Microsoft has issued an almost unprecedented warning about a vulnerability in its old operating system, Windows XP, after a flaw was discovered by security researchers at FireEye.
The statement read, “Microsoft is investigating new reports of a vulnerability in a kernel component of Windows XP and Windows Server 2003. We are aware of limited, targeted attacks that attempt to exploit this vulnerability.”
Microsoft also released an emergency patch to close the loophole, despite the fix apparently breaking some of the inbuilt features of the operating system. Microsoft has said that this patch is only a temporary solution, while a more permanent amendment to the system is being sought.
The flaw is known as a “local privilege escalation vulnerability,” and allows an attacker to escalate their privileges on an infected machine until they are able to inject their own code into its running processes, thereby taking control of the machine completely.
The flaw also affects the old server operating system Windows Server 2003, and the attack is run in conjunction with an already-known exploit that targets the latest versions of Adobe’s Reader software.
FireEye also issued a warning on its blog, stating, “we are collaborating with the Microsoft Security team on research activities.”
Microsoft reassured users of Vista and Windows 8, saying, “our investigation of this vulnerability has verified that it does not affect customers who are using operating systems newer than Windows XP and Windows Server 2003.”
Microsoft has also claimed that the vulnerability could not be exploited by a remote attacker. “An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users,” the company said, although the urgency with which they released the patch could belie that assurance.
The announcement comes just one month after Microsoft urged customers to upgrade to Windows 8.1 from XP by highlighting security concerns with the old operating system. So that might have something to do with it, too.