19 Nov 2014

19-year-old bug ‘Exploit’ fixed by Microsoft

This week Microsoft patched a critical bug that has been present in every version of Windows since Windows 95. The bug, known as Exploit, was discovered in May by IBM researchers, and would have attracted over a million dollars on the black market had it been discovered by the wrong people.

The bug was fixed in the normal Tuesday patch run – but with Windows XP no longer receiving security updates, the bug remains unpatched on an operating system that is still very popular, particularly with businesses.

Left unpatched, the bug could allow attackers to run code remotely on affected systems. “The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free,” writes researcher Robert Freeman on the IBM Security Intelligence blog.

Microsoft has announced that the patch has been applied to all currently supported versions of Windows, including Server 2003, 2008 and 2012, as well as Vista, Windows 7 and Windows 8. Windows XP was excluded from the list, which means that millions of PCs around the world remain vulnerable to this bug.