Microsoft fixes severe 19-year-old Windows bug found in everything since Windows 95
With help from IBM, Microsoft has patched a critical Windows vulnerability that flew under the radar for nearly two decades.
The bug has existed in every version of Windows since Windows 95, and would have allowed an attacker to run code remotely when a user visited a malicious website. IBM researcher Robert Freeman described the vulnerability as a “rare, ‘unicorn-like’ bug found in code that IE relies on but doesn’t necessarily belong to.”
According to Freeman, the bug relies on a vulnerability in VBScript, which was introduced in Internet Explorer 3.0. Even today, the bug is impervious to Microsoft’s anti-exploitation tools (known as the Enhanced Mitigation Experience Toolkit) and the sandboxing features in Internet Explorer 11.