The bug has existed in every version of Windows since Windows 95, and would have allowed an attacker to run code remotely when the user visits a malicious website. IBM researcher Robert Freeman described the vulnerability as a “rare, ‘unicorn-like’ bug found in code that IE relies on but doesn’t necessarily belong to.”
According to Freeman, the bug stems from a vulnerability in VBScript, which was introduced in Internet Explorer 3.0. Even today, exploitation of the bug is not blocked by Microsoft’s anti-exploitation tool, the Enhanced Mitigation Experience Toolkit (EMET), or by the sandboxing features in Internet Explorer 11.
The good news is that there’s no evidence of anyone actually exploiting this vulnerability in the wild, and doing so would be technically tricky. IBM first reported the issue in May, and is only making it public now that a patch is available.
Of course, Microsoft’s latest patch only applies to Windows Vista and higher, as support for Windows XP ended in April. So if you’re running a 13-year-old operating system, you’ll have to grapple with a critical bug that’s even older.
Why this matters: As IBM points out, the discovery shows how significant vulnerabilities can evade detection for many years. But it also highlights a type of vulnerability—one that involves arbitrary data manipulation—that is fairly uncommon. IBM warns that there could be other, similar bugs that haven’t been discovered yet, with multiple exploitation techniques for attackers to install keyloggers, screen grabbers and remote access tools. Users are just lucky this one was caught—eventually.