MS Patches 20 Year Old Exploit; XP Still Vulnerable

Brandon Dimmel's picture

Microsoft has patched a security vulnerability that somehow evaded detection for roughly twenty years. The bug has reportedly existed in every single version of the Windows operating system since Windows 95.

According to reports, the bug can allow a hacker to execute code remotely when a user visits a malicious website. IBM security expert Robert Freeman says the bug is related to a flaw in VBScript, which debuted with Internet Explorer 3.0 in the late 1990s. Freeman says that Microsoft's anti-exploitation tool, the Enhanced Mitigation Experience Toolkit (EMET), does not stop the bug from being exploited.

Flaw Called a "Rare, Unicorn-Like Bug"

In fact, Internet Explorer 11's advanced sandboxing features, which provide a controlled set of resources for untrusted programs, cannot effectively counter the threat. That's led Freeman to call the flaw a "rare, 'unicorn-like' bug". (Source: pcworld.com)

There's no substantial evidence to suggest that anyone has ever exploited the flaw, despite the fact that it's been around for two decades. IBM reportedly discovered the flaw six months ago but is only going public with it now that a patch has been made available.

Older Versions of Windows Remain Vulnerable

A patch was recently made available via Microsoft's November Patch Tuesday, but the flaw will only be fixed on systems running Windows Vista and up. In other words, Windows XP and all earlier versions of Windows remain vulnerable to the flaw because those systems have reached their end of life and are no longer supported by Microsoft.

IBM says this may not be the only vulnerability to survive. And while this particular bug appears to have eluded hackers, it should be seen as one more reason to move on from the Windows XP operating system to Windows 7 or Windows 8.

November 2014 Patch Tuesday Fixes 14 Vulnerabilities

In total, Microsoft's November Patch Tuesday releases address 14 vulnerabilities in the Windows operating system, Office, and Internet Explorer. That includes four bugs rated "critical", Microsoft's highest security rating. Most of the critical fixes address remote code execution flaws that could allow a hacker to take control of a system if a target visited a malicious website. (Source: networkworld.com)

An additional seven patches are being called "important", Microsoft's second-highest security ranking.

What's Your Opinion?

Are you still using Windows XP or any other earlier versions of Windows? If so, are you worried that vulnerabilities like this are no longer patched by Microsoft? Do you plan to upgrade your computer's operating system or buy a new computer in the near future?


Comments

Boots66's picture

Yes, at home I have upped the works to a whole new system with Win 8.1 Pro - the latest offered a short time ago. But at home I still have my Win XP Pro box running (carefully), and at work we are still using Win XP Pro.
Why - At work - so many applications need to be tried out on new OS's and then it has to be made sure that there will be no crashes, lost info, or any OOPS!
At home, I am still more comfortable working on that XP desktop, knowing where things are file-wise, information-wise and how to set things up. My kids also have incoming courses where some of the material still requires some of the older apps on my Win XP box to work - I could work to see if I could backdate them to work on Win 8.1 Pro, but again, I am really comfortable still with Win XP - It took me long enough to learn it, it is taking me as long to let it go. As far as I feel, they should still be supporting it!

tmd_3514's picture

I still run XP machines at work. One keeps trying and failing to install .net updates, so I've turned off its updates. But the other still has them enabled, and did run an update overnight Tues. Wouldn't that have been this?

I can't figure out how to view what updates have been installed, so can't tell.

Dennis Faas's picture

Microsoft is not supporting XP anymore, so you definitely didn't get this latest patch. If you need help figuring out which updates you have, I can help with that. I can also help fix any Windows machine(s) if they are stuck and not receiving updates; simply use the Contact link at the top of this page if you want to get in touch.

george.hooi_3516's picture

Like many other XP users, it has taken me time to learn about the OS including its different vulgarities and to be forced into re-learning everything new again in a new OS is daunting, to say the least. Besides that, who really has the extra time to do that these days between a hectic working schedule, and home and social life? Finally, consider too, the cost of upgrading the software, the apps and the peripheral legacy hardware like scanners and digitizers. Are we, the homeowners, made of money? The upgrade OS are already expensive - and many don't like being treated as "cash cows" for new OS versions that do not give us any real good reason for upgrading except that the old OS is no longer to be supported. This sounds too much like a manipulated product obsolescence tactic. And so, the hanging on to XP until I strike lottery, or get a windfall gain from a deceased relative's estate, or a pay rise or manage to save up enough for what I see as a discretionary expenditure than as a necessity to support M$.

petershaw's picture

Can I suggest a solution for George_hooi? I recently messed around with Linux Mint Cinnamon and installed it in its own partition on my Vista laptop. Since then I've rarely returned to Windows. It runs the vast majority of software I need and could probably run most of the rest if I took the time to discover how! Everything seems to happen faster such as startup which is a fraction of the time Vista takes on my now aging machine. I've still got Firefox, Chrome, LibreOffice, Google Earth, Picasa, Spotify, Skype to name a few of the wonderful programs I am grateful to use for free.

I'm not a Microsoft knocker and rather like Windows 8.1 on my wife's laptop but Linux nowadays offers a no cost viable alternative to aged versions of Windows and has a familiar graphical interface with a small learning curve. Underneath the GUI I've no skills or ability at all with Linux commands which is testament to how well it works.

Dennis Faas's picture

Most folks using Windows prefer to use Windows because it's widely used, familiar, and because it runs many programs already in use all over the world.

If you switch to Linux, please keep in mind that you won't be able to run Windows programs UNLESS you install a third-party program (such as Wine) to translate Windows API calls. There may be program incompatibilities, bugs, and additional processing overhead depending on what application you're using if you go this route.