Nearly two-decade old Windows bug Unicorn now saddled, bridled by security experts
If you’ve been putting off running your Windows Update, then you might want to end that procrastination. On Nov. 11, Microsoft released a patch for a bug that was discovered in May but which has been around since Windows 95, and it’s a big one.
Technically named CVE-2014-6332 but less formally referred to as “Unicorn,” the bug was found in Microsoft’s OLE code by IBM researchers, and was kept secret for most of the year as they worked on a fix for it. The bug has been around since Internet Explorer 3.0 and has bled into every subsequent version of Windows. All affected operating systems are theoretically vulnerable to a remote code execution (RCE) attack, which allows the attacker the same access and privileges the user would have.
This can be extremely detrimental to a user who is logged in with admin privileges: The attacker would have practically unlimited power to change computer settings in any manner they wanted. This doesn’t mean, however, that users who are logged in with limited access are out of the woods. Having gained remote access, many hackers will begin trying to expand their reach, and are sometimes successful obtaining admin privileges they did not start out with.
Though initially there was no indication that the exploit had ever been used, the publication of the bug and its patch was followed by a rash of CVE-2014-6332 attacks. On the same day the patch was announced, a Chinese researcher published a Proof of Concept for the exploit, and a “metasploit” was released the day after.
Following that, NSS Labs, a leading cybersecurity research and advisory firm, discovered the bug had been used on a South Korean website, while researchers from the antivirus firm ESET found a major Bulgarian news website had been compromised. NSS Labs reported watching for the vulnerability to start appearing in exploit kits.
IBM research manager Robert Freeman accidentally gave the vulnerability its name when, writing about its complexity and rareness, he referred to it as a “unicorn-like bug.” In a more sober vein, he also said attackers can use it for “drive-by” attacks to reliably run code and hijack machines remotely, and noted that it can bypass both the Enhanced Protected Mode sandbox in IE 11 and the Enhanced Mitigation Experience Toolkit, an anti-exploit tool of some caliber.
Freeman also worried about the bug’s age, pointing out that not only had the code been used in every OS since Windows 95, but also the possibility that there might be other bugs out there, and that after Unicorn, hackers will be looking for them.
Unicorn is a hacker’s dream. Any Windows OS from the last 19 years is made vulnerable just by visiting a specially designed webpage on Internet Explorer. Given certain conditions, there’s nothing the user can do to stop the hack. Yet although the bug is dangerous, it’s also fairly easy to avoid. Anyone using Internet Explorer should double check to be sure they’re caught up on their updates, and anybody using an alternative browser is home free.