Microsoft fixes 19-year-old Windows bug - but what about XP?

Microsoft patches a critical bug that's been lying dormant in Windows for two decades - but is Windows XP still vulnerable?

Barry Collins
13 Nov 2014

Microsoft has patched a critical bug that has been present in every version of Windows since Windows 95.

The bug was discovered by IBM researchers in May and was patched in this week's Patch Tuesday run, but with Windows XP no longer receiving security updates, the critical bug could still exist in what remains the world's second most used version of Windows.

The flaw could allow attackers to run code remotely on affected systems. "The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free," writes researcher Robert Freeman, on the IBM Security Intelligence blog.

Freeman says the flaw has been "sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32)".

"In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years," he adds. "Looking at the original release code of Windows 95, the problem is present."

The only Microsoft security bulletin dealing with an OLE flaw in this month's Patch Tuesday round-up says the patch has been applied to all currently supported versions of Windows, including Server 2003, 2008 and 2012, as well as Vista, Windows 7 and Windows 8.

Windows XP was, of course, not on the list, and Microsoft was unavailable to comment on whether the flaw still existed in that operating system at the time of publication. Organisations who have bought extended support for XP from Microsoft may well be covered, but millions of consumer PCs may now lie unprotected.

Spreading malware?

IBM's Freeman says there are many different ways in which attackers may be able to exploit the bug. "Typically, attackers use remote code execution to install malware, which may have any number of malicious actions, such as keylogging, screen-grabbing and remote access," he writes.

However, he concedes that IBM "hasn’t found any evidence of exploitation of this particular bug," before adding that "it is only a matter of time before we see them in the wild".

Freeman says the exploit would have commanded a six-figure sum if it had been sold before being patched. The bug has been rated 9.3 out of 10 on the Common Vulnerability Scoring System (CVSS).
