Microsoft isn’t quite ready yet to abandon its Windows XP users to security threats. Today Microsoft is releasing an emergency out-of-band update for a zero-day vulnerability, identified as CVE-2014-1776, that was first publicly disclosed on April 26.
The Internet Explorer flaw is a remote code execution vulnerability that impacts versions 6, 7, 8, 9, 10 and 11 of the Web browser. CVE-2014-1776 is particularly noteworthy in that it is the first publicly reported flaw that impacts the Windows XP operating system since it officially hit its end of life with Microsoft’s April 8 Patch Tuesday update.
“The security of our products is something we take incredibly seriously,” Adrienne Hall, general manager of Microsoft Trustworthy Computing, said in a statement. “When we saw the first reports about this vulnerability we decided to fix it, fix it fast, and fix it for all our customers.”
Although Microsoft is providing an update for Windows XP users, that doesn’t imply that Microsoft is now changing direction and extending support for Windows XP overall.
“We have made the decision to issue a security update for Windows XP users,” Dustin Childs, group manager of Microsoft Trustworthy Computing, wrote in a blog post. “Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1.”
There are a few things that make this update really interesting.
For one, this is the first out-of-band security update for IE so far in 2014. Microsoft usually only issues security updates on the first Tuesday of every month, and to go out-of-band is not all that common, even for zero-day flaws. On Feb. 13, FireEye reported the CVE-2014-0322 IE zero-day security vulnerability, which Microsoft did not patch until Tuesday, March 11, in a Patch Tuesday update.
The fact that Microsoft has included Windows XP users is also interesting. Many had assumed that Windows XP users would now be at risk from all new flaws that pop up, but this incident proves that’s not necessarily the case.
Microsoft is taking security seriously, even for those that it claims it no longer wants to support.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.