Microsoft has patched a Windows exploit that had existed for 19 years

On Tuesday, Microsoft issued a large number of security updates for its currently-supported versions of Windows. As it turns out, one of those patches was designed to fix an exploit that had existed in every version of the operating system for 19 years, or since Windows 95.

The flaw was first discovered by IBM in May and it shared that information privately with Microsoft. IBM stated:

"This complex vulnerability is a rare, "unicorn-like" bug found in code that IE relies on but doesn't necessarily belong to. The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free."

IBM said this flaw has allowed every version of Windows to be remotely exploited since the release of Internet Explorer 3.0 in 1996. So far, there's no evidence that hackers have found and have been using this security hole for attacks. However, the BBC quotes Gavin Millard, from Tenable Network Security, as saying:

"Whilst no proof-of-concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won't be long until one does, which could be disastrous for any admin that hasn't updated."

Perhaps the biggest concern is for all those PCs that are still running Windows XP, which Microsoft no longer supports or updates with security patches. The latest statistics for October by Net Applications showed that the 13-year-old Windows XP is still being used by 17.18 percent of PCs worldwide.

How concerned are you about this 19-year-old Windows flaw being used by hackers on PCs?

Source: BBC; IBM

CATEGORIES
John Callaham