XP U-turn on zero-day attack

Microsoft's decision to provide additional patching could come back to "haunt" the company, experts warn.

Hackers preparing 'wild west' zero-day assault on Windows XP

Microsoft has performed a major U-turn and decided to fix a zero-day flaw in its XP operating system that is now being actively exploited by suspected Chinese cyber-criminals targeting EU-based organisations.

The emergency fix will help the estimated hundreds of millions of users still running XP, which Microsoft officially stopped supporting last month – but experts have warned the move may come back to ‘haunt’ the company.

Microsoft acted after security firm FireEye said that the remote code execution flaw it first revealed on April 26, which was then being used to target users of Internet Explorer versions 9, 10 and 11 running Windows 7 and 8, is now also being used against IE 8 users running XP.

FireEye threat research director, Darien Kindlund, gave more details in an interview with SCMagazineUK.com. He said that the exploit – which allows hackers to gain access and user rights to victims' computers – is being used by an APT attack group called Clandestine Fox, which FireEye suspects is Chinese, and by another crime group from the same region to whom Clandestine Fox gave the exploit.

Kindlund said FireEye has seen the spear phishing-based attack being used against 10 or 11 organisations in the defence, financial, government and energy sectors – most of them multinationals with their headquarters within the EU. He said it's likely there will be other victims.

It was this escalation of the attack that tipped Microsoft into rushing out a fix for XP as well as its newer operating systems in a highly unusual “out-of-band” release, ignoring its usual Patch Tuesday cycle of fixes.

Announcing the patch in a 1 May blog post, Microsoft group manager Dustin Childs said: “We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. While we've seen only a limited number of targeted attacks, customers are advised to install this update promptly.”

But while welcome to XP users, experts warn the decision could backfire on Microsoft.

Brian Honan, head of Dublin-based independent consulting firm BH Consulting, told SCMagazineUK.com via email: “While some may think it is laudable for Microsoft to provide this patch for Internet Explorer on Windows XP, it may be a decision that could come back to haunt them later.

“This move by Microsoft to provide an ‘exception patch’ sends a confused message to those still on Windows XP. Their expectations may now be set to expect Microsoft to continue to provide exemption patches for future issues. This could delay the migration of many computers away from XP to more secure alternatives.”

Christopher Boyd, malware intelligence analyst at security firm Malwarebytes, agreed. He told SCMagazineUK.com: “On the one hand, Microsoft releasing a ‘special’ patch to fix the recent Internet Explorer exploit for users of Windows XP is a sensible move. There's no point putting all those users at risk when the operating system has only recently been killed off.

“However, we may be training XP users to stick with their systems in the hope that Microsoft may release similar patches in future and ultimately we all want those people to move to a more secure OS. They can't prop it up forever, at some point you will see the company draw a line in the sand.”

FireEye's Kindlund said: “It's a very difficult situation from the perspective of Microsoft. Obviously they want to motivate their users to migrate away from this out-of-date ancient platform but at the same time they don't want to leave all the current users of this OS to be completely vulnerable.”

Kindlund told SC that Microsoft decided to issue the patch after FireEye found the exploit was being crafted to be used against Windows XP running IE 8, “which was kind of disturbing”.

“We had in-the-wild proof that the exploit was getting worse. We relayed that over to Microsoft to emphasise that this is going to get worse, there needs to be a patch rolled out sooner rather than later. And literally the day before Microsoft released their patch we then started to see this particular threat group actually hand over the exploit to at least one other threat group.

“That was yet another reason why Microsoft decided to roll out the patch to support all these other out-of-date platforms.”

Kindlund said the threat groups were suspected to be from the same world region, sharing tools but with different delivery methods. Asked if they are from China, he said “We do not have conclusive evidence” but “that's our current suspicion.”

He said at least one US-based firm had been targeted; the others were multinationals with headquarters based in the EU. There were four clusters of spear phishing attacks, with 10-11 victim firms observed.

He added: “Our visibility of this threat is not conclusive, there are likely other victims that have not come forward.”