Microsoft Sends Out Security Patches For ‘Unsupported’ Windows 7 And All Older Versions Of Internet Explorer

Microsoft Windows 7 and Internet Explorer may have officially exited the free support window, but the platforms continue to receive patches for critical security vulnerabilities that keep popping up. The company has just sent out a security patch to protect PCs from an actively exploited JavaScript engine bug. The security flaw can potentially allow a remote attacker to execute arbitrary code in the context of the current user.

Microsoft has sent out an important security patch not just for the Windows 7 operating system but also for multiple versions of Internet Explorer. Windows 7 was long ago replaced by Windows 8 and then by Windows 10, while IE was replaced by Microsoft Edge. Although the two platforms are officially outside the purview of free support, Microsoft has routinely made exceptions and sent out patches to plug security holes that could be exploited to take administrative control or remotely execute code.

Microsoft Patches New And Actively Exploited Security Bug In IE On Windows 7 OS:

A newly discovered and actively exploited security bug has been successfully patched by Microsoft. The security vulnerability, officially tagged as CVE-2020-0674, was being exploited in the wild. Microsoft has offered more details about the flaw. The official description of CVE-2020-0674 reads as follows:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

How Should Windows 7 And Internet Explorer Users Protect Themselves From The Newly Discovered Security Vulnerability?

The newly discovered security flaw in Internet Explorer is surprisingly easy to exploit. The exploit can be triggered via any application that can host HTML, such as a document or PDF. Although Windows 7 and IE users are most vulnerable, even Windows 8.1 and Windows 10 users are being targeted. In addition to these Windows OS versions, Microsoft is releasing a patch for Windows Server 2008, 2012, and 2019.

It is quite likely that Microsoft has issued the security patch as a non-optional update to address the vulnerability. Moreover, Microsoft has been strongly urging all Windows 7 and Windows 8.1 users to upgrade to Windows 10. The company still allows the free upgrade to Windows 10.

Microsoft has offered security patches for such unsupported platforms in the past. Moreover, the company does offer the Extended Security Update (ESU) program. However, it is strongly recommended to upgrade to Windows 10 as soon as possible.

Alap Naik Desai
A B.Tech Plastics (UDCT) and a Windows enthusiast. Optimizing the OS, exploring software, searching and deploying solutions to strange and weird issues is Alap's main interest.