At this late date, you’d like to think that all the really nasty vulnerabilities in legacy Windows systems have been identified. Wishful thinking. On Tuesday, Microsoft issued a patch for a critical, remotely exploitable vulnerability affecting Windows systems going back to Windows 95, one of 14 software fixes the company released.
The vulnerability in Microsoft’s OLE (Object Linking and Embedding) code is associated with CVE-2014-6332 and is already being used in targeted attacks online. It is among the most serious discovered in recent years, exposing Windows systems to remote attacks that can bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and Enhanced Protected Mode sandbox in the Internet Explorer browser.
The vulnerability was discovered six months ago and patched, officially, on Tuesday with MS14-064, which fixes a related OLE vulnerability, CVE-2014-6352).
Microsoft has also released a stop-gap tool that customers can use in lieu of the full patch. Microsoft has also issued an update to its EMET (Enhanced Mitigation Experience Toolkit), version 5.1, to accompany the patch. As the folks at Threatpost note: the Redmond, Washington, company is advising its customers to scan affected systems with the latest version of EMET prior to applying the patch.
MS14-064 received a criticality score of 9.3 and is described as a rare bug in Internet Explorer that opens avenues for man in the middle attacks. Microsoft first warned about the OLE hole in October.
The OLE fix was one of fourteen security fixes issued on Microsoft’s November Patch Tuesday. The folks over at Tripwire have a nice write-up of all the patches as well as links to related material.