Microsoft fixes '19-year-old' bug with emergency patch By Dave Lee

Technology reporter, BBC News Published duration 12 November 2014

image copyright Thinkstock image caption Microsoft's Schannel protocol is the latest secure standard to be affected by security woes

Microsoft has patched a critical bug in its software that had existed for 19 years.

IBM researchers discovered the flaw, which affects Windows and Office products, in May this year - but worked with Microsoft to fix the problem before going public.

The bug had been present in every version of Windows since 95, IBM said.

Attackers could exploit the bug to remotely control a PC, and so users are being urged to download updates.

In a blog post explaining the vulnerability in depth, IBM researcher Robert Freeman wrote : "The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine."

In computer security, a drive-by attack typically means making users download malicious software.

The bug had been "sitting in plain sight", IBM said.

The vulnerability - dubbed WinShock by some - has been graded as 9.3 out of a possible 10 on the Common Vulnerability Scoring System (CVSS), a measure of severity in computer security.

Six figures

One of the other bugs affects Microsoft's Windows Server platforms - putting the security of websites that handle encrypted data at risk.

Specifically, it relates to Microsoft Secure Channel , known as Schannel, Microsoft's software for implementing secure transfer of data.

Schannel now joins the other major secure standards - Apple SecureTransport , GNUTLS, OpenSSL and NSS - in having a major flaw discovered this year.

image copyright codenomicon image caption The bug has been likened to Heartbleed, a major security issue also affecting secure data transfer

Security experts had compared this latest flaw to other significant problems that had come to light this year such as the Heartbleed bug.

However, they added that while its impact could be just as significant, it might be more difficult for attackers to exploit.

As with Heartbleed, the exploit relates to vulnerabilities in the technology used to transfer data securely - known as SSL (Secure Sockets Layer).

Potentially 'disastrous'

There is no evidence the bug identified by IBM has been exploited "in the wild", but now that a patch has been issued and the problem made public, experts have predicted attacks on out-of-date machines would be "likely".

The bug would have probably been worth more than six figures had it been sold to criminal hackers, the researchers added.

Gavin Millard, from Tenable Network Security, said the fact there had been no known attacks yet should not dampen concerns.

"Whilst no proof-of-concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won't be long until one does, which could be disastrous for any admin that hasn't updated."

Follow Dave Lee on Twitter @DaveLeeBBC