Microsoft fixes 19-year-old bug that allowed someone to remotely control PC

13 Nov 2014

Windows 95 launch memorabilia. Image via Marcin Wichary/Imgur

A 19-year-old bug in Microsoft’s Windows operating system has been fixed after researchers from IBM discovered it could allow a PC to be controlled remotely.

Known as CVE-2014-6332, the bug was included in Microsoft’s list of patches that have been released, and followed standard procedure by not making the public aware of the issue until after it had been fixed.

IBM’s X-Force Research team discovered the bug, the vulnerability described as a ‘unicorn-like’ rarity allows the bug access through Internet Explorer 3.0. Once a malicious piece of code had been placed in a system, it would eventually see the system being completely taken over.

The bug has existed on every version of Windows since Windows 95 and was completely immune to the efforts of Microsoft’s Enhanced Protected Mode sandbox introduced in Internet Explorer 11 and its Enhanced Mitigation Experience Toolkit, which was rated considerably high in terms of security.

Worryingly for Windows users, the IBM team feels the length of time this bug has been ‘hiding in plain sight’ could indicate there are other bugs existent in the operating system.

The most likely concerns that these potential bugs could raise include the ability to conduct arbitrary data manipulation, manipulate buffer overflows and issues relating to use-after-free software.

While a patch for the vulnerability has been issued for Windows Vista and above, the significant number of Windows XP users will still remain affected as Microsoft stopped officially giving support to arguably its most popular operating system.

At the last count, Windows XP still exists on 12.9pc of the world’s Windows-operated computers.

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com