Skip to Content

Microsoft Just Closed a Security Gap That Affected Windows for Decades

Microsoft Corp. Launches Windows 10 In JapanMicrosoft Corp. Launches Windows 10 In Japan

Microsoft (MSFT) sewed up an important security vulnerability this week, which has apparently affected Windows for the past two decades, making it possible to hijack the data flowing over the victim’s network and run malicious code on targeted computers.

The so-called BadTunnel vulnerability was discovered by Yang Yu, the director of Tencent’s (TCEHY) Xuanwu security lab. It allows attacks through a variety of Microsoft products such as Internet Explorer, the new Edge browser and Microsoft Office, as well third-party applications.

Yu, who earned a $50,000 “bug bounty” for reporting the discovery to Microsoft, told security news website Dark Reading that BadTunnel had “probably the widest impact in the history of Windows.”

Get Data Sheet, Fortune’s technology newsletter.

“It can be exploited silently with a near perfect success rate,” he said.

That said, there’s no evidence that the vulnerability has been exploited. Microsoft’s patch this Tuesday listed it as “important” rather than “critical.”

Rather than being an isolated flaw, as such, BadTunnel is a vulnerability that’s made possible by a combination of problems in how Windows handles networking and how Internet Explorer and Edge handle web pages.

In theory, it would someone to attack devices on an intranet from outside the network, despite the use of a protective firewall. Its exploitation would involve duping the victim into visiting a bad web page using Microsoft’s browsers, opening a dodgy Office document, or inserting a malicious USB drive.

For more on cybersecurity, watch our video.

Microsoft’s patch covers all the versions of Windows back from 10 to Vista, as well as versions of Windows Server 2008 and 2012. Windows XP is no longer supported, but it is vulnerable.

Yu will give more information on how individuals and organizations can protect themselves at the Black Hat USA 2016 security conference, which kicks off at the end of July.