clock menu more-arrow no yes

Filed under:

Microsoft patches critical bug that affects every Windows version since 95

New, 40 comments

A 19-year-old flaw

Microsoft has patched a critical flaw in Windows that has existed in every version since the introduction of Windows 95 more than 19 years ago. IBM security researchers discovered the flaw earlier this year and notified the software giant privately in May. The rare bug allows attackers to remotely execute code on an affected system just by convincing Windows users to visit a URL in Internet Explorer. IBM says the exploit can be triggered on Internet Explorer 3.0 onwards, and every currently supported version of Windows is affected.

"This vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library," says IBM researcher Robert Freeman. While Microsoft is providing patches for Windows 8.1, Windows 7, Windows Vista, and its various server releases, the company stopped supporting Windows XP earlier this year so consumers will not be protected if attackers attempt to exploit the bug. There’s no evidence this bug is being exploited in the wild yet, but it has been rated 9.3 out of 10 on the Common Vulnerability Scoring System (CVSS) so it’s well worth patching through Windows Update if you haven’t already.