Microsoft Issues Zero-Day Patch--Even for XP

Although Microsoft officially discontinued support for XP as of April 8, the threat here would seem to be too great for it to take a hard line on not issuing a patch, considering that millions of PCs, perhaps close to a third of all PCs, still use the operating system.

Also, the original exploit, being used by a sophisticated advanced persistent threat (APT) group, targets IE9 through IE11 (which represent a quarter of the world’s internet users). However, the needle has already moved as attackers are specifically targeting XP users running IE8. It could broaden further as well, considering that the vulnerability actually affects IE6 through IE11.

“We have…observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting,” said researchers at FireEye, in a blog. “In addition to previously observed attacks against the defense and financial sectors, organizations in the government and energy sectors are now also facing attack.”

They added, “Today, FireEye Labs can reveal a newly uncovered version of the attack that specifically targets out-of-life Windows XP machines running IE 8. This means that live attacks exploiting CVE-2014-1776 are now occurring against users of IE 8 through 11 and Windows XP, 7 and 8.”

The exploit leverages a previously unknown use-after-free vulnerability and uses a well-known Adobe Flash exploitation technique to achieve arbitrary memory access and bypass Windows address space layout randomization (ASLR) and Data Execution Prevention (DEP).

Microsoft has assigned CVE-2014-1776 to the flaw and has released a security advisory noting that the vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within IE. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. The purpose, of course, is to gain control of the machine and lift sensitive information; an attacker who successfully exploits this vulnerability would gain the same user rights as the current user.

Ignoring XP in this case would be too reckless. “The security of our products is something we take incredibly seriously. When we saw the first reports about this vulnerability we decided to fix it, fix it fast and fix it for all our customers,” said Adrienne Hall, general manager at Microsoft Trustworthy Computing, in a blog.
