In a surprising reversal of policy, Microsoft has decided to issue a patch for Windows XP users of its Internet Explorer Web browser, Reuters reports. The flaw was slated to go unpatched on Windows XP, which would have left the versions of Internet Explorer that are compatible with the dated OS permanently vulnerable. Microsoft reportedly stated as recently as Wednesday that the bug would be left untreated for XP.
“We decided to fix it, fix it fast, and fix it for all our customers,” Microsoft spokeswoman Adrienne Hall said in a statement.
This comes after Windows XP users were warned by the U.S. Department of Homeland Security to stop using Internet Explorer because of the threat posed by the vulnerability. The DHS recommended using alternative Web browsers instead, such as Google Chrome or Mozilla Firefox.
Microsoft described the security hole as “a remote code execution vulnerability” which “could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer.” Internet security firm FireEye stated today in an official blog post that hackers were using the flaw to target government, energy, defense, and financial industries. However, attacks on the latter two sectors had already been observed by FireEye.
The zero-day bug threatened Internet Explorer versions 6 through 11, though workarounds have been available for Internet Explorer 10 and Internet Explorer 11. However, those versions of the browser aren’t compatible with Windows XP. The last version of Internet Explorer that was compatible with Windows XP was IE 8, according to Microsoft’s IE system requirements pages. IE 8’s “lifecycle start date” was June 17, 2009.
Microsoft ceased supporting Windows XP on April 8. However, should additional threats like this emerge, it’ll be interesting to see whether Microsoft will take similar steps to protect Windows XP users from such dangers.