0-day Internet Explorer vulnerability patch ships today, even for XP

Martin Brinkmann
May 1, 2014
Updated • May 2, 2014
Internet Explorer

Now that is unsuspecting. You may have read about the latest detected 0-day vulnerability in Microsoft's Internet Explorer that is affecting all versions of the browser regardless of operating system.

If not, read this post that explains how you can protect your version of Internet Explorer so that the vulnerability cannot exploited on your system.

Many news sites stated that this would be the first vulnerability that would not be fixed anymore for Windows XP after support of the operating system ended earlier this month.

This is however apparently not the case.

Microsoft announced an out-of-band release to address the vulnerability, and surprisingly included a patch for Windows XP as well.

We have made the decision to issue a security update for Windows XP users. Windows XP is no longer supported by Microsoft, and we continue to encourage customers to migrate to a modern operating system, such as Windows 7 or 8.1. Additionally, customers are encouraged to upgrade to the latest version of Internet Explorer, IE 11.

This means that last patch Tuesday was not the last patch day for Windows XP after all. While this is likely an exception rather than something that Microsoft will continue to do, it is nevertheless interesting that the company decided to release the XP patch.

Considering that XP usage numbers are still high, it is definitely a good move by Microsoft that is appreciated by many Windows XP users and system administrators who manage systems running the OS.

Microsoft will release the patch for all Windows operating systems later today. If you have automatic updates enabled you will receive the update this way. The update is marked as important, and a check right now listed it as one of the available updates already.

Note that Windows' automatic update feature may not check for updates right away. If you use Internet Explorer regularly, it is suggested to check for updates manually instead.

If you do not use Windows Update, download the update for your operating system from Microsoft's Security Bulletin page instead.

Microsoft notes that users should install the latest cumulative update for Internet Explorer before they install the new update as users may notice compatibility issues otherwise.

Internet Explorer 11 users who use Windows 8 need to have the 2919355 update installed prior to installing the newly released update by Microsoft.

Additional information about requirements and the update itself are available on the security bulletin page linked above.

Microsoft releases MS14-021 update to address 0-day vulnerability
Article Name
Microsoft releases MS14-021 update to address 0-day vulnerability
Microsoft has released an out-of-band patch for Internet Explorer to address a recently disclosed 0-day vulnerability.

Previous Post: «
Next Post: «


  1. Hy said on May 4, 2014 at 5:47 am

    Ars Technica weighs in: “Microsoft’s decision to patch Windows XP is a mistake”


    Martin and George, I understand well what you are saying. This situation is an interesting one. I finally, grudgingly, weaned myself off XP last month (and am enjoying some things about Windows 7) and got all of my family and friends off XP as well, because, as we’ve been told for months: there will be no more security patches released for XP after April 8. Expensive new computer purchases were made in several of these cases to accomplish this, stretching already-tight budgets. Then three weeks later, a security patch for XP is released.

    I can relate to the Ars commenter: “I’ve already had two follow-up calls from clients pretty much telling me that they don’t trust my advice anymore, since I’ve been reiterating over and over that Windows XP wouldn’t be receiving any more patches after the April date for the past year. I understand why Microsoft did it, and I agree that in the view of protecting systems online it’s better to have the patch then [sic] not; but from my perspective as a small-time contractual IT, it’s a net loss.”

    The Ars article makes an interesting point that when it comes to Internet Explorer, “virtually every time Microsoft updates one of its remaining supported platforms, the company will also simultaneously be disclosing a zero-day vulnerability for Windows XP.” It will be interesting to see how Microsoft deals with this, especially after this precedent, and how things will play out in the coming months…

  2. George Melendez said on May 3, 2014 at 4:30 pm

    Hi Martin…

    The IE security patch update is for Internet Explorer and not for XP OS… Yes, i understand that in order for the IE security patch to work on XP OS with Internet Explorer that Microsoft has to configure it but it is not a native or genuine XP OS security patch…. hope that i explained myself correctly…. the main idea is to secure IE and not XP OS…… but still XP OS benefits…..

  3. Hy said on May 3, 2014 at 2:46 am

    I see that Forbes has a different take on the whole thing: “Microsoft Saves Windows XP In An Act Of Utter Stupidity”


    FWW–I don’t, as they say, have a dog in this fight…

    1. Martin Brinkmann said on May 3, 2014 at 7:36 am

      I don’t agree with his take on the issue.Releasing a patch for XP after end of support does not mean that Microsoft will have a harder time getting users to upgrade. It just means that systems remain safe for the time being which is a good thing.

  4. 35 said on May 2, 2014 at 5:25 am

    Update KB2919355 is not available for Windows 7.

    1. Martin Brinkmann said on May 2, 2014 at 8:34 am

      Right, I add the information.

  5. Tom said on May 2, 2014 at 3:26 am

    Is there an easy way to check whether you have installed the required prior patch ” Internet Explorer 11 users need to have the 2919355 update installed prior to installing the newly released update by Microsoft” It’s not that easy to pick out one single patch among the hundreds of patches.

    Also, reading up on this patch 2919355 it seems it was previously offered for Win 8. I am running Win 7?

    1. George Melendez said on May 2, 2014 at 3:55 pm

      Just go to Microsoft up-dates and if you don’t have the required 2919355 update installed you will be advised to install it and then you can install the IE security patch… no sweat and simple….

    2. Martin Brinkmann said on May 2, 2014 at 8:33 am

      This is only necessary on W8, I add the information.

  6. steven said on May 2, 2014 at 12:09 am

    “Definitely a smart PR move on their part.” couldn’t agree more..

  7. Jim said on May 1, 2014 at 10:52 pm

    Definitely a smart PR move on their part. To just kick one of their largest customer segments to the curb when there is a vulnerability being actively exploited would have been a very bad idea, especially given the timing. Since the fix is to the browser and the browser is used across multiple Windows versions, I suspect the extra work to deploy it for XP was minimal. In the meme parlance, MS gets a “Good Guy Greg” rather than a “Scumbag Steve”.

    The danger is obvious, they have set an expectation for the future. No doubt they’ll get some grief when they finally do refuse to issue a fix. They’re pretty much in a “no win” situation.

    1. ilev said on May 2, 2014 at 7:03 am

      It has nothing to do with smart PR. It has everything to do with the danger of 400 million Windows XP PCs botnetted and attacking networks and other Windows PCs.

  8. George Melendez said on May 1, 2014 at 10:31 pm

    Good to know about this Microsoft update. I find it strange that it wasn’t installed automatically by Microsoft (Windows). I guess they know what they’re doing. Sometimes i ask myself, do they really know??? Good news for XP users……

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.