Emergency Zero-Day Internet Explorer Security Fix Released

Microsoft released an out-of-band update for all supported versions of Internet Explorer today after active attacks using the hole have been seen in the wild.

According to Microsoft, bulletin MS15-093 is rated "critical" for all versions of the company's Web browser on all Windows OS versions, and rated "important" on all supported Windows Server versions.

The bulletin takes care of one memory corruption issue that could lead to a remote code execution (RCE) attack. Microsoft said that the vulnerability could be used to run arbitrary code on a targeted system if an attacker "hosts a specially crafted websit that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability."

Today's fix modifies the way that Internet Explorer handles objects in memory to close the security hole. It is recommended that this bulletin be applied as soon as possible. Microsoft rarely releases out-of-band patches, and the urgent nature could suggest that more attacks may be on their way, said Qualys CTO Wolfgang Kandek.

"Now that the vulnerability is disclosed we expect the attack code to spread widely and get integrated into exploit kits and attack frameworks," said Kandek in an e-mailed comment. "Patch as quickly as possible."

Those running Windows 10 or earlier OS versions with automatic updates will have the fix pushed through to them. For those that prefer to download and apply it themselves, the patch can found on the bulletin summary page.

Today's security update comes just one week after Microsoft released its scheduled August patch, which included a cumulative update for all versions of Internet Explorer. It's unclear why Microsoft didn't include today's update with last week's rollout.

Microsoft acknowledged security researcher Clement Lecigne at Google for the discovery and disclosure of the memory corruption flaw.

About the Author

Chris Paoli is the site producer for and


  • Microsoft Starting To Roll Out New Excel Connected Data Types

    Microsoft on Thursday announced some Excel and Power BI enhancements that add "connected data types" on top of the standard strings and numbers options.

  • Windows 10 Users Getting New Process for Finding Optional Driver Updates

    Accessing Windows 10 drivers classified as "optional updates" will be more of a manual seek-and-install type of experience, starting on Nov. 5, 2020, Microsoft explained in a Wednesday announcement.

  • Microsoft Changes Privacy Platform Name to SmartNoise

    Microsoft Research has changed the name of its "differential privacy" platform from "WhiteNoise" to "SmartNoise," according to a Wednesday announcement.

  • Why Restarting a Failed SCVMM Job Might Be a Bad Idea

    Occasionally, restarting a failed System Center Virtual Machine Manager job can leave your virtualization infrastructure in an unknown state. Here's how to avoid that.

comments powered by Disqus