Microsoft today announced it is releasing an emergency patch for Internet Explorer to fix a zero-day flaw spotted in the wild. The security hole was found in IE6 through IE11, and the company says its update “is fully tested and ready for release for all affected versions of the browser.”

While this normally means all supported versions, this time is different. Microsoft is issuing a security update for Windows XP users as well, despite the fact that Windows XP is no longer supported by the company.

Here is Microsoft’s reasoning for the decision:

Even though Windows XP is no longer supported by Microsoft and is past the time we normally provide security updates, we’ve decided to provide an update for all versions of Windows XP (including embedded), today. We made this exception based on the proximity to the end of support for Windows XP. The reality is there have been a very small number of attacks based on this particular vulnerability and concerns were, frankly, overblown. Unfortunately this is a sign of the times and this is not to say we don’t take these reports seriously. We absolutely do.

This is a poor move on Microsoft’s part. The fact that the flaw was discovered soon after support ended doesn’t mean the company should backtrack on its stance. The company should be encouraging users off the ancient OS, which still has over 26 percent market share, not giving them a reason to stay on it.

Microsoft goes on to say that “just because this update is out now doesn’t mean you should stop thinking about getting off Windows XP and moving to a newer version of Windows and the latest version of Internet Explorer.” Unfortunately, actions speak louder than words.

Regardless of what version of IE you have on your system, you should update. Most Windows users have Automatic Update enabled, and will get the patch from there. If you prefer manual updates, this is not one that you should put off.

On the first Thursday of every month, Microsoft reveals what security patches it will be releasing on the second Tuesday of the given month. Yet today’s release is an “out-of-band” fix, meaning the flaw is severe enough that the company isn’t comfortable waiting any longer to address the vulnerability.

The original Security Advisory, issued on April 26, notes that FireEye first found the security hole. The security firm said at the time that the exploit was targeting IE9 through IE11, but the weakness is also present in all earlier versions as far back as IE6.
