If you're nostalgic for the good old days of Windows 95, a time when Microsoft could do no wrong and ruled the personal computing market with an iron fist, well, this one's for you. Hidden among this week's Patch Tuesday fixes is a fix for a vulnerability that dates back to Windows 95 and is present in every version of Windows made since.
Yes. Microsoft just fixed a 19-year-old Windows bug, one that security researchers say has been remotely exploitable for 18 of those years. And while one might see some humor in that, the bad news is that it's actually a pretty serious problem as well.
"This complex vulnerability is a rare, 'unicorn-like' bug found in code that Internet Explorer relies on but doesn't necessarily belong to," IBM X-Force Research manager Robert Freeman writes in the official description of the episode. "The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine, even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free."
To put that last bit in perspective, the first version of Internet Explorer debuted alongside Windows 95 over 19 years ago, and the bug being described here thwarts security controls in version 11 of that software, which first appeared in October 2013. And EMET, currently in its fifth generation, dates back to the days of Windows XP.
Looking for meaning in such a long-lived bug, Mr. Freeman suggests that it may be time for further code review since attackers will no doubt begin exploiting this bug, which impacts literally billions of PCs around the world.
"There may be other bugs still to be discovered that relate more to arbitrary data manipulation than more conventional vulnerabilities such as buffer overflows and use-after-free issues," he notes. "These data manipulation vulnerabilities could lead to substantial exploitation scenarios from the manipulation of data values to remote code execution. In fact, there may be multiple exploitation techniques that lead to possible remote code execution, as is the case with this particular bug. Typically, attackers use remote code execution to install malware, which may have any number of malicious actions, such as keylogging, screen-grabbing and remote access."
IBM alerted Microsoft to the vulnerability in May, it says, and the software giant fixed it in this past week's Patch Tuesday drop. You can see the fix in security bulletin MS14-064, which has of course been rated as critical.
According to Microsoft, the bug resides in the Windows Object Linking and Embedding (OLE) technologies that debuted in the 1990s as a way for applications to share information with each other.
"This vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," the bulletin explains. "An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."
What this means, of course, is that Windows 10—due 20 years after Windows 95—will be the first version of Windows since then that doesn't include this bug. That said, the Windows Technical Preview and Windows Server Technical Preview are affected as well. So as of today, anyone running a supported version of Windows will want to install this fix through Windows Update.