Microsoft has issued an emergency security patch for a newly detected critical zero-day vulnerability in the Internet Explorer (IE) web browser.
The remote code execution vulnerability, which Microsoft said is already exploited in the wild, affects IE7 to 11 on client and server operating systems.
Microsoft Edge, the default Windows 10 web browser, is not affected by the vulnerability, which exists when affected versions of IE “improperly access objects in memory”.
According to Microsoft’s security bulletin, the IE vulnerability is rated critical for all client operating systems and moderate for all server operating systems.
Microsoft has released security updates for all affected and supported versions of Windows. These patches are available through Windows Update and Microsoft’s Download Center.
“The security update addresses the vulnerability (CVE-2015-2502) by modifying how Internet Explorer handles objects in memory,” Microsoft said.
The update is listed as a “cumulative update for Windows 10 (KB3081444)” and as KB3087985 on previous versions of Windows.
The update KB3078071 is a prerequisite for that update on Windows 8.1 and 7 and Windows Server 2008 R2 and 2012 R2.
Attackers can create web pages, HTML emails or web ads that exploit the vulnerability. No user interaction is required.
Successful exploitation of the flaw could give attackers the same rights as the current user on the system. Removing administrative rights from users would limit the impact of any exploit.
If the logged-in user has administrative rights, a complete takeover of the system is possible as it would allow the attacker to do things like modify system settings, create or modify user accounts and install or remove software.
According to Microsoft, its Enhanced Mitigation Experience Toolkit (Emet) helps mitigate the attack if it is configured correctly to work with IE.
Microsoft said it recognises the efforts of those in the security community who help the company protect customers through co-ordinated vulnerability disclosure, naming Google researcher Clement Lecigne in connection with the IE memory corruption vulnerability.
Not all businesses will be able or willing to roll out an IE security patch instantaneously across their enterprise, said independent security consultant Graham Cluley.
“Microsoft customers will no doubt be pleased to hear Emet mitigates against the vulnerability, although – of course – this should only be considered a temporary measure and a proper security patch is what is ideally required,” he wrote in a blog post.
Cluley notes this is far from the first occasion when Emet has provided an additional level of defence for an organisation. “It’s a shame so few companies appear to be aware of this powerful tool,” he said.
According to Cluley, the secret to protecting a business is to adopt a layered defence, using a variety of technologies. “After all, there’s no indication zero-day vulnerabilities are drying up,” he said.
This is the second emergency patch released in the past couple of weeks. On 20 July, Microsoft released bulletin MS15-078 for all supported operating systems, addressing a critical vulnerability in Microsoft Font Driver.