
April 28, 2014

Microsoft's Internet Explorer Web Browser Has a Security Flaw

Hole Poses Particular Trouble for Anyone Who Runs Windows XP

Updated April 27, 2014 8:18 p.m. ET
A newly discovered security hole in Microsoft Corp.'s Internet Explorer—the default Web browser for many users—could be particularly troubling for those still running Windows XP.
Microsoft on Sunday warned about a flaw affecting versions 6 through 11 of its flagship browser. The coding flaw would allow hackers to have the same level of access on a network computer as the official user, Microsoft said, which is a best-case scenario for intruders.
The company said it is aware of "limited, targeted attacks" that attempt to exploit the flaw. Microsoft didn't elaborate.


FireEye Inc., a security company that claimed credit for finding the hole, described it as part of a hacking campaign against U.S. financial and defense companies. It didn't provide further details.
FireEye said attacks have mainly been targeted at Internet Explorer 9 through Internet Explorer 11.
The bug affects the browser when used on multiple Microsoft operating systems. But the situation poses a special concern for people still using Windows XP.
The software was introduced in 2001, and Microsoft on April 8 stopped supporting XP with software updates—including security patches for the operating system and its browser. XP can run up to Internet Explorer 8.
"XP users are not safe anymore and this is the first vulnerability that will be not patched for their system," Symantec Corp. researcher Christian Tripputi wrote in a blog post for the data-security company.

Windows XP, though outdated and plagued with security flaws, still runs on some 300 million machines. Microsoft offers extended support for corporate clients still running XP, but at a hefty price.
Despite its past statements, Microsoft could decide to make an exception and issue a patch that would aid XP users. The company, based in Redmond, Wash., didn't immediately respond to a request for comment.

"On completion of this investigation, Microsoft will take the appropriate action to protect our customers," Microsoft said in a security bulletin.
Sunday's disclosure, to a certain extent, was predictable. Microsoft had publicized widely its plans to stop supporting XP, and the dire consequences for some users were well-known.
But it isn't clear whether anyone expected a major XP flaw to be found three weeks after Microsoft ended support.

Morgan Marquis-Boire, a well-known security researcher, posted a link to Symantec's warning on his Twitter account Sunday, including the phrase "*gets popcorn*" to indicate that he expects a furor to result.

Source: http://online.wsj.com/news/articles/SB10001424052702304163604579528203760439722?mg=reno64-wsj&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052702304163604579528203760439722.html


Write to Danny Yadron at danny.yadron@wsj.com