updated 01:49 pm EDT, Thu May 1, 2014
Microsoft reverses course on earlier statement promising no software fix
Despite the update deadline having passed on Windows XP, Microsoft has issued an emergency patch to fix a major problem affecting users of the elderly operating system using Internet Explorer and Flash. The fix is currently available to Windows XP Service Pack 3 owners through the briefly resurrected Windows Update tool.
The exploit uses Adobe Flash to access memory and bypass Windows' ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) protection systems. Using the attack vector, an attacker able to redirect a victim to visit a specially created site with a prepared Flash file could potentially execute code on the target computer, installing malware and gaining control of the PC.
"We decided to fix it, fix it fast, and fix it for all our customers," spokeswoman Adrienne Hall said in a statement about the unexpected action by Microsoft. The exploit targets Internet Explorer 9 through 11, but the flaw itself exists all the way back to Internet Explorer 6.