Microsoft Corporation (NASDAQ:MSFT) recently released an emergency patch to fix a 19-year-old software bug. Last May, researchers from International Business Machines Corp. (NYSE:IBM) first discovered the bug, which affects both Windows and Office products.
Microsoft’s latest bug issue
The bug has been in every single version of Windows, starting with Windows 95. It allowed attackers to easily take control of a computer remotely. The software maker has since addressed the issue and issued 14 patches. The company plans to release two more patches.
Robert Freeman, a researcher for IBM, elaborated in a blog post, “The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine.”
A drive-by attack means users are forced to download malicious software. IBM claims the bug has been sitting in plain sight. It also exists in the Windows Server Platforms, which puts the security of encrypted websites at risk. This is related to Microsoft’s Secure Channel (often referred to as Schannel), which is used to implement secure data transfer.
How the latest bug compares to Heartbleed
Schannel joins the long list of security standards discovered to have a major flaw. Other standards in this list include Apple SecureTransport, GNUTLS, OpenSSL, and NSS. This latest bug has been compared to Heartbleed, a bug that affected people last year. It was reported that though the recent bug could be just as significant as last year’s, it may be harder for attackers to exploit. The Heartbleed bug exploited vulnerabilities in software used to transfer secure data (Secure Sockets Layer).
At press time, there is zero evidence the new bug was exploited before it was discovered. However, now that the bug is known to the public and the patches have come out, attacks on out-of-date machines are likely. This bug would have been worth over six figures.