Microsoft Just Patched a 19-Year-Old Windows Security Flaw

Windows 95 310x

IBM discovered a bug dating back to the earliest days of Windows 95.

How’s this for a throwback? Microsoft, with help from IBM, just patched a Windows security vulnerability that dates back 19 years.

The security flaw, officially called CVE-2014-6332 but now nicknamed WinShock, is a “significant data vulnerability,” that is present in every version of Windows going back to Windows 95. That means virtually every Windows machine you have used spanning three decades is vulnerable to this flaw. Even worse, the flaw could be exploited remotely through any version of Internet Explorer dating back to IE 3.0.

WinShock is a classic vulnerability, and not just in age, as it’s a classic remote code run flaw. If a user running IE 3.0 or later visited the right ne’er-do-well webpage, malicious code could be remotely run on the machine.

The flaw was discovered by members of an IBM research team back in May. They reported the flaw to Microsoft (both companies kept it a secret until the fix was pushed out), which issued a fix earlier this month. The same team rated the flaw a 9.3/10 using the Common Vulnerability Scoring System (CVSS), classifying the flaw as Extreme.

“…significant vulnerabilities can go undetected for some time,” said IBM X-Force Research Team Manager Robert Freeman. “The buggy code is at least 19 years old and has been remotely exploitable for the past 18 years. Looking at the original release code of Windows 95, the problem is present…this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library.”

You can read IBM’s full report on the exploit here.

Source: Microsoft TechNet | IBM Security Intelligence

About the author