Microsoft gave plenty of warning about the end of Windows XP support. Now it’s time to see what happens when a high-priority security advisory is issued and Windows XP users can’t get their hands on the fix.

Security researchers at FireEye have uncovered a flaw in the way Internet Explorer references memory that was in use by the Adobe Flash plug-in and has since been made available again (known as a use-after-free flaw). Amazingly, this particular flaw affects IE 11 and the previous five versions. Yep, all the way back to Internet Explorer 6, which is still in use by some despite concerted efforts by tech types (including Microsoft itself) to kill it.

According to FireEye’s post, a specially-crafted Flash file is what allows attackers to compromise IE. Once they’re in, an attacker can do just about whatever they want — what Microsoft refers to as “remotely executing arbitrary code.”

The good news is that you’re not likely to stumble across this particular attack if you stick to trustworthy websites. It’s the kind of thing that typically pops up on shady screensaver and video sites. Also, it’s worth knowing the attacker has the same privileges as the user who was logged in when Internet Explorer was compromised.

If you’re one of the select few who has configured Windows in such a way that you don’t actually use it with an administrator account, then the bad guys will only be able to do things that your guest account can.


And since this particular attack relies on Flash Player, you’re safe once you remove it from your system (assuming you had it installed in the first place). The bad news is that you’ve already got both IE and Flash if you’re using Windows 8, 8.1, or RT — and there’s really no way to get rid of them.

You can, however, turn on IE’s Enhanced Protected Mode and protect yourself until the patch is delivered. To turn it on, open the Internet options screen in IE, go to the Advanced tab, and scroll down to the Security section. Check Enable Enhanced Protected Mode, click OK, and restart IE. You should be safe once that’s done.
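For anyone who has to check this setting on more than one machine, here is a PowerShell sketch of the same step. It is an added example, not part of the original article, and it assumes that the checkbox is stored as the string value `Isolation` (`PMEM` meaning enabled) under the Internet Explorer `Main` registry key, with Group Policy copies of that value taking precedence.

```powershell
# Added example: audit and enable IE Enhanced Protected Mode (EPM) for the current user.
# Assumption (not from the article): the Advanced-tab checkbox is stored as the
# string value "Isolation" under the Internet Explorer "Main" key; "PMEM" = enabled.
$UserKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$PolicyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
)

function Get-IsolationValue {
    param([string]$Path)
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name 'Isolation' -ErrorAction SilentlyContinue).Isolation
}

function Get-EpmState {
    # A policy value overrides the per-user checkbox, so look there first.
    foreach ($key in $PolicyKeys) {
        $value = Get-IsolationValue -Path $key
        if ($null -ne $value) {
            return [pscustomobject]@{ Source = $key; Value = $value; Enabled = ($value -eq 'PMEM') }
        }
    }
    $value = Get-IsolationValue -Path $UserKey
    [pscustomobject]@{ Source = $UserKey; Value = $value; Enabled = ($value -eq 'PMEM') }
}

function Enable-Epm {
    $state = Get-EpmState
    if ($state.Enabled) { return $state }
    if ($state.Source -ne $UserKey) {
        # Writing the user value would have no effect while a policy value exists.
        Write-Warning "EPM is set to '$($state.Value)' by policy at $($state.Source); change it in Group Policy."
        return $state
    }
    if (-not (Test-Path $UserKey)) { New-Item -Path $UserKey -Force | Out-Null }
    Set-ItemProperty -Path $UserKey -Name 'Isolation' -Value 'PMEM' -Type String
    Get-EpmState
}

Enable-Epm | Format-List
Write-Output 'Restart Internet Explorer for the change to take effect.'
```

Running `Get-EpmState` on its own reports the current setting and where it comes from without changing anything.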

Another alternative is to use a different web browser. The switch doesn’t have to be permanent, of course, but it really should be if you’re still running IE6 or you’re still ignoring the Windows XP warnings. You’ll be safe from this particular attack if you change to Chrome or Firefox, but this is the first critical update that you’re going to miss out on.

There will be others, and every time a new flaw is discovered and you miss out on a patch it’ll get riskier and riskier for you to use XP on the Internet.

Published On: May 6th, 2014 / Categories: MICROSOFT