dubbed “Operation Clandestine Fox.”
FireEye, whose Mandiant division helps companies respond to cyber attacks, declined to name specific victims or identify the group of hackers, saying that an investigation into the matter is still active.
CNN Money notes the large number of machines powered by Windows XP:
But this bug is more omnipresent than it seems. Lots of machines use Windows — bank ATMs, point of sale systems, restaurant seating tools — and Internet Explorer is their default browser. If hackers manage to send them to a bad website, that machine is now under their control. It won’t be easy, but it’s possible.
‘You don’t think of them as Windows PCs running software,’ said Paco Hope, a consultant with software security firm Cigital. He advises that businesses talk to equipment vendors to determine how vulnerable they are.
But Bloomberg Businessweek reports that many of those machines will be safe:
There are other things that could protect XP users from attacks. The vulnerability exists in a Web browser, which means that it can only be exploited if victims use that browser to visit a website designed to attack them. “An attacker would have no way to force users to visit these websites,” wrote Microsoft in a security advisory. “Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message.”
This almost certainly means that this won’t lead to the kinds of devastating attacks on ATMs some security experts wrung their hands about earlier this year. Many ATMs and other industrial computers have been built around their operating systems, making it a difficult task to upgrade to a new OS. As a result, many continue to run XP even though their makers had ample warning to switch to a newer version of Windows.