Microsoft on Tuesday issued a critical fix for a 19-year-old software bug that affects all existing Windows versions since Windows 95. IBM researchers discovered the bug this past May, and BBC reports that they “worked with Microsoft to fix the problem before going public.”
The bug can be used to remotely control a PC, therefore Windows users are urged to immediately download new security updates on their machines. The company has issued 14 patches to address the matter, with two more expected to be rolled out in the future.
“This complex vulnerability is a rare, ‘unicorn-like’ bug found in code that IE relies on but doesn’t necessarily belong to,” IBM said in a blog post. “The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free.”
Called WinShock, the vulnerability has received a 9.3 out of 10 score on the Common Vulnerability Scoring System (CVSS), which means it poses a significant threat to existing Windows users. The researchers further added that the bug would have been more than six figures if sold to hackers.
Apparently, hackers have not used this particular vulnerability to attack Windows machines so far, but now that a patch is available, some of them might use the bug to target those computers that aren’t immediately updated.