Microsoft fixes '19-year-old' bug with emergency patch

Osaban · Nov 13, 2014

http://www.bbc.com/news/technology-30019976

Microsoft has patched a critical bug in its software that had existed for 19 years.

IBM researchers discovered the flaw, which affects Windows and Office products, in May this year - but worked with Microsoft to fix the problem before going public.

The bug had been present in every version of Windows since 95, IBM said.

Attackers could exploit the bug to remotely control a PC, and so users are being urged to download updates.
Click to expand...

Veeshush · Nov 13, 2014

Always makes you think about how many other ones aren't known about yet.

SweX · Nov 13, 2014

"Attackers could exploit the bug to remotely control a PC, and so users are being urged to download updates."
So no bad guy has taken advantage of this during the 19 years

"but worked with Microsoft to fix the problem before going public."
Good, other "researchers" should do the same.

Osaban · Nov 13, 2014

I presume that XP won't be patched, even though the bug has been there for 19 years....

DR_LaRRY_PEpPeR · Nov 13, 2014

XP is already fixed, same time as the others, like it will be for the next 5 years.

ronjor · Nov 13, 2014

Superbugs: 10 software bugs that took way too long to meet their maker

By Phil Johnson, ITworld | November 13, 2014

Here we present 10 examples of software bugs that were particularly long-lived - not all of which have yet been fixed.
Click to expand...

http://www.itworld.com/article/2846...at-took-way-too-long-to-meet-their-maker.html

MrBrian · Nov 14, 2014

Public exploit available.

MrBrian · Nov 14, 2014

A Killer Combo: Critical Vulnerability and ‘Godmode’ Exploitation on CVE-2014-6332

CloneRanger · Nov 14, 2014

Solutions and Recommendations

From MrBrians's link

We highly recommend users to implement the following best practices:

1. Install Microsoft patches immediately. Using any other browser aside from Internet Explorer before patching may also mitigate the risks.
2. We advise users also to employ newer versions of Windows platforms that are supported by Microsoft.
Click to expand...

My solution

Install a Script intercepter/blocker such as ScriptDefender http://www.analogx.com which works fine on, for eg my XP/SP2. Try it on your OS

Rmus · Nov 14, 2014

MrBrian said: ↑

A Killer Combo: Critical Vulnerability and ‘Godmode’ Exploitation on CVE-2014-6332
Click to expand...

From the article:

About the CVE-2014-6332 Vulnerability

The bug is caused by improper handling resizing an array in the Internet Explorer VBScript engine. VBScript is the default scripting language in ASP (Active Server Pages). Other browsers like Google Chrome do not support VBScript, but Internet Explorer still supports it via a legacy engine to ensure backward compatibility.
Click to expand...

Microsoft Security Bulletin MS14-064 - Critical
https://technet.microsoft.com/en-us/library/security/ms14-064

The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Click to expand...

It appears that if you don't use Internet Explorer, this exploit on a web page won't run.

----
rich

Log in or Sign up

Microsoft fixes '19-year-old' bug with emergency patch

Osaban Registered Member

Veeshush Registered Member

SweX Registered Member

Osaban Registered Member

DR_LaRRY_PEpPeR Registered Member

ronjor Global Moderator

MrBrian Registered Member

MrBrian Registered Member

CloneRanger Registered Member

Rmus Exploit Analyst

Log in or Sign up

Microsoft fixes '19-year-old' bug with emergency patch

Osaban Registered Member

Veeshush Registered Member

SweX Registered Member

Osaban Registered Member

DR_LaRRY_PEpPeR Registered Member

ronjor Global Moderator

MrBrian Registered Member

MrBrian Registered Member

CloneRanger Registered Member

Rmus Exploit Analyst

Useful Searches