Security flaw has been around since Internet Explorer 3.0

Nov 12, 2014 10:55 GMT

[Image caption] VBScript in Internet Explorer 3.0 allowed remote exploitation of the 19-year-old bug

A rare data-manipulation security weakness affecting Microsoft’s operating systems from Windows 95 onward received a fix on Tuesday as part of the company’s monthly updates; it can be used by a threat actor in drive-by download attacks.

The flaw exists in code used by Internet Explorer. It survived security mechanisms such as Enhanced Protected Mode (EPM) in IE 11, and exploitation of it also evaded detection by Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), the company’s anti-exploit utility.

Glitch has been remotely exploitable for 18 years

Experts from IBM’s X-Force security research and development unit discovered the glitch and reported it to Microsoft in May this year, providing a proof-of-concept.

They say that the bug has been present in code written 19 years ago and that it could have been exploited remotely to take control of an unpatched system for the last 18 years.

“Looking at the original release code of Windows 95, the problem is present. With the release of IE 3.0, remote exploitation became possible because it introduced Visual Basic Script (VBScript).

“Other applications over the years may have used the buggy code, though the inclusion of VBScript in IE 3.0 makes it the most likely candidate for an attacker. In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32),” says researcher Robert Freeman.

This is not the only glitch to escape the scrutiny of developers and researchers. The most recent case is the Shellshock bug in the Bash command interpreter for Linux and Unix systems, which lay hidden for more than 20 years before it was discovered.

The vulnerability is now tracked as CVE-2014-6332 and at the moment there is no evidence that it has been taken advantage of in the wild.

Attackers would have a tough time leveraging the flaw

Freeman says that exploiting the bug is not simple because of the fixed size of array elements in VBScript. Two other issues complicate matters further.

“The first is that there is little opportunity to place arbitrary data where VBScript arrays are stored on the IE heap. The second issue is that, assuming you are now addressing outside the bounds of your VBScript array (Safe Array), you will find the unpleasant enforcement of Variant type compatibility matching,” the researcher explains.

However, given the age of this bug, it is possible that cybercriminals will comb through old code to find more data-manipulation vulnerabilities that can be capitalized on in malicious activity.

Freeman believes that a bug of this nature could be worth upward of $100,000 / €80,000 on the vulnerability exchange market.

[Image gallery: Buggy code present since Windows 95 (3 images)]
- VBScript in Internet Explorer 3.0 allowed remote exploitation of the 19-year-old bug
- IE 6 drop count page displayed in IE 3
- Windows 95's awesome functionality and programs