May 1, 2014

MicrosoftΒ has issued an emergency security update to fix a zer0-day vulnerability that is present in all versions of its Internet Explorer Web browser and that is actively being exploited. In an unexpected twist, the company says Windows XP users also will get the update, even though Microsoft officially ceased supporting XP last month.


The rushed patch comes less than five days after the software giant warned users about active attacks that attempt to exploit a previously unknown security flaw in every supported version of IE. This flaw can be used to silently install malicious software without any help from users, save for perhaps browsing to a hacked or malicious site.

“We have made the decision to issue a security update for Windows XP users,” writes Dustin C. Childs, group manager, response communications at Microsoft. “Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.”

Microsoft says the majority of customers have automatic updates enabled and will not need to take any action because protections will be downloaded and installed automatically. Windows users who don’t take advantage of the automatic updates feature of Windows (or who don’t wish to wait around for it to install the patch) can do so by visiting Windows Update.

117 thoughts on “Microsoft Issues Fix for IE Zero-Day, Includes XP Users

  1. tcement

    Usual quality MS work.

    Just applied IE8 patch to one of my XP systems and rebooted. Except boot never finished. And I could not invoke Task Manager. Of shut system down. However, the cursor did move.

    Rebooted cold and managed to get into system restore before whatever MS has done had taken hold. Restored to yesterday’s checkpoint and all systems go.

    Thanks, Microsoft.

    1. Likes2LOL


      I’ve seen too many of these Microsoft Updates cause problems — see the comment by “Ruth” in this thread and my earlier alert to Windows 7 users about the deficiencies of yesterday’s patch. (Way back when they broke the ability to write to floppies with a flawed fastfat.sys driver in the Windows 2000 “Update Rollup”, I learned they make a LOT of mistakes with their patches.)

      I always wait at least 3 days after a patch is released before updating, to let the rest of the world be the beta testers and work out the kinks; evidently, Microsoft doesn’t employ enough in-house QA testers anymore. Besides, I only use Internet Explorer for doing Windows Updates, so what’s the rush? πŸ˜‰

  2. Francis Underwood

    Well, we just updated all of Capitol Hill House of Representatives and Congress’ Windows XP clients and applied the last IE8 security patch. Looks like they’ll all be able to safely get back to work now, β€˜that is if what they call work is what the rest of the country considers work to be.’

    I love that Windows XP and IE8. I love them more than sharks love blood.

  3. wendy

    So what about Windows 8? Is there any worry here?
    What should I do to ensure my system safety?

    Thanks in advance….

  4. C/OD

    I just read another security breach story on Yahoo and it completely disappeared before I could copy it. Microsoft and Facebook have known and have stated they cannot fix it and what ever ;”IT” is they say it cannot be fixed and all are subject to it’s thorough attack from hackers.

      1. SES21

        Brian, is that one also known as “triple handshake” or is that a different one? Thanks…

  5. C?OD

    Brian . This is the one , covert redirect. thank you.

  6. Ruth

    Hi Brian,
    The update completely messed up my computer (Windows 7). I’ve spent the last 8 hours restoring it to a usable state. The restore point just prior to the update didn’t work. I had to go back to May 19. Has anyone else had this problem? I’m not sure what to do next. Do I install the patch and hope for the best, or live without it? Any help would be appreciated.

    1. BrianKrebs Post author


      I would start by installing any other available security updates first — if there are any. If so, take care of those, reboot. Back up your important documents, photos, etc. Then try the update again, and see if that works.

      Someone in an earlier comment pointed out that Microsoft released the following guidance for this patch;

      Known issues with this security update

      Internet Explorer will crash if you try to install this security update on a Windows 7-based system that does not already have security update 2929437 installed. To avoid this issue, take either of the following actions:

      * Install security update 2929437, and then install security update 2964358. For more information about security update 2929437, click the following article number to view the article in the Microsoft Knowledge Base:
      Description of the security update for Internet Explorer 11 on Windows 7 and Windows Server 2008 R2: April 8, 2014

      * Install security update 2964444 instead of security update 2964358. Security update 2964444 is intended for systems that do not have security update 2929437 installed.

      Clear as mud?

      1. Dean Hanna

        About not installing update 2964358 if you don’t have update 2929437 already installed on a machine with windows 7.
        Question : is this rule for all versions of IE or just for users with IE 11? Can you use the update 2964358 with out prior installation of 2929437 on say a windows 7 machine running IE 9. Microsoft has been no help to me and I support many machines and need answers. I hope to hear something while I still have hair left!!!

        1. Likes2LOL

          Hi Dean,

          Since nobody’s responded to you in a day, may I suggest trying these web sites:

          Fix Windows Update Error messages and other Windows Update issues

          Windows – Microsoft Community

          and especially:

          Security Update 2964358 very confusing…. – Microsoft Community

          I was the person who originally pointed out the 2929437 / 2964358 SNAFU in the earlier comment, but I only use XP with IE8, now only XP with Chrome and Firefox, so I can’t answer your question. Good luck! πŸ˜‰

          1. Dean


            Thank You very much, your information was a big help.


    2. Tool

      Please help us. What is the world like on May 19? Do you have a time machine?

  7. chasm22

    This is a little embarrassing to ask, but can anyone who’s running Chrome tell me if flash is updated even if you have your plugins disabled(not click to play, but disabled)? Thanks.

    1. coakl

      You can check it yourself, by comparing the Flash version numbers on the newest security bulletin for Flash, with the version number in Chrome (type chrome:plugins in the address bar to open the Plug-ins page.)

  8. chasm22

    If anyone can possible follow what I’ve been talking about here is the very latest visit to Windows Update. This has nothing to do with flash, but to me shows that there is something happening to anyone like me who visits Windows update regularly. BTW, you do get daily notices of important updates available, so it’s not like you have to look hard. You’re encouraged to do daily updates to the Windows Defender definition files. So here goes. First attempt is with(obviously not pertinent) flash player disabled, ActiveX filtering on, enhanced protected mode,etc. Second attempt made immediately afterwards. Look closely, you’ll notice the definitions are different. I’m only wondering why MS would be doing this and what exactly does anyone think they’re doing?

    1. Definition Update for Windows Defender – KB2267602 (Definition 1.173.1123.0)

    Installation date: β€Ž5/β€Ž2/β€Ž2014 4:36 PM

    Installation status: Succeeded

    Update type: Important

    2. Definition Update for Windows Defender – KB2267602 (Definition 1.173.1156.0)

    Installation date: β€Ž5/β€Ž2/β€Ž2014 4:38 PM

    Installation status: Succeeded

    Update type: Important

    Again, I’m not sure which exact box I’m checking to cause the difference, but it seems to me there is a difference. Two different definition files two minutes apart. Really guys, I’m a moron as to why this might be. My only guess is that MS is handing out definitions according to how you have IE setup since all the changes occur there or at least you make the changes under IE settings. Any guesses? Might it be because of one way your running 64 bit processes under ‘enhanced protection mode’ and under the other way you not?

    Sorry to be a nuisance on this, just trying to figure out what is best.

    1. JCitizen

      No two Defender updates will ever have the same KB number – never has. I should think this is reasonable as the definitions are never the same as per update as well.

      1. JCitizen

        I meant file sizes there, not the actual KB number itself – sorry for the confusion! :p

        Mine have always been KB915597 and have never changed – only the file sizes fluctuate.

    2. JCitizen

      I suspect since it was the same release date the KB numbers are the same, but the file sizes indicate a continuation for the same update. I imagine there is more than one location setting up these definitions, and no two updates have the same information in them even if they are the same KB number.

  9. Algeranon

    Serious ‘new’ vulnerabilities. Not sure if this site has addressed them yet:

    “vulnerability in OAuth and OpenID protocols. Be cautious, said the reports, of links that ask you to log in through well known sites such as Facebook and Google. The OAuth 2.0 and OpenID login tools are “used by many websites and tech titans” including Google, Facebook, and Microsoft, among others”

    1. goldi

      Isn’t this the Heartbleed issue? It was big news a few weeks ago then fell off the radar.

      1. timeless

        No. That’s an interoperability / implementation issue for sites for support Federation for login. For SSL/TLS, there are only a handful of implementations (NSS – formerly Netscape/Sun Microsystems, Microsoft, Apple, and OpenSSL).

        I’m not sure how many Federation implementations there are, it’s possible that many individual sites have their own individual hand-written implementations instead of using libraries.

        My understanding is that the specification clearly indicates the best practice here which would avoid this issue. Which is different than Heartbleed (where one commonly known vendor implementation happened to have what would normally be considered a bounds check error with information disclosure). [Specifications aren’t expected to say “don’t bounds check errors…]

        The Federation issue is more of a failure to implement a recommended piece of the specification, possibly as a shortcut of possibly thinking it would improve the User Experience.

  10. LauraMS

    Since downloading the patch (Ihave W7), Word keeps freezing and crashing. It had no problems before that and today it has been crashing every few minutes, anyone else having similar issues?

  11. WarnU

    I received 2 updates for Windows 8.1 –
    KB2964358 and KB2961887.

    After installation I could no longer access Windows Store.
    It could no longer update apps and would hog the CPU.

    Uninstalling updates did not solve the problems.
    However, restoring the system to just before the updates were applied DID.

    Now I am offered the same updates again and am not sure what to do.
    To install them and maybe run into the same problems or to leave a security hole open.

    Microsoft get your act together!

    1. AL

      I would clean your machine first before installing it again. Run CCleaner then Malwarebytes and make sure it runs good BEFORE installing again.

    2. JG

      after installing update 2964358(only), could not open IE8, cannot open Internet Options and Uaer Accounts.
      after unistalling the update, could do all these again.

      What should I do next? I would liked to be safe from the security threat.

      Should I install any previous update together with 2964358?

      I am running on xp

      1. JCitizen

        Try doing a clean install – run msconfig and disable all startup items, but leave the services alone, and reboot, then try it. Don’t forget to run msconfig again to reset to normal mode, but the system will remind you any way.

  12. kennth lee

    Suppose that a hacker installs some malicious malware in my computer via the Zero-Day Internet Explorer exploit. After I install the Microsoft provided fix, will my computer free of the malware (in my computer) attack?

    1. timeless

      No. That’s like coming home to your farm and fixing the fence after cattle rustlers have taken all your cattle.

  13. Christian

    I am glad they fixed this. XP is still out there and people still using XP and paying to keep support (Like agencies or government facilities from what I hear) and these patches are needed. I am especially glad at how quick Microsoft fixed this bug due to its extreme circumstances.

  14. Moonrabbit

    I just got done going back to a restore point, I think it was May 3rd, it wasn’t very far back anyway. The reason I did so was a minor aggravation but it’s one of my pet peeves – since the update earlier this morning, my list of Recently Used Files in MS Word had been wiped clean. After the system restore, the list is back. Yay!

    I decided to reset my updates from automatic to manual if this kind of nonsense is going to continue.

  15. Jim

    I use Firefox. Windows Update has this patch, but do I need to download it? I haven’t used Internet Explorer for 4 years. I do use other Microsoft programs like Word, however.

  16. Nanci

    Suppose a hacker has complete control over my computer via the Zero-Day Internet Explorer exploit. After I install the Microsoft update (KB2964358), can the SAME hacker be able to access my computer again?

    1. Al

      That depends on what the attacker did. If they compromised your computer and snooped around then left, then no after the update they could not break into it again using the same exploit. However if they broke in and added a different solution that did not use the zero day exploit then yes they could still get in.

  17. Praveen

    In our environment we have installed the latest security patch released for microsoft for IE and many users reported that IE is not opening after the patch update. user is getting a pop up to download a .htm file and save after which nothing happens.

    After the uninstall of the patch IE starts to work again ..

    Any one came across this situation ??

    1. JCitizen

      I don’t know Praveen, but I hope things straighten out now that the chair throwing monkey boy is gone!!

    2. JG

      Yes, after uninstalling the latest security update 2964358(only), IE8 starts running again on my xp system.

      But still concerned about this security threat bec need to surfing on the net; maybe it’s bec I didn’t download the last cummulative update together with this latest one?

  18. themeforest

    The other day, while I was at work, my cousin stole my iPad and tested to see if it can survive
    a 30 foot drop, just so she can be a youtube sensation. My apple ipad is now destroyed and she
    has 83 views. I know this is entirely off topic but I had
    to share it with someone!

    1. Likes2LOL


      Your story reminded me of a time years ago when I attended a FOSE trade show in DC and one of the vendors was touting “ruggedized” laptops for military purposes. I asked if it could withstand a 4 foot fall, and the sales guy said, “Um, yes, it should.” In front of other attendees, I asked if I could drop it on the floor right then and there to test that claim. The salesman took a deep breath and very reluctantly said, “Um, OK, go ahead.” So I dropped a running laptop on the floor (on its corner, for full effect), and like a Cameron Swazy (sp?) Timex watch, it survived the fall and came up ticking. I later advised the salesman, “If you want to sell ‘ruggedized’ laptops, it should be YOU dropping this thing on the floor all day long.” Not sure if it would have survived a 30 foot fall, though. πŸ˜‰

      P.S. Sounds like your cousin is trying to replicate the artistry of YouTube phenom dOvetastic:

Comments are closed.