Tuesday, April 29, 2014

Windows XP users, you have to stop using Internet Explorer right now

US-CERT is aware of active exploitation of a use-after-free vulnerability in Microsoft Internet Explorer. This vulnerability affects IE versions 6 through 11 and could allow unauthorized remote code execution.

US-CERT recommends that users and administrators review Microsoft Security Advisory 2963983 for mitigation actions and workarounds. Those who cannot follow Microsoft's recommendations, such as Windows XP users, may consider employing an alternate browser.

The CERT is the Computer Emergency Response Team* which has been around since the late 1980s (!).  Back then there were about 200 of us who cared about security.  These guys have been in the business for a long, long time.

Their point about XP users "considering" using a new browser is just politeness and professionalism.  Others in the press are less restrained: US, UK advise avoiding Internet Explorer until bug fixed:

The Internet Explorer bug, disclosed over the weekend, is the first high-profile computer threat to emerge since Microsoft stopped providing security updates for Windows XP earlier this month. That means PCs running the 13-year-old operating system will remain unprotected, even after Microsoft releases updates to defend against it.

XP users, you've had a long, good run.  It's over now.

"Everybody should be moving off of it now. They should have done it months ago," said Jeff Williams, director of security strategy with Dell SecureWorks.

Roger Kay, president of Endpoint Technologies, expects several hundred million people running Windows XP to dump those machines for other devices by the end of the year.

Like the old saying from the bartender, you don't have to go to a new browser but you can't sleep on this one anymore.  The bad guys have been waiting for the last XP security update.  It's like the U-Boats waiting for the escorting destroyers to sail over the horizon, leaving the convoy behind.  Now it's open season.  On you.

XP users, stop using Internet Explorer, effective immediately.  Do not pass Go, do not collect $200.  If you're reading this in IE, close the window right now.

I can't recommend Firefox, which is coded by fascists or their running dog dupes.  I can't recommend Chrome because it's from Google, and they're evil.  Opera is OK for now, but quite frankly your options are limited and will be worse each month from now on.  As I said, the U-boats are gathering, and it will be the "Happy Time" for them against all the XP users.

You've come to the end.  Now it's time to come to a decision on what to do next.  That will be the next post.

* They call the "R" "readiness", but they've been around so very long that old security hands like me go by their old (and quite frankly, better) name.


Dave H said...

Now hang on. "IE is hit! Abandon XP!" That doesn't follow. Every XP user in the world could upgrade to Win 8.X today, but they still wouldn't be safe from this Internet Explorer exploit.

Is it bad? Sure. But I think Microsoft is engaging in a little bit of FUD to get people to move off of XP quicker.

Borepatch said...

Dave, this is only one of many, many problems that XP users will encounter. Microsoft will get a fix for Windows 8 (and 7), but not for XP.

My next post will go into this in somewhat more detail.

DOuglas2 said...

I've got a few machines still on XP, all are acting as controllers for specialized hardware, or connected to peripherals that don't have drivers beyond XP. For something that is used 8 or 9 times a year, and where the computer never needs to connect to a network, I don't see much point fixing a tool that works just fine as it is...
Even so, it's good to know that IE is hosed, just in case the temptation strikes to play farmville when I'm bored in one of those facilities.

Dave H said...

BP: I'm not arguing that people shouldn't move off of XP (with a few carefully controlled exceptions, like in the comment above). Just that the breach du jour isn't XP's fault, in spite of what Microsoft is saying.

newrebeluniv said...

Amazing. XP has been around for 13 years and despite weekly updates for the past 13 years, they are STILL finding bugs with it. How is this possible? I get that operating systems are very complex, but shouldn't all the back doors and exploitation paths have been found after 13 years? Seriously? There are still "remote activation" resources that are just now being discovered?

Borepatch said...

DOuglas2, isolated, special purpose machines will face less risk. Keeping them off a network is even better.

DaveH, the problem is that we'll see this repeat every month. XP risk will increase monotonically until people migrate. The fact that this wasn't XP's "fault" really doesn't change anything.

newrebeluniv, this is typical in the software field.

ordnancecorner said...

I'm somewhat enjoying the massive freak out here about internal sites that require IE since the CIO sent out a message saying not to use IE for any reason. From what I read unless those sites get compromised they would be fine to access just those sites. After applying the recommended configuration changes of course.

Eck! said...

This is new, how?

In its long history Internet Exposure (IE) has nothing but security issues.

As to FUD to get people off XP, read the technote. It affects IE6 through 11 (11 is supplied with Win-8). That means most every version of IE on every current as well as past versions of the OS has this vulnerability.

Every system I ran before jumping to Linux had IE thoroughly removed from the disk and system. Why? Because that and some of the other M$ cruft like Outlook and Office. Every one of them was replaced with third party tools that did the same or better. Finally I got tired of the merry go round and went with an OS that is less painful to maintain.


foxmarks said...

Been browsing with Pale Moon on Win7 and Ubuntu for a couple of weeks. Wish I would have dumped Firefox sooner.