Microsoft fixed a series of issues affecting a number of Windows-based operating systems, dating all the way back to Windows 95. Many were skeptical that an issue dating back 19 years could have gone uncorrected despite all of the rigorous testing and tampering that the systems and programs go through.
On Tuesday, though, Microsoft urged its users to download and install the patches as quickly as possible, regardless of the operating system they were running. In addition to noting that all systems were vulnerable, the company said that two more fixes categorized as “critical” will be rolling out in the near future as well.
According to the security bulletin MS14-066, the oldest and most critical of the issues had existed for 19 years. The bug was exploitable for the last 18 years, but IBM, which researched the matter, noted that there were no real-world cases of the bug being used to exploit information. IBM X-Force Research manager Robert Freeman noted, “The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine – even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free.”
He and the team categorized these types of issues within the system, even on the oldest of operating systems, as “data manipulation vulnerabilities,” which “could lead to substantial exploitation.”
IBM noted that potential ways hackers could take advantage of a computer affected by this type of bug include “keylogging, screen-grabbing and remote access.”
While the origin of the bug remains somewhat unclear, the IBM X-Force Research team noted that it was their belief that “the bug had originated with the introduction of IE 3.0 and the subsequent inclusion of Visual Basic Script in the browser.” The inclusion of VBScript is what they cite as the primary cause for concern, as it creates a vulnerable browser that is primed for an attacker to use.
Both the team and Microsoft were quick to note, repeatedly, that additional bug fixes would likely be rolling out in the near future, as there were a few other “data manipulation vulnerabilities” present that the company would like to solve.