Software giant Microsoft has released a fix to a critical vulnerability that hit its Internet Explorer Web browser over the weekend, and it has even fixed the flaw in versions for Windows XP, for which official support recently ended.
Microsoft announced the move in a company blog post earlier today. “This means that when we saw the first reports about this vulnerability, we said fix it, fix it fast, and fix it for all our customers. So we did,” Microsoft’s Adrienne Hall wrote.
Dustin Childs, a Microsoft security manager, wrote in a separate post that the company had seen only “limited targeted attacks” exploiting the vulnerability, but customers are advised to update their software as fast as they can, though for most the update will install automatically.
Separately, the security company FireEye said it had seen an increase in attacks using the vulnerability, which it has dubbed “Operation Clandestine Fox.” Initially it had spotted attacks only on versions 9, 10, and 11 of Internet Explorer running on Windows 7 and 8. That changed, it said, to include Windows XP and IE version 8.
FireEye added that the attacks have spread to new targets: “We have also observed that multiple, new threat actors are now using the exploit in attacks and have expanded the industries they are targeting. In addition to previously observed attacks against the Defense and Financial sectors, organizations in the Government and Energy sectors are now also facing attack.”
Disclosed in an unusual Saturday alert from Microsoft, the vulnerability by one estimate affected more than 56 percent of the world’s Web browsers currently in use. It’s a remote code execution vulnerability, which means an attacker can make a target computer run software after a successful attack. “The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer,” Microsoft’s alert said.
The pressure on Microsoft to fix the bug — even in Windows XP, a 13-year-old OS that it recently stopped officially supporting — was high, as government computer security agencies in the U.S., the U.K. and Germany had advised against using IE until the flaw was patched.