Emergency Zero-Day Internet Explorer Security Fix Released
Microsoft released an out-of-band update for all supported versions of Internet Explorer today after active attacks exploiting the hole were seen in the wild.
According to Microsoft, bulletin MS15-093 is rated "critical" for all versions of the company's Web browser on all Windows OS versions, and rated "important" on all supported Windows Server versions.
The bulletin takes care of one memory corruption issue that could lead to a remote code execution (RCE) attack. Microsoft said that the vulnerability could be used to run arbitrary code on a targeted system if an attacker "hosts a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability."
Today's fix modifies the way that Internet Explorer handles objects in memory to close the security hole. It is recommended that this bulletin be applied as soon as possible. Microsoft rarely releases out-of-band patches, and the urgent nature could suggest that more attacks may be on their way, said Qualys CTO Wolfgang Kandek.
"Now that the vulnerability is disclosed we expect the attack code to spread widely and get integrated into exploit kits and attack frameworks," said Kandek in an e-mailed comment. "Patch as quickly as possible."
Those running Windows 10 or earlier OS versions with automatic updates will have the fix pushed through to them. For those who prefer to download and apply it themselves, the patch can be found on the bulletin summary page.
Today's security update comes just one week after Microsoft released its scheduled August patch, which included a cumulative update for all versions of Internet Explorer. It's unclear why Microsoft didn't include today's update with last week's rollout.
Microsoft acknowledged security researcher Clement Lecigne at Google for the discovery and disclosure of the memory corruption flaw.