Internet Explorer 3 Security Flaw Finally Fixed After 18 Years

The flaw existed in code used by Internet Explorer, starting with version 3, and apparently survived a number of security mechanisms in place, including Enhanced Protected Mode (EPM). It even evaded the anti-exploit utility in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Luckily, security experts from the IBM X-Force security research and development unit discovered the glitch. As explained by researcher Robert Freeman:

“Looking at the original release code of Windows 95, the problem is present. With the release of IE 3.0, remote exploitation became possible because it introduced Visual Basic Script (VBScript). Other applications over the years may have used the buggy code, though the inclusion of VBScript in IE 3.0 makes it the most likely candidate for an attacker. In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32).”
So essentially, this was a security issue that had been lying around for the past 19 or so years, only to be discovered in May this year, when the IBM team provided a proof of concept to Microsoft. This is quite similar to the Shellshock bug, which was hidden for 20 years on Linux. Anyway, this particular vulnerability is now being tracked as CVE-2014-6332, and luckily, there have been no signs of it being exploited in the wild.
