El Reg reports:
The vulnerability (CVE-2014-6332) rated a critical score of 9.3 in all versions of Windows and was described as a rare "unicorn-like" bug in Internet Explorer-dependent code that opens avenues for man in the middle attacks.
The bug bypasses Redmond's lauded Enhanced Mitigation Experience Toolkit along with Enhanced Protected Mode sandbox in the flagship browser and was patched today some six months after it was reported, [IBM security expert Robert] Freeman said.
"This complex vulnerability is a rare, 'unicorn-like' bug [that can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine," Freeman said.
"In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years
"In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32)."
(Score: 2) by cykros on Thursday November 13 2014, @09:38PM
For the same reason that assuming anything without evidence is a bad idea.
By the same token though, it would be equally foolish to assume the NSA didn't know about this for 19 years.
Acknowledging ignorance on matters on which one is ignorant is probably in this case, as in others, the right way out. Suspicion is one thing, and isn't inherently a problem, but jumping to conclusions based on logical fallacies is hardly something to endorse.