Microsoft has issued emergency patches for a flaw that affects all supported versions of Windows. It’s a nasty one – a vulnerability in Windows’ implementation of the protocols for encrypting internet communications.
The critical flaw lies in Secure Channel (Schannel), a security package – used by Internet Explorer — that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. While there’s no evidence of its exploitation yet, it allows attackers to remotely execute code on the target’s machine and take it over, so it is imperative that all Windows users run an update immediately.
The CVE-2014-6332 vulnerability, dubbed “WinShock” by someone because scary things need catchy names, was found by IBM‘s X-Force Research team and reported to Microsoft in May. In a Tuesday blog post, X-Force manager Robert Freeman noted that it had been present in Microsoft’s operating system since Windows 95, if not earlier.
Freeman wrote that the bug has been remotely exploitable for 18 years, adding that the length of time it went undetected means there may be more bugs in Windows that relate to arbitrary data manipulation.