Microsoft has released a critical out-of-band security update on Tuesday to fix a zero-day vulnerability in its Internet Explorer. The company says that all compatible versions of Internet Explorer need to be patched with immediate effect as the remote code execution flaw is apparently being exploited in the wild.
The vulnerability, which was discovered by security researcher Clement Lecigne, affects all versions of the Internet Explorer ranging from IE 7 to IE 11 currently on the market. The company has issued a patch named MS15-093 to address the vulnerability by altering the way IE handles objects in the system memory.
Regarding the security flaw codenamed CVE-2015-2502, the company says that a remote code execution vulnerability exits when IE improperly tries to access objects in the memory. This could eventually corrupt memory in such a manner that that a hacker can execute an arbitrary code in the context of the current user.
Apparently, Windows accounts that were setup to have limited user rights will likely have a lesser impact as opposed to those with administrative user rights. Hence, business users can fix the vulnerability by deploying the EMET (Enhanced Mitigation Experience Toolkit) as it’ll make it more difficult for hackers to exploit memory corruption vulnerabilities, says Microsoft.
The company further explains that EMET can help mitigate attacks that are driven towards exploiting these loopholes in Internet Explorer as it can be installed and configured to work with Internet Explorer. However, the vulnerability does not affect the company’s new Edge browser bundled with the Windows 10, though users are still advised to patch the Internet Explorer in Windows 10 too.
The patch has now been made available via Windows Update, though the company insists users to upgrade to Windows 10 and switch over to the new Edge browser, as it comes with enhanced security features along with a new engine. Users who still use Internet Explorer and are facing issues fixing the patch right now, are strongly advised to refrain from clicking on links that come from unknown and unsecured sources as they have the potential to harm a user’s computer in one way or the other.
Meanwhile, Microsoft expressed their gratitude for Lecigne on its acknowledgements page for pointing out the memory corruption flaw. Notably, unlike some of the company’s vulnerabilities disclosed in the past, the one mentioned above was not publicly announced, which can be attributed to the fact that the flaw is being actively exploited.