Microsoft has patched a flaw connected to the Stuxnet worm, which from 2009 attacked Iranian nuclear centrifuges in a suspected act of cyber war.
The software vendor shipped a fix for the bug (bulletin MS10-046, covering CVE-2010-2568) in August 2010, but research from HP's Zero Day Initiative showed that the patch could be bypassed, meaning that Windows customers have been exposed for more than four years.
Dave Weinstein, a security researcher at HP, said: "In early January of 2015, researcher Michael Heerklotz approached ZDI (Zero Day Initiative) with details of a critical vulnerability in the Microsoft Windows operating system.
"The vulnerability demonstrates that a security patch released by Microsoft in August 2010 does not, in fact, fix the CVE-2010-2568 .LNK issue first widely reported in Stuxnet – leaving all Windows machines vulnerable ever since."
The complexity of Stuxnet led many researchers to conclude that it received the backing of a state, with later evidence connecting it to the US and Israel, who both oppose Iran’s nuclear enrichment programme.
Alongside the .LNK fix, Microsoft also patched the recently uncovered FREAK bug, which lets a man-in-the-middle attacker read or tamper with TLS/SSL connections when the server still supports export-grade RSA cipher suites and the client accepts the weak key they carry.
The problem dates back to decades-old US export controls on encryption, which produced "export" cipher suites limited to 512-bit RSA keys. An attacker sitting between client and server can rewrite the handshake so that the server supplies one of these short keys and a vulnerable client accepts it, even though both sides support stronger ciphers; a 512-bit RSA modulus can be factored in a matter of hours on rented computing hardware, after which the attacker can decrypt and modify the session.
"Initially, it was thought that only OpenSSL (versions prior to 1.0.1k) and Apple TLS/SSL clients were vulnerable to man-in-the-middle (MitM) attacks, but later research revealed that Microsoft products were at risk as well," said Danielle Veluz, technical communications at security vendor Trend Micro.
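The downgrade described above, as an added example that is not code from the article or from any of the vendors it quotes: a small Python audit that parses a TLS 1.0 server handshake flight and flags the two FREAK-relevant patterns, an export-grade suite being negotiated, and an RSA ServerKeyExchange with a short modulus arriving after a non-export RSA suite (the message an unpatched client accepted in place of the certificate key). The record-building helpers, the sample bytes and the function names are constructed for this example; the cipher suite IDs are taken from RFC 2246.

```python
import struct

# Export-grade cipher suite IDs from RFC 2246 Appendix A.5 (TLS 1.0).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

# Plain RSA key-exchange suites: no ServerKeyExchange is expected with these.
# Subset chosen for the example.
RSA_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

HANDSHAKE, SERVER_HELLO, SERVER_KEY_EXCHANGE = 0x16, 0x02, 0x0C
TLS10 = b"\x03\x01"


def handshake_msg(msg_type, body):
    """Handshake header: 1-byte type + 3-byte length (constructed helper)."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def tls_record(messages, version=TLS10):
    """Wrap one or more handshake messages in a single TLS record (constructed helper)."""
    payload = b"".join(messages)
    return bytes([HANDSHAKE]) + version + struct.pack("!H", len(payload)) + payload


def server_hello(suite, version=TLS10):
    """Minimal ServerHello: version, 32-byte random (zeros here), empty session id,
    chosen suite, null compression, no extensions (constructed test vector)."""
    body = version + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return handshake_msg(SERVER_HELLO, body)


def rsa_server_key_exchange(modulus, exponent=b"\x01\x00\x01"):
    """ServerRSAParams from RFC 2246 section 7.4.3; the trailing signature is
    omitted because the audit does not need it (constructed test vector)."""
    body = (struct.pack("!H", len(modulus)) + modulus
            + struct.pack("!H", len(exponent)) + exponent)
    return handshake_msg(SERVER_KEY_EXCHANGE, body)


def iter_handshake_messages(record):
    """Yield (type, body) for each handshake message in one TLS record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    data = record[5:5 + rec_len]
    if len(data) != rec_len:
        raise ValueError("truncated record")
    off = 0
    while off + 4 <= len(data):
        mtype = data[off]
        mlen = int.from_bytes(data[off + 1:off + 4], "big")
        body = data[off + 4:off + 4 + mlen]
        if len(body) != mlen:
            raise ValueError("truncated handshake message")
        yield mtype, body
        off += 4 + mlen


def audit_server_flight(record):
    """Return a list of findings for the server's handshake flight."""
    findings = []
    suite = None
    for mtype, body in iter_handshake_messages(record):
        if mtype == SERVER_HELLO:
            # body = version(2) + random(32) + session_id_len(1) + session_id + suite(2)
            sid_len = body[34]
            suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
            if suite in EXPORT_SUITES:
                findings.append("export-grade suite negotiated: " + EXPORT_SUITES[suite])
        elif mtype == SERVER_KEY_EXCHANGE and suite in RSA_SUITES:
            # A plain RSA suite should never carry a ServerKeyExchange; if one
            # arrives with a short modulus, that is the FREAK downgrade on the wire.
            mod_len = struct.unpack("!H", body[:2])[0]
            bits = int.from_bytes(body[2:2 + mod_len], "big").bit_length()
            findings.append(
                f"RSA ServerKeyExchange with {bits}-bit modulus after non-export suite "
                f"{RSA_SUITES[suite]} (FREAK pattern)")
    return findings


if __name__ == "__main__":
    weak_modulus = bytes([0x80]) + bytes(63)  # 512-bit modulus, constructed
    flight = tls_record([server_hello(0x002F), rsa_server_key_exchange(weak_modulus)])
    for finding in audit_server_flight(flight):
        print(finding)
```

The same parser can be pointed at a packet capture by feeding it the server-to-client handshake records; a clean flight (ServerHello with a strong suite and no RSA ServerKeyExchange) returns an empty list, while either pattern above is what a patched client now rejects.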
Microsoft has also updated its Malicious Software Removal Tool so that it removes Superfish, adware preinstalled on Lenovo consumer laptops that added its own root certificate, with the same private key on every machine, in order to intercept HTTPS traffic. It caused controversy after US-CERT warned the public that the certificate exposed affected users to man-in-the-middle attacks.