As part of this week's Patch Tuesday cycle, Microsoft rolled out an update for a critical security flaw that's been present in Windows since the launch of Windows 95. IBM's X-Force Research team discovered the bug and notes that it has been remotely exploitable since the introduction of Internet Explorer 3.0 and that attackers can bypass IE11's Enhanced Protected Mode (EPM) and Microsoft's Enhanced Mitigation Experience Toolkit (EMET).
First, this means that significant vulnerabilities can go undetected for some time. In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years. The problem is present in the original release code of Windows 95. With the release of IE 3.0, remote exploitation became possible because it introduced Visual Basic Script (VBScript). Other applications over the years may have used the buggy code, though the inclusion of VBScript in IE 3.0 makes it the most likely candidate for an attacker. In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32).