On Tuesday, Microsoft released a bunch of security updates for its currently supported versions of Windows. Apparently their purpose was to fix a vulnerability that has been in every single one of its operating systems all the way back to Windows 95. Below is a statement that was sent to Microsoft by IBM, the discoverer of this vulnerability:
"This complex vulnerability is a rare, "unicorn-like" bug found in code that IE relies on but doesn't necessarily belong to. The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free."
IBM said this flaw has allowed every version of Windows to be remotely exploited since the release of Internet Explorer 3.0 in 1996. So far, there's no evidence that hackers have found this security hole or used it for attacks. However, the BBC quotes Gavin Millard, from Tenable Network Security, as saying:
"Whilst no proof-of-concept code has surfaced yet, due to Microsoft thankfully being tight-lipped on the exact details of the vulnerability, it won't be long until one does, which could be disastrous for any admin that hasn't updated."
All unsupported versions of Windows are at risk, since they won't be getting any security updates. Windows XP is the biggest concern: according to Net Applications, it is still being used by 17.18% of PCs worldwide.