The First Windows XP Security Problem Microsoft Won't Fix

Microsoft warned many of its customers that they were on their own earlier this month when it stopped supporting XP, an older but still widespread version of its Windows operating system. The software remains functional, but Microsoft won’t fix its newly discovered security holes, leaving those who haven’t upgraded to a newer version vulnerable to a future hacking attack. It didn’t take long to find one.

Over the weekend, computer security company FireEye said it had noticed a number of attacks on U.S. firms via a vulnerability in various versions of Microsoft’s Internet Explorer. If successful, the attacks can force a computer to run code of the attacker’s choosing, which could extract data or send spam. More than 26 percent of desktop computers used the affected browsers last year, according to NetMarketShare. FireEye gave the attack a name—Operation Clandestine Fox—but wouldn’t say much about the extent or targets of the attacks.

Microsoft is working on fixing the IE problem. The fix, though, will not be sent to machines running XP. As of the beginning of this month, XP was the world’s second-most-popular operating system in terms of Internet usage, according to StatCounter, and was the OS of choice of more than 18 percent of Internet users. In an e-mail to Reuters, the company suggested that people update their systems.

There are other things that could protect XP users from attacks. The vulnerability exists in a Web browser, which means that it can only be exploited if victims use that browser to visit a website designed to attack them. “An attacker would have no way to force users to visit these websites,” wrote Microsoft in a security advisory. “Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message.”

This almost certainly means that this won’t lead to the kinds of devastating attacks on ATMs some security experts wrung their hands about earlier this year. Many ATMs and other industrial computers have been built around their operating systems, making it a difficult task to upgrade to a new OS. As a result, many continue to run XP even though their makers had ample warning to switch to a newer version of Windows.

Aravinda Korala, the chief executive of KAL ATM Software, wrote earlier this month that any ATM Armageddon is a ways off. “Most bank ATMs are very well protected,” he wrote in ATM Marketplace, a trade publication. “They are connected on a private network with no Internet access. They are locked down tightly so that only the minimum functionality necessary for the ATM to operate is allowed.” For one thing, ATMs don’t click on suspicious links.
