Don't say we didn't warn you. Microsoft ended support for Windows XP earlier this month, meaning any new security holes won't be patched. Well, they've found one, and it's a doozy. Affecting Internet Explorer versions from 6.0 through 11, this bug lets the bad guys execute arbitrary code on your system. As soon as you visit a gimmicked website, you're pwned. Other Windows versions will get patched, but not XP.
You may remember that Windows XP never advanced beyond IE8. Researchers at FireEye say the attacks they've seen are targeting IE9 and later, but that doesn't mean earlier versions couldn't be hit.
How it Works
Microsoft has been building attack-resistance technology into Windows for years now. Data Execution Prevention (DEP) blocks a whole range of attacks that worked by sneaking code into data areas and forcing its execution. Address Space Layout Randomization (ASLR) foils attacks that rely on finding and subverting specific code segments in known applications. According to a Microsoft security advisory, attacks exploiting this vulnerability can bypass both DEP and ASLR.
According to a Bitdefender report, the attack "leverages a Flash exploitation technique that loads a SWF file to corrupt process memory and direct the program's flow to a memory location where malicious code is laid out." This suggests that an IE installation without Flash installed might be safe, but I wouldn't count on it. The Bitdefender report also points out that 20 percent of Windows users are stuck on XP, many of them in enterprise environments.
What Can You Do?
First and foremost, as we've said before, if you're still running XP you must stop using Internet Explorer! Any other browser will be better, and all of the alternatives are still updating XP users. You can't truly get rid of IE, because it's too enmeshed in the operating system. But you can at least delete all shortcuts that point to it, so you don't launch it accidentally.
The Microsoft report on this vulnerability includes a large collection of suggested actions, many of which are valid for XP users with sufficient technical skill. The report advises deploying the Enhanced Migitation Experience Toolkit 4.1, setting Internet and Local security zones to "high," and unregistering a particular DLL, among other things.
Those running a post-XP Windows will get an update, once Microsoft figures out the patch. In the meantime, if you're running 64-bit Windows you can tweak a couple of settings for protection. Open Internet Properties and click the Advanced tab. Check the box to Enable Enhanced Protected Mode, and also check the box to Enable 64-bit Processes for Enhanced Protected Mode. Once you reboot, you'll be safe.
Really, though, this should serve as a wake-up call for XP users. Things are only going to get worse. As the Bitdefender paper states, "Windows XP had a good run in its 12+ years on the market, but now it's time to say goodbye and move on."