Internet Explorer Zero-Day Turns into Permanent Threat for XP Users

A new Internet Explorer zero-day vulnerability is currently being exploited in the wild. The vulnerability identified on Saturday affects all versions of Internet Explorer, including the archaic versions 6 through 8 which ship with the now-dead Windows XP.

Update: the folks at Microsoft have issued a patch for the issue. Oddly enough, the patch has been made available for Windows XP users as well. UPDATE NOW!

Internals of the exploit

This newly discovered flaw, also known as CVE-2014-1776 leverages a Flash exploitation technique that loads a SWF file to corrupt process memory and direct the program’s flow to a memory location where malicious code is laid out. This exploitation technique can bypass the two most important security mechanisms in Windows: DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization)


While a zero-day attack against an application as popular as Internet Explorer is serious business, things are even worse for a special category: the Windows XP users. Less than three weeks ago, Microsoft shipped the last security update for 20-something percent of Windows users with the firm promise that it would be the last one ever.

Windows OS breakdown by popularity – source: Bitdefender Labs data

Another significant issue is the fact that Windows is closely tied to Internet Explorer – it is an important component of the operating system that is hardcoded in every edition of the OS, even after the installation of the EU-friendly Browser Choice update.

Last, but not least, many still think that computer users running Windows XP are using ANYTHING but Internet Explorer on their setups. While this may be true for regular users, the situation in enterprise environments is exactly the opposite. Actually, this is one of the reasons companies have lagged behind for so long with the upgrade process: the incompatibility of their custom applications with Internet Explorer versions 7 and up. Which is why, 12 years later, Windows XP is still world’s second most popular operating system. And, if you’re thinking about the cost of migration, now you should be thinking about the cost of not migrating.

Now, strap yourself for the really bad news

Whenever a zero-day exploit against the browser is discovered, it is just a matter of days until it becomes public knowledge (read: it is pushed in an exploit pack or in a penetration testing framework such as Metasploit), making payload generation a breeze even for the unexperienced. This means that in just a couple of days, we’re going to see all (or at least the most important) exploit packs updated to automatically throw freshly baked malicious code at completely unprotected users. And, while this will soon be over for users of supported versions of Windows, as Microsoft is readying a fix, XP users will remain vulnerable forever.

What to do now?

If you’re using a 64-bit version of Windows, you can run Internet Explorer in “Enhanced Protected Mode” and enable 64-bit process mode. If you’re stuck with XP though, there is no way to do this simply because a) x64-bit Windows XP is a rarity, as it’s always been and b) Enhanced Protected Mode is only available for IE10 and IE11. In this case, you can only pray that your antivirus detects the exploitation as it goes on and blocks the payload before execution.

Regular users who rely on Windows for day-to-day tasks should install an alternative browser until the issue gets an official patch from Microsoft. In the case of Windows XP users, they should adopt, if possible, a different, third-party browser permanently as they will not get the fix via Automatic Update. If you’re a sysadmin maintaining a Windows XP computer network, then you’re probably in for overtime: make sure that you run an antivirus solution with exploit detection features and that you’re disallowing access to the Internet from machines running vulnerable versions of the browser.

Bitdefender offers Safepay, a hardened browser that is immune to exploitation and functions on all versions of Windows. You can download it for free immediately as a standalone product or you can use it right away if you have Bitdefender Internet Security or Total Security installed.

A final word of advice: this is just the first of a presumably long series of security issues that Windows XP users will encounter in the near future. Windows XP had a good run in its 12+ years on the market, but now it’s time to say goodbye and move on.


About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.


Click here to post a comment
  • This is a boon to Microsoft, since now we are forced to buy their new operating system.

    Do you really think we would have chosen this road 20 years ago if we were told that a new operating system would be forced on us when Microsoft chose to?

    Its like saying the car you bought can no longer be driven or your refrigerator would blow up after a certain date.

    Its inconceivable that consumers would bow down to this aggressive marketing, and I wonder if MS doesn’t assist with hacks that would drive their market?

    After all, it is the “free market” LOLOL except that its fixed.


    • Hello, Mike and thanks for your insight. I totally agree with the fact that you should be able to use the product that you have been licensed for as long as you want, and this is actually what Microsoft lets you do. What they said is that they won’t be providing updates for the product and they said it loud and clear more than one year ago.

      I beg to differ though for your car analogy. I had a car that has been built in the 70s. Not only that I couldn’t find spare parts anymore (updates) because the manufacturer had long since discontinued that assembly line to build newer, better cars, but security wise, my car was a hazard to myself and others. It did not have airbags (I think they were not invented by the time it left the assembly line), did not have safety belts for the back seats and did not comply with any environmental regulations whatsoever. Fortunately for me, the decision to retire it was easier, as it was made by the police. Unfortunately, there is no Internet police to retire old OSes and make it easier for us all.

      Unlike the police, Microsoft does not force anything on us: you can “drive” your XP os for as long as you want, whenever you want and however you want. The only difference is that there will be no airbag to save you when things go horribly wrong. Nothing lasts forever, not even software.

  • The car analogy is reasonable in one sense. In the UK it is entirely possible to run a classic 70s or older car. One critical adaption necessary is to run on lead replacement fuel as leaded fuel is no longer sold. Seatbelts are easily fitted too. Airbags not required. Apart from that as long as it has been maintained/restored and passes road worthiness tests you would be good to go.

    The same ethos applies with a 14 yr old PC (it is roughly the same rate of development PC wise). It might not cope with Windows 7 or 8 but there is life in the old dog yet.

    The hardware may be more than a few generations old and the installed OS may have had it but the computer can still be used. I switched two of mine to Fedora MATE. They run flawlessly and are by virtue of Fedora philosophy and development community constantly up-to-date. Everything I did with them on XP I can do in Fedora in much the same way without a massive learning curve.