Robert Freeman, manager of IBM X-Force, said that IBM X-Force told Microsoft about the bug in May this year and that Microsoft is at last fixing it.
The bug can be used by crooks in so-called “drive-by” attacks to run code remotely and take over people’s PCs.
Freeman said that there may well be other bugs that go back decades. “This vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library,” he said.
He said that although his unit hadn’t found any evidence that the bug had been exploited, it “would have fetched six figures on the grey market”.
You can find more of IBM’s findings on Freeman’s blog.