
I am new to information security and was reading about the Morris worm and encountered some nice reports and articles on it like this, this and this. There are many other articles and tech reports on this. The first one talks about issues with BSD UNIX which were exploited by the worm. However, I could not find anything about whether the bug in gets is fixed or not, i.e. whether gets, scanf, fscanf etc. check for bounds on input buffers or not. And similarly, what about other bugs which were exploited?

Also, is there any study or estimate about what the cost would be if someone is able to launch an attack similar to that today?

PHcoDer

1 Answer


However, I could not find anything about if the bug in gets is fixed or not i.e. whether gets, scanf, fscanf etc. check for bounds on input buffers or not.

With some understanding of how C works, or a look at the documentation, it is actually hard to miss that these bugs are not fixed and cannot be fixed while keeping the same function interface.

Given that these functions only get a pointer to a buffer (char*) and not the size of the buffer, and given that there is no implicit size associated with the buffer in C, it is impossible for these functions to check the (unknown) bounds. This means it is impossible to fix these insecure-by-design functions while keeping the API.

This is even clearly described for example in man gets:

Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead.


Also, is there any study or estimate about what would be the cost if someone is able to launch an attack similar to that today?

I'm not aware of any serious research and I could not imagine any, since there are too many unknowns: how far could the worm spread, what is the actual damage it does on each system... But if such a worm is successful the damage will be much higher than in the past, since way more systems are connected together and also the criticality of these systems is much higher. I recommend having a look at recent attacks like WannaCry.

Steffen Ullrich
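The point the answer makes about the interface, as an added example in C (not code from the question or the answer): `gets()` receives only a pointer and so cannot know the buffer size, while `fgets()` takes the size and stops at `size-1` bytes. The `read_line` helper and the `line_status` values are names chosen for this example; it also handles the case the answer's man page excerpt hints at, input longer than the buffer, by reporting truncation and discarding the rest of the over-long line.

```c
/* Bounded line input with fgets(), the replacement man gets recommends. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = 2 };

/* gets(buf) gets only a pointer: the callee cannot know sizeof(buf), so
 * nothing stops it writing past the end. fgets(buf, size, in) is told the
 * size, so it stops after size-1 bytes and always NUL-terminates. */
enum line_status read_line(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) {
        if (size)
            buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';      /* whole line fit; drop the newline */
        return LINE_OK;
    }
    /* No newline: either the line was longer than the buffer or the input
     * ended without a trailing newline. Peek one byte to tell them apart. */
    int c = getc(in);
    if (c == EOF)
        return LINE_OK;           /* final line, fit exactly */
    /* Over-long line: discard the remainder so the next call starts on a
     * fresh line instead of returning the leftover as a separate line. */
    while (c != '\n' && c != EOF)
        c = getc(in);
    return LINE_TRUNCATED;
}

int main(void)
{
    char buf[16];                 /* at most 15 characters per line */
    enum line_status st;
    while ((st = read_line(buf, sizeof buf, stdin)) != LINE_EOF)
        printf("%s: \"%s\"\n", st == LINE_OK ? "ok" : "truncated", buf);
    return 0;
}
```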