Microsoft patches 20-year-old Windows security flaw

OLE-based vuln thought to be present in all versions of OS since 1995

Tags: IBM (www.ibm.com), Microsoft Corporation, USA
By Stephen McBride. Published November 13, 2014

Microsoft yesterday patched a two-decades-old security flaw in Windows that allows malicious actors to remotely take control of entire systems, online media reported.

The vulnerability has existed since 1995, in all versions of Redmond's OS. It was reported this week by IBM security researcher Robert Freeman and patched by Microsoft yesterday, according to TechRadar.

The hole lies in OleAut32.dll, a code library used for linking files together, such as when a user includes an Excel spreadsheet in a Word document. When Microsoft included VBScript in Internet Explorer, attackers could gain access to systems through malicious websites.

In a security blog, Freeman described the bug as "unicorn-like", because of its rarity and the fact that it had remained undiscovered for so long.

"In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years," he said.

Freeman indicated that, despite its longevity, the vulnerability had yet to be exploited in the wild, but he said that, prior to Microsoft's fix, it would be a "matter of time" before it was.
