By Danny Yadron
A newly discovered security hole in Microsoft Corp.'s Internet
Explorer--the default Web browser for many users--could be
particularly troubling for those still running Windows XP.
Microsoft on Sunday warned about a flaw affecting versions 6
through 11 of its flagship browser. The coding flaw would allow
hackers to have the same level of access on a network computer as
the official user, Microsoft said, which is a best-case scenario
for intruders.
The company said it is aware of "limited, targeted attacks" that
attempt to exploit the flaw. Microsoft didn't elaborate.
FireEye Inc., a security company that claimed credit for finding
the hole, described it as part of a hacking campaign against U.S.
financial and defense companies. It didn't provide further
details.
FireEye said attacks have mainly been targeted at Internet
Explorer 9 through Internet Explorer 11.
The bug affects the browser when used on multiple Microsoft
operating systems. But the situation poses a special concern for
people still using Windows XP.
The software was introduced in 2001, and Microsoft on April 8
stopped supporting XP with software updates--including security
patches for the operating system and its browser. XP can run up to
Internet Explorer 8.
"XP users are not safe anymore and this is the first
vulnerability that will be not patched for their system," Symantec
Corp. researcher Christian Tripputi wrote in a blog post for the
data-security company.
Windows XP, though outdated and plagued with security flaws,
still runs on some 300 million machines. Microsoft offers extended
support for corporate clients still running XP, but at a hefty
price.
Despite its past statements, Microsoft could decide to make an
exception and issue a patch that would aid XP users. The company,
based in Redmond, Wash., didn't immediately respond to a request
for comment.
"On completion of this investigation, Microsoft will take the
appropriate action to protect our customers," Microsoft said in a
security bulletin.
Sunday's disclosure, to a certain extent, was predictable.
Microsoft had publicized widely its plans to stop supporting XP,
and the dire consequences for some users were well-known.
But it isn't clear whether anyone expected a major XP flaw to be
found three weeks after Microsoft ended support.
Morgan Marquis-Boire, a well-known security researcher, posted a
link to Symantec's warning on his Twitter account Sunday, including
the phrase "*gets popcorn*" to indicate that he expects a furor to
result.