Internet Explorer 3, really? Microsoft has paid attention to security since Windows 95, but it was really at the start of the last decade that things went into overdrive in terms of safety measures.
And it seems a rare data manipulation vulnerability from that era has just been fixed.
The issue started affecting the operating system after Windows 95 and has persisted to this day, more or less 18 years. Redmond finally got around to fixing the issue as part of this month’s security updates release, which you can find more about here.
The flaw existed in code used by Internet Explorer, starting with version 3, and apparently survived a number of security mechanisms in place, including Enhanced Protected Mode (EPM).
It even evaded the anti-exploit utility in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
Luckily, security experts from the IBM X-Force security research and development unit discovered the glitch. As explained by researcher Robert Freeman:
“Looking at the original release code of Windows 95, the problem is present. With the release of IE 3.0, remote exploitation became possible because it introduced Visual Basic Script (VBScript).
Other applications over the years may have used the buggy code, though the inclusion of VBScript in IE 3.0 makes it the most likely candidate for an attacker. In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32).”
So essentially, this was a security issue that had been lying around for the past 19 or so years, only to be discovered in May this year, when the IBM team provided a proof of concept to Microsoft.
This is quite similar to the Shellshock bug that was hidden for 20 years on Linux.
Anyway, this particular vulnerability is now being tracked as CVE-2014-6332, and luckily, there have been no signs of it being exploited in the wild.