El Reg reports:
The vulnerability (CVE-2014-6332) rated a critical score of 9.3 in all versions of Windows and was described as a rare "unicorn-like" bug in Internet Explorer-dependent code that opens avenues for man in the middle attacks.
The bug bypasses Redmond's lauded Enhanced Mitigation Experience Toolkit along with Enhanced Protected Mode sandbox in the flagship browser and was patched today some six months after it was reported, [IBM security expert Robert] Freeman said.
"This complex vulnerability is a rare, 'unicorn-like' bug [that can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine]," Freeman said.
"In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years."
"In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32)."
(Score: 3, Funny) by c0lo on Thursday November 13 2014, @03:02AM
Yes, but... will it run on Linux?
(ducks)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @03:45AM
Perhaps it will with the event of .NET becoming open source :D
(Score: 3, Informative) by Hairyfeet on Thursday November 13 2014, @04:30AM
It won't run on Windows so my guess is no, it won't run on Linux either. For this thing to work they'd have to 1. find somebody allowing VBScript from third-party websites to run, 2. have no antivirus or antimalware protection at all because otherwise the script would be blocked AND guess exactly which memory pointer (with ASLR? yeah right) has execution AND somehow get a memory leak that would let you somehow cook up a VBScript object that wouldn't get blocked by DEP or stopped by an AV....yeah you've got better odds of winning the Powerball than pulling this thing off.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
(Score: 1, Interesting) by Anonymous Coward on Thursday November 13 2014, @05:25AM
Let's see: It's rated critical and got a CVSS score of 9.3/10.0.
We all know that M$ doesn't pay any attention to vulnerabilities until the number of victims reaches critical mass.
Ergo, a bunch of Windoze users obviously got zapped.
-- gewg_
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @04:58AM
At least exploiting a 19 year old is legal...
(Score: 5, Insightful) by Whoever on Thursday November 13 2014, @04:36AM
Why should anyone not assume that the NSA has not been aware of it for 19 years?
Also, how many times has Microsoft claimed to have completely re-written Windows? Obviously those claims were "exaggerated"!
(Score: 1) by andersjm on Thursday November 13 2014, @06:47AM
I'll take a wild guess: 0 times.
(Score: 2) by mcgrew on Thursday November 13 2014, @02:23PM
Why should anyone not assume that the NSA has not been aware of it for 19 years?
Why should anyone not assume that the other black hats have not been aware of it for years? I wrote the following in 2002:
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by jcross on Thursday November 13 2014, @02:59PM
I haven't bothered to look into what the bug is (since I'm lucky enough not to have to use Windows), but some kinds of bugs are in the design or protocol itself, and can easily survive a rewrite. These kinds of bugs are also often the hardest to fix once you discover them because the design is baked in all over the place.
(Score: 2) by cykros on Thursday November 13 2014, @09:38PM
For the same reason that assuming anything without evidence is a bad idea.
By the same token though, it would be equally foolish to assume the NSA didn't know about this for 19 years.
Acknowledging ignorance on matters on which one is ignorant is probably in this case, as in others, the right way out. Suspicion is one thing, and isn't inherently a problem, but jumping to conclusions based on logical fallacies is hardly something to endorse.
(Score: 2) by aristarchus on Thursday November 13 2014, @04:39AM
Always knew that it would pay off! Hehehe! Wait! No! This is not at all helpful! I have to admit that free software has also had its share of vulnerabilities, quite a few quite recently. And I have to say that people who enthrall themselves to the Dark Side for personal advantage and general suck-up-ishness are still on the whole quite nice people whom I would not trust in a room once the lights went out. Only six months after reported. That's not bad. After having been out there for 19 years. NSA exploit # 12437709, probably. Let's leave behind the worst part of the Apple fanbois-ism and Windows paid shills that used to exist on another news site, in an internet far, far away. Wait! (again!) Is this a gewg post! Argh! Hoist by someone's petard! Smells like either oligarchy or a portal to hell, now with more mercury. I stop now, don't hate me.
(Score: 2) by cykros on Thursday November 13 2014, @09:50PM
While I too can be inclined to get a bit smug over a big Windows vulnerability, over the years, I'm inclined to suggest that the fallacy of "open source = secure" actually does more harm than good. Open source software has a LOT of very real benefits without us needing to make things up...and frankly, when we do, we end up bumping elbows with the likes of the systemd crowd...something I don't think we really want.
Software vulnerabilities happen, and while the handling of them can vary a bit from proprietary models to open source, it's not something either side has a silver bullet for. Better to clean up our own side of the street before we go pointing to the mess on the neighbor's side.
(Score: 3, Informative) by wonkey_monkey on Thursday November 13 2014, @08:16AM
19 Year Old Critical Remotely-Exploitable Windows Vulnerability Discovered
It was discovered months ago. It's just been revealed and fixed.
systemd is Roko's Basilisk
(Score: 3, Insightful) by mcgrew on Thursday November 13 2014, @02:36PM
Discovered by the white hats. We don't know how long the black hats have been using it.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by cykros on Thursday November 13 2014, @09:45PM
And while that may grind some gears, truth be told, it's probably better than revealing it and expecting that the majority of companies will be better off not having any real clear path to mitigate the vulnerability. Sure, some I'm sure would rather know immediately and handle it on their own, but given the way most companies I've ever encountered work, frankly, I'd say that this policy of revealing vulnerabilities once there is a patch is often enough more defensible than many would be inclined to suggest.
There is the potential counter argument that companies could at least have the chance to remove access to anything non-mission critical that would help mitigate the issue, but I would argue that if you're leaving services open you don't need, you're already choosing to compromise security best practices anyway. Just because it's a common thing to go chasing after every shiny feature out there doesn't in any way make it a good idea. Getting that through to the executives that fly to shiny things faster than any crow could dream of...well...this is why we drink (though, that analogy I just made has me now wondering if we can all agree that a group of executives, like crows, should probably be called a "murder").
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @05:08PM
/it feels so good