As Microsoft rushes to fix a major security defect in its popular Web browser, Internet Explorer, one enormous group of computer users will remain vulnerable to the bug: the 488 million people worldwide who still rely on Windows XP to power their computers.
Microsoft (NASDAQ:MSFT) discontinued support for the 12-year-old operating system on April 8 and ceased offering updates on it to protect users against threats, effectively leaving customers to fend for themselves in a world increasingly susceptible to security flaws exploited by malevolent forces. So as Microsoft eventually releases patches that fix Internet Explorer for those using other operating systems, it says that XP users will go without.
Some advocates demand that Microsoft provide a patch for XP users. They note that the Seattle-based software giant cashed in on enormous sales of XP, suggesting that this creates a moral imperative – if not a legal obligation – to make sure users can surf the Web safely. A dozen years after XP's release, some 27 percent of computers worldwide rely on the system.
“Microsoft succeeded in getting a lot of users into a position where they were completely dependent on XP, but subsequently made the technical and strategic decision to stop working on that outdated codebase,” Peter Eckersley, technology projects director for Electronic Frontier Foundation, told International Business Times. “That has left a lot of people stranded.”
FireEye, the cybersecurity firm and Microsoft security partner that found the flaw, announced over the weekend that even the latest versions of Internet Explorer are vulnerable, with IE9 to IE11 (the latest version) targeted by hackers trying to get intel on U.S. financial institutions and the military. FireEye has dubbed the team of hackers “Operation Clandestine Fox.”
The IRS, as well as governments in the U.K. and the Netherlands, now pay Microsoft to continue providing support for their XP systems. Some hospitals still use it in the U.S. and abroad, partly because they use software that regulators have not certified for use on newer operating systems. XP is used heavily in U.S. government-run facilities, especially schools, and its follow-up, Windows Vista, appeared during the financial downturn, leading many organizations to fall behind in updating. Eckersley says that unless Microsoft changes course and provides XP support, the continued use of the operating system “poses a dire threat to Internet security, both to those individuals and organizations who use it and to the network as a whole.”
While XP-using organizations and individuals have been urged to upgrade to a modern operating system like Ubuntu, ChromeOS or Windows 8, Eckersley said many won’t or can’t because of “strong forces of inertia” like bureaucratic certifications and the advanced hardware requirements for later versions of Windows.
“This problem affects all of us, not just organizations that are stuck on XP,” Eckersley said. “Important new security functionality cannot be widely used on the Internet, in cases where Windows XP systems are not compatible with it.” For example, the deployment of new Web security standards like HTTPS encryption has been delayed due to incompatibility with XP, he said.
Even if Microsoft cedes to criticism and patches Internet Explorer for XP, future threats will go unfixed. Eckersley said Microsoft should help the hundreds of millions of users stuck with an outdated OS by releasing XP under an open-source license.
“That would allow organizations being squeezed by security problems and the lack of an update path to work together on ameliorating the worst Windows XP security catastrophes,” Eckersley said, like the recent Internet Explorer bug.
Microsoft’s decision to stop providing extended support for XP has been a long time coming and is consistent with its history of providing updates for products for only 10 years after their release. A Microsoft spokesperson told IBTimes that the company “no longer provides security updates for this operating system. Our advice to customers is to migrate to a modern OS, like Windows 7 or Windows 8.1.”
Microsoft also provided the following statement:
On April 26, 2014, Microsoft released Security Advisory 2963983 to notify customers of a vulnerability in Internet Explorer. At this time we are aware of limited, targeted attacks. We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalized.
Our investigation has revealed that Enhanced Protected Mode, on by default for the modern browsing experience in Internet Explorer 10 and Internet Explorer 11, as well as Enhanced Mitigation Experience Toolkit (EMET) 4.1 and EMET 5.0 Technical Preview, will help protect against this potential risk. We encourage customers to follow the suggested mitigations outlined in the security advisory while an update is finalized.
The security team responsible for finding the bug, FireEye, says XP users should immediately disable the Adobe Flash plugin for Internet Explorer, or stop using the browser altogether and switch to an alternative such as Mozilla Firefox or Google Chrome. Both Mozilla and Google have pledged to continue support for those products on Windows XP until at least next year. The Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) also recommends avoiding Internet Explorer.
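FireEye's advice above is to disable the Flash plugin in Internet Explorer. The script below is an added example, not code from the article, FireEye or Microsoft, showing one machine-wide way an administrator can do that: setting the Microsoft-documented ActiveX "kill bit" for the Shockwave Flash control, which stops Internet Explorer from loading the control in any security zone. The CLSID and the 0x400 kill-bit value are the documented ones; the script assumes a 32-bit Windows XP SP3 host and an administrator command prompt.

```batch
@echo off
REM Added example (not from the article, FireEye or Microsoft).
REM Sets the ActiveX kill bit for the Shockwave Flash control so Internet
REM Explorer refuses to instantiate it. Assumes 32-bit Windows XP SP3 and
REM an administrator command prompt.

REM CLSID of the Shockwave Flash ActiveX control (documented by Microsoft/Adobe)
set FLASH_CLSID={D27CDB6E-AE6D-11cf-96B8-444553540000}

REM Per-control compatibility settings live under this key; the value name is
REM literally "Compatibility Flags" and 0x400 (1024 decimal) is the kill bit.
set KEY=HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\%FLASH_CLSID%

echo Current setting (an error here simply means no kill bit is set yet):
reg query "%KEY%" /v "Compatibility Flags"

echo Setting the kill bit...
reg add "%KEY%" /v "Compatibility Flags" /t REG_DWORD /d 1024 /f

echo Verifying (expect Compatibility Flags = 0x400):
reg query "%KEY%" /v "Compatibility Flags"

REM To re-enable Flash later, delete the value:
REM   reg delete "%KEY%" /v "Compatibility Flags" /f
```

Unlike toggling the add-on in Internet Explorer's Manage Add-ons dialog, which is a per-user setting, the kill bit applies to every user and every zone on the machine, so it suits hosts that cannot be retired or migrated quickly. On a 64-bit Windows host the same value would also need to be written under the Wow6432Node branch for the 32-bit browser; that case is outside the assumption above.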
A spokesperson for the Federal Trade Commission, which sometimes investigates cybersecurity cases that affect consumers, told IBTimes that the agency would not comment on whether it would investigate the bug.
Follow Reporter Thomas Halleck on Twitter