Microsoft patches 19-year-old Windows bug

The flaw -- uncovered by IBM researchers in May and patched by Microsoft on Tuesday -- affected every version of Microsoft's desktop OS since Windows 95.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
Lance Whitney
3 min read

If only the Windows bug had been this obvious... CSIRO

Microsoft has patched a bug that went undetected for 19 years.

The security hole was discovered in May by IBM researchers, who then teamed up with Microsoft to fix it before publicly releasing its existence, BBC News reported Wednesday. The Windows bug, dubbed WinShock, could be used to remotely run code on a computer if the user views a malicious webpage via Internet Explorer. Once a machine would be infected, the attacker could control it remotely.

The flaw affected every version of Microsoft's desktop OS since Windows 95.

Revelation of a 19-year-old bug that needed to be squashed shows that major flaws in software can stay hidden for years. This reveals basic vulnerabilities in PC technology. For one, it's up to users to apply patches to keep their machines secure. Yet security-conscious users can still be at risk for malware infections if a particular bug goes unnoticed and unpatched by the powers-that-be.

"In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library," IBM researcher Robert Freeman said in a blog post Tuesday.

Freeman is part of the IBM X-Force Research team that discovered the bug. Freeman's team rated the bug with a CVSS (Common Vulnerability Scoring System) score of 9.3 out of 10, indicating extreme severity. Though the bug has existed for years, IBM hasn't detected any exploitation of it in the wild, meaning no machines have been detected as having been infected as a result.

"IBM X-Force has had product coverage with its network intrusion prevention system (IPS) since reporting this vulnerability back in May 2014, though X-Force hasn't found any evidence of exploitation of this particular bug in the wild," Freeman said. "I have no doubt that it would have fetched six figures on the gray market."

In Microsoft's FAQ on this vulnerability, the company explained how the bug could affect a user's system:

An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to the attacker's website, or by getting them to open an attachment sent through email.

As the bug itself relies on Internet Explore to spread, Microsoft said that the systems most at risk are those where "Internet Explorer is used frequently, such as workstations or terminal servers."

Microsoft has fixed this specific bug along with several others in its latest Patch Tuesday update earlier this week. For users with Automatic Updates enabled, the patches will install on its own. Those with Automatic Updates disabled should manually install the latest patches to ensure that their PCs are protected. The need to apply the patch is more critical now that the vulnerability has become public because hackers can exploit it to infect unprotected systems.