Less than two weeks after Microsoft finally withdrew support for Windows XP and, by extension, Internet Explorer 8 and Microsoft Security Essentials for Windows XP, a serious security breach was discovered. Called a "zero-day" bug because no days elapsed between the time developers found the bug and the time its first exploit was discovered, the bug affects all versions of Internet Explorer.
That is the main point of this note. The bug affects Internet Explorer, not Windows XP.
I believe that is the reason Microsoft chose to issue the fix. Microsoft has worked hard on Internet Explorer (IE) from a security point of view. Any problem with any version of IE casts a pall over all versions of IE, something Microsoft's competitors can use to their advantage. The reputation of Internet Explorer is something Microsoft takes very seriously.
I have also suggested in these pages that Microsoft might address a security issue if it was deemed sufficiently catastrophic. That was surely the case here.
If you have automatic updates enabled on the XP systems you are using, the patch for this problem will be applied automatically. If you are manually updating, consult Microsoft's site for details, as it is important that this patch be applied after certain other patches are applied. The new patch is identified as KB2964358.
There are a few other things you should know.
- The fix is for IE8 only. IE7 and IE6 are not patched. If you need IE8 for a Windows XP system, go here.
- In my opinion, if this problem had been in Windows XP itself and not IE, Microsoft would not have issued the patch.
Microsoft's decision to address a security issue with Internet Explorer is not an indication that Microsoft will change its support policy for Windows XP. XP is dead. MSE for XP is dead. All my previous advice on this matter remains in effect.