Microsoft has rushed out an emergency, out-of-band patch to fix a “critical” zero-day security flaw in the Internet Explorer web browser – one that, it warns, hackers may already be exploiting.
The vulnerability, CVE-2015-2502, enables remote code execution, according to Microsoft bulletin MS15-093.
“The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” according to the Bulletin.
Not only that, but the security flaw affects Microsoft operating systems almost across the board, including Windows Vista, Windows 7, Windows 8, Windows RT, Windows Server 2008 and 2012, and even IE running on Windows 10, Microsoft's latest operating system, which it launched only last month.
Microsoft Edge, which Computing has found to be riddled with bugs, is not affected by the security flaw.
“The CVE-2015-2502 memory corruption vulnerability exists because IE does not properly manage certain objects in memory. The vulnerability is rated critical for Windows non-Server operating systems,” says Lane Thames, a software development engineer at Tripwire. “However, the vulnerability is rated moderate for Windows Server platforms including Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2.”
According to Tripwire, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) ought to help mitigate the vulnerability, although patching would be preferable. “This is far from the first occasion when EMET has provided an additional level of defence for an organisation, and it’s a shame that so few companies appear to be aware of this powerful tool,” wrote security specialist Graham Cluley for the Tripwire blog.
He continued: “The secret to protecting your business is to adopt a layered defence, using a variety of technologies. After all, there’s no indication that zero-day vulnerabilities are drying up.”
The flaw is so serious that Windows users have been urged to update as soon as possible, but many running Windows 7 may miss out on their usual Windows Update notifications and fail to do so.
Since the Windows 10 upgrade campaign began, Windows 7 users who reserved the upgrade but have not yet installed it have stopped receiving Windows Update notifications. In addition, when those users open Windows Update, only the Windows 10 “upgrade” tick-box is checked, not the “important” security updates that are normally selected by default, so the IE patch may not be installed unless they tick it themselves.
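For administrators who would rather confirm the fix is present on a machine than trust the notification, the following PowerShell script is an added example; it is not from the article, Microsoft or Tripwire. It reads the installed IE version, checks for the MS15-093 hotfix with Get-HotFix and, if it is missing, asks the Windows Update Agent directly whether the update is being offered, which sidesteps the tick-box state in the Windows Update control panel. The KB number 3087985 is assumed here to be the IE cumulative update shipped under MS15-093; confirm it against the bulletin before relying on the result.

```powershell
# Added example (not the article's or Microsoft's code): verify that the
# MS15-093 Internet Explorer update is installed on this machine, and if not,
# whether Windows Update is offering it.
# Assumption: the IE update for MS15-093 is KB3087985; confirm against the bulletin.
param([string]$Kb = '3087985')

# 1. Installed IE version. IE10 and later record it in svcVersion; older
#    builds only have Version.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
Write-Host "Internet Explorer version: $ieVersion"

# 2. Is the hotfix already present? Get-HotFix reads the same data as
#    "View installed updates" in Control Panel.
$installed = Get-HotFix -Id "KB$Kb" -ErrorAction SilentlyContinue
if ($installed) {
    Write-Host "KB$Kb is installed (installed on $($installed.InstalledOn))"
    exit 0
}
Write-Warning "KB$Kb is NOT installed"

# 3. Ask the Windows Update Agent for updates that are not yet installed.
#    This bypasses the notification UI and the "important updates" tick-box.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

$pending = @()
foreach ($u in $result.Updates) {
    # KBArticleIDs is a COM string collection; @() turns it into an array.
    if (@($u.KBArticleIDs) -contains $Kb) { $pending += $u }
}

if ($pending.Count -gt 0) {
    foreach ($u in $pending) {
        Write-Host "Windows Update is offering: $($u.Title)"
    }
    Write-Host "Open Windows Update, tick the important updates and install it, or apply the standalone MSU from Microsoft."
} else {
    Write-Warning "Windows Update is not currently offering KB$Kb; check the bulletin's download links for this OS and IE version."
}
```

Run it from an elevated PowerShell prompt; the Windows Update Agent search can take a minute on a machine that has not checked for updates recently. A zero exit code with the "is installed" line is the only outcome that means the machine is patched; everything else means the update still needs to be applied, whatever the notification area shows.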