Although Microsoft has told Windows XP SP2 users several times this year that it will retire the 2004 operating system on July 13, users may not realise that they will also not receive any IE security updates after that date.
Microsoft confirmed that users running Windows XP SP2 will receive no IE6, IE7 or IE8 patches after July 13. The company said there is no mechanism for offering IE-only patches to people using Windows XP SP2.
"Customers will need to install [Windows] XP SP3 in order to leverage the extended support (which includes security updates), which will run through April 2014," a Microsoft spokeswoman said.
"There is no differentiation for XP SP2 customers running IE."
The practice of linking browser patches to operating systems' support lifecycles is a longstanding Microsoft policy.
However, it means that users still relying on Windows XP SP2 will be at risk for exploits of any IE vulnerability that Microsoft patches after July 13.
According to data from Qualys, about half of all enterprise PCs running Windows XP were still using SP2 as of late last month.
Microsoft fixed six IE flaws June 8 during this month's Patch Tuesday. The next IE fix probably won't appear until August 10, after XP SP2 drops out of support.
Microsoft could deliver an 'out-of-band' patch before July 13 if an IE vulnerability popped up and the company hustled to craft and release a fix. However, there are no open Microsoft-issued IE security advisories.
A bug disclosed last week that can be exploited via IE - or any other browser - is not in IE, but in a Windows help component.
To continue to receive IE security updates, users must upgrade to Windows XP SP3, shift to a newer edition of Windows, or manually download the browser updates from Microsoft's site.
The latter, however, is not supported: Microsoft links IE updates to specific operating systems editions, and there is no guarantee that one labeled for XP SP3 will work with the older service pack.
Microsoft intends to support Windows XP SP3 until mid-April 2014.