Microsoft Patches Ancient Vulnerability

Monday, November 17, 2014 @ 09:11 AM gHale

A data manipulation vulnerability affecting Microsoft operating systems going all the way back to Windows 95 received a fix on Patch Tuesday.

The flaw, which can be used in drive-by attacks, exists in code used by Internet Explorer. It has survived protections such as Enhanced Protected Mode (EPM) in IE 11, and exploiting it evaded even the detection of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) anti-exploit utility.

Researchers from IBM’s X-Force security research and development unit discovered the glitch and reported it to Microsoft in May this year, providing a proof-of-concept.

They said the bug has been present in code written 19 years ago, and it has been remotely exploitable, allowing an attacker to take control of an unpatched system, for the last 18 years.

“Looking at the original release code of Windows 95, the problem is present. With the release of IE 3.0, remote exploitation became possible because it introduced Visual Basic Script (VBScript).

“Other applications over the years may have used the buggy code, though the inclusion of VBScript in IE 3.0 makes it the most likely candidate for an attacker. In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32),” said researcher Robert Freeman in a blog.

The vulnerability is tracked as CVE-2014-6332, and at the moment there is no evidence attackers have used it in the wild.

Freeman said exploiting the bug is not simple because of the fixed size of the array elements in VBScript. In addition, two other issues complicate things even more.

“The first is that there is little opportunity to place arbitrary data where VBScript arrays are stored on the IE heap. The second issue is that, assuming you are now addressing outside the bounds of your VBScript array (Safe Array), you will find the unpleasant enforcement of Variant type compatibility matching,” he said in the blog.
