Microsoft has patched a Windows exploit that had existed for 19 years

On Tuesday, Microsoft issued a large number of security updates for its currently supported versions of Windows. As it turns out, one of those patches fixes a flaw that had existed in every version of the operating system for 19 years, or since Windows 95.

IBM first discovered the flaw in May and privately shared that information with Microsoft. IBM stated:

"This complex vulnerability is a rare, "unicorn-like" bug found in code that IE relies on but doesn't necessarily belong to. The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free."

IBM said this flaw has allowed every version of Windows to be remotely exploited since the release of Internet Explorer 3.0 in 1996. So far, there's no evidence that hackers have found and have been using this security hole for attacks. However, the BBC quotes Gavin Millard, from Tenable Network Security, as saying:

"Whilst no proof-of-concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won't be long until one does, which could be disastrous for any admin that hasn't updated."

Perhaps the biggest concern is for all those PCs that are still running Windows XP, which Microsoft no longer supports or updates with security patches. The latest statistics for October by Net Applications showed that the 13-year-old Windows XP is still being used by 17.18 percent of PCs worldwide.

How concerned are you about this 19-year-old Windows flaw being used by hackers on PCs?

Source: BBC; IBM

John Callaham
107 Comments
  • If you still have XP then you deserve to get hacked!!!! Ok I'm just joking, but just saying...update already!
  • Agreed. Businesses need to update. They could be so much more efficient on newer software.
  • Sometimes software they rely on isn't available on newer OSes, and doesn't have an equivalent. My dad does powerpoints for his church and hasn't found a replacement for what he uses for the animated backgrounds, so he dual boots with 7.
  • Virtualize that shit.
  • All hail VMs !!!! I hear that, VM XP boxes....
  • Worst excuse. And also... Bollocks. :P
  • Have they looked into something like ProPresenter? Animated backgrounds and a lot more flexibility than what PPT (especially older versions of PPT) offers.
  • Microsoft Sway.
  • animating background? why didn't your dad use EasyWorship then, and use video backgrounds? Honestly, my church had been using Windows 8.1 and EW2009 for it.
  • I recently discovered VideoPsalm and have it installed on my W8.1 laptop. It has a feature for video/motion backgrounds and it's missionware (freeware).
  • They're waiting on Windows 10
  • You can't always update. I work in broadcast television and we have so many XP boxes running because A LOT of vendors still recommend XP as the go-to OS for their pieces.
  • Switch vendors.
  • Impossible. Millions of dollars worth of equipment is part of our infrastructure. Enterprise stuff really is a different beast. In enterprise there isn't a lot of competition on specialised software solutions like there is in the consumer space. But in my industry you can't virtualise these pieces that are connected to hundreds of thousands of dollars worth of hardware. I was at Ford Canada looking at cars - they were running a DOS-like GUI inside of an XP virtual machine running inside of Windows 7. It was like a bunch of Russian dolls.
  • Shame about all those cash machines that still haven't been upgraded!
  • It's not just cash machines.. Most of the POS self checkouts in the major supermarkets in UK are still on XP Embedded, I assume the regular checkouts are the same... Just no excuse for it, it's not like they didn't know XP EOL date years beforehand. They must have spent their IT budget on bonuses and salary increases for senior management instead.
  • But XP Embedded is still supported (until 2019 AFAIK)! So no problem there...
  • And, it's pretty easy to fool real XP into thinking it's the embedded edition, at least where updates are concerned.
  • Yeah you're right, forgot about extended embedded. Still, it's far less secure than Windows 8 and as they are handling our card details on these systems, they should be ahead of the curve, not the last holdouts of a vintage operating system.
  • If these POS/ATMs are off the internet (maybe a different subnet that does not have access to the internet), then there is very little worry or security problems (for external hackers). Most of these exploits come from hackers over the internet. Yea, if they're on the internet, they need to be replaced but, off, I bet they could live for years without problems...if not longer
  • >They must have spent their IT budget on bonuses and salary increases for senior management instead. Do you even realise how childish that sounds?
  • My school just updated to Windows 7 from XP a few months ago... Sheesh
  • then that's good, why not?
  • Very concerned considering it could permit drive by infections on every version of Windows since W95 and IE3.0. Yikes!
  • Ha..then what about XP?
  • Read maybe?
  • Because yolo lol
  • It's never too late to fix things. You can always make things right. *sad background music*
  • Are you Scrubsing? Because that music is now playing in my head.
  • They haven't patched yet the disaster called Windows 8. :P
  • Haha...
  • Win 10? Win 8.1?
  • Win 8 is good!
  • No, it's not. I'm not moving till Windows 10
  • Because they don't need to.
  • Stupid comment is stupid
  • I don't understand the hate for Windows 8. Yes, it's different, but once u learn it, it's way faster and more productive
  • @kingkoopa09 - Hear hear.
  • I get it, that the non-tech masses just believe the media hype "oh, Windows 8 is scary and bad", but I think it's odd that anyone who reads these forums believes that?
  • They didn't deliver a Patch for your brain. :\
  • You're a funny fella aren't you?
  • Windows 8 is fast n awesome ! Use it, learn it then talk..!
  • True that :)
  • It's a TLS bug that's affected every implementation going. OSX, Linux and now Windows.
  • Well handled by IBM and Microsoft for keeping it on the down low.
  • Yes MS, we still use XP and we love it! But we don't use Internet Explorer.. So why upgrade?
  • We? Lol...
  • Yes. Him and the other 5 geriatrics.
  • Why?!? Seriously wtf, you're loving it?? *mind blown*
  • Because IE is PART of the OS. Even if you don't use it, it's still there, and you're still vulnerable. Seriously, if you hate being up to date and/or running modern software, you should probably consider ditching your PC altogether.
  • Wow, it took six comments for the anti-IE crowd to post. You people are slipping.
  • Or IE is improved so much, they got caught off guard with this story...
  • 17% must be something in excess of 200 million computers currently running XP. I have 3. They do the job and are paid for.
  • This can happen only with MS....
    :-P
  • Well, that's blatantly untrue. But ok nice try.
  • Thank you iyae. As for you Meg(shhhh!)
  • So.. Does IBM just employ people to hack Windows for the government or something? Just curious how you'd find something like this.
  • There are people who test the software they are using :)
  • Just updated.
  • This one goes to all the people out there who find updates annoying and go out of their way to disable or postpone updates. Cheers and enjoy the show.
  • They just want to make the remaining 17.18 % of people finally switch to Windows 8.1 ;-)
  • Yeah I agree
  • I see this release as a way to 'force' people to update. They could've just fixed it and kept quiet and who knows how long before anyone would find it. Can't blame them too much though. They are in business to make money after all.
  • I always wondered why companies even advertise this kind of stuff. Just do it and don't say anything about it, which leads me to this quote from a quote in the article: "due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won't be long until one does" Wouldn't Microsoft being tight-lipped on the details make it less likely someone will take advantage of it? That's a weird quote. Nevertheless, they should've been 'no-lipped' on it, not 'tight-lipped'.
  • I guess that's one division of MS that leaks rarely happen
  • First Apple's security flaws, now this. The hackers must be busy lol.
  • What no update for Windows95 :D
  • Or 98? D:
  • Windows 3.1 why no update? I want notification center and Cortana integration on my Windows 3.1 machine pls.
  • Or ME? :'(
  • Microsoft growing up now? LOL
  • Whatever
  • Better late than never? ;)
  • It is not a big bug but I agree that it is like a nuclear bomb which is small but big
  • I don't care. If somebody gets hold of my pc remotely all they would get is may be some porn.
  • And your passwords and banking details...yeah no biggie. ID theft....aint nuttin but a thang! /s
  • Windows can resolve on a few test if system can Identify how it bypasses the intersecurity
  • Finally, xp will die, and older versions of internet explorer with it. This is a relief for web developers.
    On the other hand this is one of the great things of proprietary software, once you deliver a patch not everyone has to know how the exploit is made, I still feel sorry for all those Drupal sites that got hacked hours after the patch for a huge vulnerability was exposed.
  • I think they purposely release this information to get all XP machine upgrade to a newer version of Windows.
  • Very, a lot of businesses are still using XP and I imagine some are stuck in limbo given that Windows 10 is set for release spring / summer 2015. Which is just a few months away.
  • I don't know if this is still true, but I think Bank of America still use Windows 2000 NT to this day and been stubborn in upgrading their servers and OS
  • I know my insurance company still uses windows 2000 NT. I brought that up with my agent the last time I was in his office.
  • Problem with big companies has always been money. They invest so much on network technology and creating their own software, they find it better not to spend more with what works for them, until a security flaw is found to force them to spend. Just how Home Depot had found it the hard way keeping the old security files and OS from being hacked. They never want to spend anything
  • I read the title and immediately thought, "Anyone still on XP is totally screwed." Looks like the author and other commenters agree with me.
  • So this vulnerability has been there for 19 years? This means ALL iterations from 95 till 8.1 !!! I refuse to believe that they simply forgot about it, it was most certainly a backdoor for the intelligence community and whatnot. Now they advanced to a more modern backdoor and closed the old one, especially since they had no choice cause it was discovered by a third party. After 6 months they built a new backdoor and closed the old one. Well done, Microsoft, well done!
  • It doesn't work like that. They didn't "forget" about it; it's only recently been uncovered. That's what happens in software development -- bugs can remain undiscovered for weeks, months, years, or may even never be uncovered. Why do you think developers continue to release bug fixes so long after their applications are released?
  • Oh I see, I misread your post. A conspiracy theory. OK.
  • Well why do you even think like that ... they are providing you an ultimate tool ... and I don't think that they will do such a thing ...
  • Someone's been watching too much Fox News.
  • a bug older than many of the script kiddies themselves, classic!
  • Well, seems to me that it's just an act to make the business world using Windows XP to switch to at least Windows 7 ... maybe it's a plot... :D
  • Just updated tech preview and my windows 8 computer yesterday. Really, if you are still running XP you should stop being a moron. If you can't afford windows 7/8.1 to upgrade to, then either A) upgrade to tech preview if your computer has the chops to run it, or B) install a user friendly, free Linux distro like Linux Mint 17 or Elementary OS. There are other distros as well, they are all pretty good. In either case you should be wiping XP from your drive.
  • BSD : Why do people keep forgetting me? :'(
    BSD is better than Linux in my opinion
  • Perhaps because it's the same thing? UNIX is UNIX is UNIX. With a few exceptions, the command line and command line instructions are virtually the same no matter what version of Linux you run. Really it just comes down to personal preference and how much eye candy you want between the distros. I suggest trying several so you can find one you like
  • Updated
    :)
  • Finally it got patched. Microsoft is better than Apple in update department.
  • Makes IE...faster.
  • Well Linux fans will have a lot to say about this.
  • Patched all PCs, servers are next.
  • Priorities are backwards?
  • Guess who's going to be very worried... http://i.imgur.com/louqVBz.jpg   P.S.: how do you make images to show here?
  • Hoooo. Now I can sleep better.
  • That's how NSA have been spying everybody since 1996
  • Now that IBM has suckhacked all the information they needed from everyone they're going to tell us about the exploit they've been using for 20 years Haha
  • I don't care. I'm Linux user who just loves WP platform  
  • Thank you for the well written article John Callaham!
  • BBC (British Broadcasting Company) must change its Name to HEC (Hallucination Exaggerating Crazedom). They imagine that all people around the globe are super hackers, their channel is seen by 3 billion people daily, and what they imagine is the fact that others don't understand! Their staff remind me CIA staffs in 9/11 which reported the news about fallen towers are fake! when their agents witnessed the mess, shamelessly announced that we tracked them from the airport but our reaction was not early enough to prevent the terrorists from doing the action! There is a hidden bug that nobody noticed since 19 years ago. It's usual in even building constructions. The question is how fruitful is this bug for hackers? what is the income from entering in this way? The answer is Not easy to find and not worth to use, otherwise IBM was the first to abuse this bug against many companies.