This article is more than 1 year old

DAY ZERO, and COUNTING: EVIL 'UNICORN' all-Windows vuln - are YOU patched?

We will all remember the 11th of November

Security researcher Robert Freeman has discovered an 18-year-old, critical, remotely-exploitable vulnerability di tutti vulnerabiliti which affects just about ALL versions of Windows - all the way back to Windows 95.

The vulnerability (CVE-2014-6332) rated a critical score of 9.3 in all versions of Windows and was described as a rare "unicorn-like" bug in Internet Explorer-dependent code that opens avenues for man in the middle attacks.

The bug bypasses Redmond's lauded Enhanced Mitigation Experience Toolkit along with Enhanced Protected Mode sandbox in the flagship browser and was patched today some six months after it was reported, IBM's Freeman said.

"This complex vulnerability is a rare, 'unicorn-like' bug [that can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine," Freeman said.

"In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years

"In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32)."

Freeman said it was a "matter of time" before corresponding attacks surfaced in the wild.

It was the inclusion of VBScript in Internet Explorer that made the browser the most likely candidate for an attackers, Freeman said.

The discovery of the vulnerability could lead researchers an attackers to probe for more data manipulation bugs which may have been equally overlooked by security types.

"These data manipulation vulnerabilities could lead to substantial exploitation scenarios from the manipulation of data values to remote code execution," he said.

It was difficult to exploit the bug, plugged as part of Microsoft's Patch Tuesday that crushed a string of serious holes, in part because array element sizes were fixed.

The scant opportunity to place arbitrary data where VBScript arrays were stored on the browser heap and the enforcement of variant type compatibility matching further complicated attacks.

Attacks could be launched using existing public research including that described by Freeman.

A separate critical hole (MS14-066) affecting Microsoft's Secure Channel (SChannel) that implemented Secure Sockets Layer and Transport Layer Security protocols was also patched.

That flaw permitted remote code execution in all versions of Windows if attackers sent crafted packets to Windows servers. The patch fixed sanitisation issues in Schannel for crafted packets.

Redmond issued 14 patchesto fix holes across Windows, Office, and .NET while Adobe set out to plug 18 holes in Flash and Air that allowed attackers to hijack user machines by way of remote code execution. ®

More about


Send us news

Other stories you might like