Microsoft Corp. has finally patched a critical bug in its software that had been present for the last 19 years but remained undiscovered. The bug, named WinShock, is present in every version of the most popular operating system from Windows 95 onward. It allows attackers to take over a computer remotely and control it. The bug was discovered by IBM Corp's cybersecurity research team in May, but they worked with the Microsoft team and prepared the patch before going public about the "significant vulnerability" in the operating system.
The bug, if not fixed, can allow hackers to use the software's Secure Channel technology, which handles SSL and TLS encryption, to take over the computer. Unsuspecting users need only visit a maliciously coded website to trigger the bug, after which cyber criminals can swipe cryptographic keys and theoretically spy on all their communications. Windows users are, therefore, being urged to download the updates.
Windows users need not panic, since they can simply grab the fix and move on. It will continue to be a headache for employers and for the sites they visit, though, because most companies are cautious about installing updates, not wanting to run into infrastructure problems. Those keen to avoid such attacks, however, will have no option but to update their software as soon as possible.
Microsoft has addressed the problem in its monthly security update, releasing 14 patches, with two more expected to be rolled out soon.
In a blog post explaining the vulnerability in depth, IBM researcher Robert Freeman wrote: "The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user's machine."
In computer security, a drive-by attack typically refers to users having malicious software downloaded onto their machine simply by visiting a web page.
The vulnerability has been graded as 9.3 out of a possible 10 on the Common Vulnerability Scoring System (CVSS), a measure of severity in computer security.
WinShock is being compared to other major problems with the operating system that came to light earlier this year, such as the Heartbleed bug. Experts are worried that, with the problem now public, there could be many attacks on out-of-date machines. The bug would probably have been worth more than six figures had it been sold to criminal hackers, the researchers added. Gavin Millard, from Tenable Network Security, said the fact that there had been no known attacks yet should not dampen concerns.