IBM first reported the issue to Microsoft in May, and is only discussing it publicly now that a patch is available. The good news is there's no evidence of anyone actually exploiting this vulnerability, probably for the same reason it went undetected for 19 years.
The general reaction on the Web and Twitter seemed to be mirth, but I have to ask – how does a bug go undetected for 19 years? The defective code should have been revisited at some point, if not outright discarded.
The most amazing part to me was that the bug survived the migration from the Windows 9x codebase, that 16/32-bit kludge of code, to the more solid 32-bit product starting with Windows 2000. But what this shows is that no matter how many revisions to an operating system, some stuff is reused over and over, even when it's supposed to be a whole new product.
The other issue it reveals is that old code often doesn't get revisited. Mike Cherry, an analyst with Directions on Microsoft, said the code might have been a simple function that does one job and once it was running, no one ever thought about whether this could this be exploited. "So in the testing, no one ever thought about exploiting it and it was never found in testing or in the wild," he told me.
Rob Enderle of The Enderle Group noted that the bug was in IE, which has to maintain compliance with Web standards, including the ones Microsoft made. So Microsoft didn't really fiddle with the VBScript code because it had to maintain backward compatibility with old Web pages that might have used VBScript.
Don't think there aren't a lot of old, junk Web pages out there. Companies have old press releases and product pages, news publications have stories dating back to the 1990s, and so on.
Then there's another reality about software development – code often doesn't get revisited because the developers move on or leave the company, and no one bothers to revisit it. Think about it. The chances are very good that the Internet Explorer team is relatively new to the software, certainly since IE's start. They've got code from the 1990s in there that they don't know, works just fine, and the original coders are gone. At that point, they are just going to leave it alone.
So there's likely the chance of other decades-old bugs out there. And with so much to be done today, who's going to go back and look for them? That would be almost a punishment.