It’s only the beginning: Windows IE flaw is the first major XP problem
The IE security flaw that was uncovered this past weekend may only be the beginning of post-retirement woes for the family of Windows XP operating systems. The tech community has had to accept that Windows XP is retired, with no further patches or updates as of April 8th. Going even further than your typical flaw announcement, the details unearthed by security service provider FireEye indicate that a number of attacks have been detected in the wild. These were traced to a known cybercriminal group.
It is reasonable to deduce that the exploit for this flaw is by now most probably well known in cybercrime circles. Exploits, malware and information are quickly traded commodities, exchangeable for goods or other forms of compensation.
The potential impact on such a large base of targets built on the 12-year-old Windows XP operating system is an ominous threat. This will likely continue to be the case, as many flaws and vulnerabilities are probably yet to emerge and a certain number of XP systems will continue to exist.
Workarounds for those currently affected include installing and using Firefox, Chrome or other alternative browsers. However, one of the many reasons businesses may have stuck with Windows XP was having legacy applications and APIs bound to Internet Explorer, making the idea of just switching browsers a moot solution.
How could an attacker exploit the vulnerability?
Microsoft’s Technet site discloses the severity and risk of this issue:
An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker’s website, or by opening an attachment sent through email.
If there is one silver lining, it’s that the flaw requires visiting a specially crafted website in order to be exploited. If businesses have practiced reducing the exposure of Windows XP systems in the environment through restrictive configuration, their risk may be reduced significantly. In other words, if a Windows XP system exists on the network, ideally it has been configured to only access the sites it needs IE to access.
Additionally, Microsoft has published more advanced methods to reduce exposure to this flaw within its service advisory disclosing the flaw.
Still lurking in the danger zone, it remains to be seen what the latest industry numbers are in relation to installed Windows XP systems. Seeing how a patch for a vulnerability like this could easily be applied to Windows XP systems, there may be public pressure from the security community to release some kind of crisis-level patch. It has long been suspected that the cybercrime community has been holding on to zero-day vulnerabilities and exploits in order to capitalize on this XP situation. Though this flaw may not exactly be pinned to that zero-day hoarding yet, I must express my continued concern that this may be the shape of things to come.