Thursday, November 13, 2014

MSFT Fixes an Old Bug


With help from IBM, Microsoft has patched a critical Windows vulnerability that flew under the radar for nearly two decades.

The bug has existed in every version of Windows since Windows 95, and would have allowed an attacker to run code remotely when the user visits a malicious website. IBM researcher Robert Freeman described the vulnerability as “rare, ‘unicorn-like’ bug found in code that IE relies on but doesn’t necessarily belong to.”

According to Freeman, the bug lies in VBScript, which was introduced with Internet Explorer 3.0. Even today, exploitation of the bug bypasses Microsoft’s anti-exploitation tools (the Enhanced Mitigation Experience Toolkit, or EMET) and the sandboxing features in Internet Explorer 11.

The good news is that there’s no evidence of anyone actually exploiting this vulnerability in the wild, and doing so would be technically tricky. IBM first reported the issue in May, and is only making it public now that a patch is available.

Of course, Microsoft’s latest patch only applies to Windows Vista and higher, as support for Windows XP ended in April. So if you’re running a 13-year-old operating system, you’ll have to grapple with a critical bug that’s even older.
