As if we needed further proof that the Internet is truly the Wild Wild West, Microsoft has swooped in with the latest cybersecurity nope: a bug that has been stalking Windows users for 20 years.

We repeat: Twenty years.

The vulnerability is present in all versions of Microsoft Windows and allows non-authorized users to run code that will give them full access to your machine. In other words, it allows hackers in.

That bug had been living within an obscure legacy Microsoft protocol called CTF for two decades. CTF is part of the Windows' Text Services Framework, meaning computers running Windows connect to CTF to controls things like keyboard layout and text input methods.

youtubeView full post on Youtube

Tavis Ormandy, a researcher with Google Project Zero—a group of cybersecurity experts tasked with finding secret hackable bugs that are exploited by state-sponsored hackers and criminals—first found the flaw.

In May, he reported his findings to Microsoft. After the company did not address the issue after 90 days, Ormandy released details to the public earlier this week.

“These are the kind of hidden attack surfaces where bugs last for years," Ormandy wrote in a blog post. "It turns out it was possible to reach across sessions and violate NT security boundaries for nearly 20 years, and nobody noticed.”

This design flaw allows hackers to compromise an app, which can then launch new programs to take over. And if the first application was running with elevated privileges, the next program will also open with authorized privileges that were never granted.

    In practice, that means a bad actor could take over your Notes application and then open any other program that runs CTF, including your Internet browser.

    To ensure your machine running Windows is safe, download the latest security updates from Microsoft. On Tuesday, the software company released the patch for this vulnerability.

    Windows has auto updates by default, so you may not have to do anything. If you have auto updates turned off, though, switch them back on and download the patch.

    Source: Ars Technica

    Headshot of Courtney Linder
    Courtney Linder
    Deputy Editor
    Before joining Pop Mech, Courtney was the technology reporter at her hometown newspaper, the Pittsburgh Post-Gazette. She is a graduate of the University of Pittsburgh, where she studied English and economics. Her favorite topics include, but are not limited to: the giant squid, punk rock, and robotics. She lives in the Philly suburbs with her partner, her black cat, and towers upon towers of books.