
Yesterday, Microsoft patched a significant vulnerability that has been present, and exploitable through Internet Explorer, in every version of Windows since Windows 95.

Robert Freeman, Manager of IBM X-Force, a research team that analyzes attack vectors across multiple industries, discovered the vulnerability, now tracked as CVE-2014-6332, in May of this year and reported it to Microsoft. The two companies have been working on a fix since then.

In a recent blog post, Freeman explained why the bug was rated 9.3 out of 10 on the CVSS scale and what makes it so unusual.

“This complex vulnerability is a rare, ‘unicorn-like’ bug found in code that IE [Internet Explorer] relies on but doesn’t necessarily belong to,” explains Freeman.

Freeman goes on to explain that the bug, which some outlets have labelled “Winshock” (a name that more properly belongs to the separate Schannel flaw Microsoft fixed the same day, as noted below), can be used for drive-by attacks while bypassing both the Enhanced Protected Mode (EPM) sandbox in IE 11 and the highly regarded Enhanced Mitigation Experience Toolkit (EMET), the free anti-exploitation tool Microsoft offers.

At this time, there is no evidence that the bug has been exploited in the wild.

This is perhaps in part due to the difficulty of exploiting CVE-2014-6332. Fixed array element sizes, few opportunities for an attacker to place controlled data where VBScript arrays are stored on the browser heap, and the enforcement of variant type compatibility have all complicated exploitation until recently.

However, Freeman and his team expect this to change now that the vulnerability has been made public, particularly for attackers targeting machines that are not kept up to date.

It is therefore recommended that all Windows users install the necessary patches.

CVE-2014-6332 was fixed in bulletin MS14-064 on November’s Patch Tuesday, which also shipped 13 other security bulletins.

Those included MS14-066, which fixes a separate remote code execution vulnerability (CVE-2014-6321) in Microsoft Secure Channel (Schannel). It is this Schannel bug, not CVE-2014-6332, that was originally nicknamed “Winshock,” and the two have been widely conflated in coverage of the release.

Schannel is the Windows implementation of SSL and TLS. It provides encryption and authentication to clients that do not ship their own TLS library, Internet Explorer among them, and to server-side components such as IIS, Remote Desktop and LDAP over SSL, so the Schannel bulletin matters for servers as well as browsers.
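One way to confirm that both November bulletins are actually present across a set of Windows hosts, as an added example that is not code from the original article, from IBM or from Microsoft: the script below enumerates installed hotfixes on each host and reports which bulletin is missing. The KB numbers it maps to MS14-064 and MS14-066 are my recollection of the bulletin and component update IDs and are an assumption to be verified against the bulletins before use; the host list is a constructed sample.

```powershell
# Added example, not code from the original article or from IBM/Microsoft.
# Checks a list of Windows hosts for the November 2014 updates discussed above.
# The KB-to-bulletin mapping is assumed from memory; confirm it against the
# MS14-064 and MS14-066 bulletins before relying on it.
$RequiredUpdates = @{
    'MS14-064 (OLE/VBScript, CVE-2014-6332)' = @('KB3011443', 'KB3006226', 'KB3010788')
    'MS14-066 (Schannel, CVE-2014-6321)'     = @('KB2992611')
}

# Constructed sample host list; replace with your own inventory.
$Hosts = @('web01', 'sql01', 'file01')

foreach ($ComputerName in $Hosts) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering over WMI/DCOM and
        # needs administrative rights on the target host.
        $Installed = (Get-HotFix -ComputerName $ComputerName -ErrorAction Stop).HotFixID
    }
    catch {
        Write-Warning ("{0}: could not enumerate hotfixes ({1})" -f $ComputerName, $_.Exception.Message)
        continue
    }

    foreach ($Bulletin in $RequiredUpdates.Keys) {
        # Any one of the listed KBs indicates the bulletin's fix is present;
        # the exact KB installed varies by OS and IE version.
        $Found  = $RequiredUpdates[$Bulletin] | Where-Object { $Installed -contains $_ }
        $Status = if ($Found) { 'patched (' + ($Found -join ', ') + ')' } else { 'MISSING' }
        [pscustomobject]@{ Host = $ComputerName; Bulletin = $Bulletin; Status = $Status }
    }
}
```

The script emits one object per host and bulletin, so it can be piped to `Where-Object { $_.Status -eq 'MISSING' }` or exported to CSV. Get-HotFix only reports what the QFE inventory knows about; cross-check hosts that show as missing against WSUS or SCCM before treating the result as authoritative.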

Despite the difficulty of exploiting it, researchers are already comparing CVE-2014-6332 to other significant bugs, including Heartbleed.

  • bob

    Your article refers to this as a browser vulnerability but makes no reference to server vulnerability. OTOH Microsoft's site refers to it as a server vuln, but is non-specific on what Windows services might be affected. Is it only IIS? IIS running an SSL website? Networked file servers not running IIS on an intranet?

  • brain2000

    Be careful, the patch for this causes the LSASS.EXE process CPU to skyrocket on Web and SQL servers.