IBM Researcher Reveals Severe 19-year Old Flaw in All Versions of Windows

According to a report by Robert Freeman, at IBM's Security Intelligence blog, a serious flaw in Windows has existed since Internet Explorer 3.0 was released. And, actually it was the concoction of Windows 95, IE 3.0, and VB Script that produced the severe flaw. So, the vulnerability has existed for 19 years but, been exploitable for 18 years.

The IBM X-Force Research team identified the bug in May of this year, and immediately reported it to Microsoft. The existence of the flaw has been kept under wraps since then while Microsoft prepared a fix, which released this month as part of its regularly scheduled Patch Tuesday updates. The IBM team has rated the vulnerability with a score of 9.3 out of a possible 10 on the Common Vulnerability Scoring System (CVSS) and it exists in every version of Windows since Windows 95.

You might think that Microsoft's latest Enhanced Mitigation Experience Toolkit can help, but according to IBM:

The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free.

So, the only course it to patch, and patch quickly. Now that the vulnerability has been revealed by IBM X-Force Research, it won't be long before active attacks are discovered in the wild.

Freeman goes into full detail about how the exploit works in the blog post:  IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows