Microsoft issues emergency patch for IE flaw exploited in the wild

Microsoft has pushed out an emergency out-of-band Internet Explorer update, which fixes a critical memory corruption vulnerability (CVE-2015-2502) that is being actively exploited in attacks in the wild.

“All versions of Internet Explorer v7-v11 are affected. Users of the new Edge Browser on Windows 10 are not affected,” says Qualys CTO Wolfgang Kandek.

“This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft explained in the security advisory accompanying the patch.

If the user is logged on with administrative user rights, this means that the attacker could take complete control of the target system.

Attackers can take advantage of the flaw by including the exploit in a site crafted by them or a site they managed to compromise, and then sending out links to the site via email or instant messages. They can also misuse ad networks to deliver ads that contain the exploit to random users, or send out specially crafted HTML attachments via email.

Microsoft credits Clement Lecigne of Google for the discovery of the vulnerability, but apparently malicious attackers did so as well, as confirmed by Kandek.

“Now that the vulnerability is disclosed we expect the attack code to spread widely and get integrated into exploit kits and attack frameworks,” he noted, and advised users to patch as quickly as possible.

In order to avoid performance degradation, Microsoft advises users to first install the latest cumulative IE update, which was released on August 11, and then apply the patch.

If for some reason users can’t apply the patch, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) configured to work with Internet Explorer (it is by default) is apparently able to block the known exploit.
