Microsoft patches two-decade crack in Windows software

Microsoft issued an emergency patch Wednesday for a dangerous flaw that has existing in Windows operating software for nearly two decades.

The vulnerability, disclosed by IBM security researchers, has been in every Windows operating system since 1995 and could allow a hacker to take control of computers after luring Internet Explorer browser users to booby-trapped Internet pages.

A hacker who successfully exploited the weakness could have the same control of a machine as the user, but taking advantage of the flaw was deemed “tricky” and there was no evidence hackers had managed to pull off such a move.

“We released Security Bulletin MS 14-064 to help protect customers against this issue and customers with automatic updates enabled do not need to take an action as they are automatically protected,” Microsoft said in an email response to an AFP inquiry.

Robert Freeman of IBM X-Force said in a blog post: “This complex vulnerability is a rare, ‘unicorn-like’ bug found in code that IE relies on but doesn’t necessarily belong to.

“The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine.”

The software fix, labeled “critical” by Microsoft, was one of 32 patches released by the US technology titan as part of its routine update cycle.

Windows powers about 90 percent of computers worldwide.