Microsoft issues emergency patch for zero-day IE flaw being exploited in the wild

Microsoft issued an emergency out-of-band security update on Tuesday to address a zero-day vulnerability in Internet Explorer. All supported versions of Internet Explorer need to be patched as the remote code execution vulnerability is actively being exploited in the wild. While some publications have reported the hole is not being exploited, Microsoft listed "yes" under "exploited."

MS15-093 is rated critical for Internet Explorer 7 to 11, which happen to be all supported versions of IE on Windows clients; it's rated moderate for Windows servers. The patch addresses the vulnerability by modifying how IE handles objects in memory.

Regarding the vulnerability CVE-2015-2502, Microsoft wrote:

Windows accounts that were setup to have fewer user rights could be less impacted than those configured to have administrative user rights. Windows 10's new browser Edge is not affected, yet Windows 10 users still need to patch IE.

Businesses that can't slam on the brakes to deploy the IE patch immediately can use EMET (Enhanced Mitigation Experience Toolkit) to "help make it more difficult for attackers to exploit memory corruption vulnerabilities." Microsoft noted, "EMET can help mitigate attacks that attempt to exploit these vulnerabilities in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer."

"Patch as quickly as possible," advised Qualys CTO Wolfgang Kandek. "Now that the vulnerability is disclosed we expect the attack code to spread widely and get integrated into exploit kits and attack frameworks."

On the acknowledgments page, Microsoft thanked Clement Lecigne of Google for reporting the memory corruption flaw. Unlike some past Microsoft vulnerability disclosures, this one was not publicly revealed. The fact that it is being actively exploited might be "a case where both researchers and underground found it around the same time," Kandek suggested.


Ms. Smith

Zur Startseite