Windows XP Critical zero-day exploit – Internet Explorer all versions affected & no fix in sight


Security firm FireEye announced Saturday (April 26) on a previously unknown exploit in Microsoft’s Internet Explorer browser CVE-2014-1776. A patch to fix the flaw is not yet available.

What versions of Internet Explorer running on Windows XP affected?

On that day, Microsoft announced that IE versions 6 through 11 were at risk of drive-by attacks from malicious websites. Windows XP is capable of running IE 6, 7, and 8 but attackers are focused on IE 9, IE 10 and IE 11 all of those account for a quarter of global browser market share.

This new remote code execution vulnerability CVE-2014-1776, gives hackers the same rights as the currently logged in user. Users that run their computers as an admin account are the most affected by this since new accounts and file permissions globally on the computer can be changed. Unfortunately most Windows XP users run their PCs under an admin account.

Now What?

No word from Microsoft if they will issue an emergency patch, we’ll need to wait for Patch Tuesday on May 13 to see if they offer one.

Windows XP users should use another browser such as Chrome or Firefox until a patch becomes available or upgrade to a new version of Windows such as Windows 7 or Windows 8.1. If you need to use IE, disabling all Adobe Flash browser plugins in will also stop the attack, since Flash is a necessary for the attack to work. You should download and  install Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) version 4.1, which is available free from Microsoft to improve Windows security.

A few other things you can do

You can disable a feature in IE called “Active Scripting” will prevent Flash from running in the browser. Microsoft says that disabling an extension “VGX.dll” that Internet Explorer  will also stop the attack. VGX.dll makes vector graphics rendering in the browser. Lastly, running your XP computer using a limited user account will mitigate the attack but will only stop them from affecting the PC and just your user account. The safe bet is to upgrade to Windows 7 or Windows 8.1 with a new PC.

Jason Tucker

Jason Tucker

Web Developer at Tucker Pro
Jason Tucker is a web developer, systems administrator and a father of three. Jason owns Tucker.Pro a web development company and is host of WPwatercooler a weekly WordPress web development and design YouTube channel and podcast. Jason also blogs over at WPMedia.Pro where he talks about working with audio and video on the web.
Jason Tucker
Jason Tucker