Microsoft Patches 19-Year-Old Windows Flaw

IBM's X-Force has uncovered a flaw that has gone unpatched for at least 19 years. Big Blue researcher Robert Freeman called it a significant data manipulation vulnerability that impacts every version of Microsoft Windows from Windows 95 onward.

The good news is Microsoft issued a patch for CVE-2014-6332 on Tuesday. The bad news is hackers have had the ability to exploit it remotely since the days of Internet Explorer 3. Freeman described the complex vulnerability as a "rare, unicorn-like bug" that's found in code on which IE relies but to which it doesn't necessarily belong.

"The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine -- even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free," Freeman said in his report.

What's the Lesson?

Just because Microsoft patched it doesn't mean it's not worth exploring. There are lessons to be learned in the wake of any bug that went undetected for the better part of two decades. In some respects, the vulnerability has been "sitting in plain sight" for a long time even as many other bugs in the same Windows library were discovered and patched, Freeman said.

But here's the scarier part: This revelation indicates there may be other bugs still to be discovered that relate more closely to arbitrary data manipulation than to more conventional vulnerabilities such as buffer overflows and use-after-free issues, according to Freeman.

"These data manipulation vulnerabilities could lead to substantial exploitation scenarios from the manipulation of data values to remote code execution," he explained. "In fact, there may be multiple exploitation techniques that lead to possible remote code execution, as is the case with this particular bug. Typically, attackers use...
