
Microsoft issues emergency security patch for IE browser flaw

Microsoft warns that a zero-day remote code execution vulnerability, caused by a memory handling flaw in Internet Explorer versions 7 to 11, can enable attackers to take control of computers

Microsoft has issued an emergency security patch for a newly detected critical zero-day vulnerability in the Internet Explorer (IE) web browser.

The remote code execution vulnerability, which Microsoft said is already exploited in the wild, affects IE7 to 11 on client and server operating systems.

Microsoft Edge, the default Windows 10 web browser, is not affected by the vulnerability, which exists when affected versions of IE “improperly access objects in memory”.

According to Microsoft’s security bulletin, the IE vulnerability is rated critical for all client operating systems and moderate for all server operating systems.

Microsoft has released security updates for all affected and supported versions of Windows. These patches are available through Windows Update and Microsoft’s Download Center.

“The security update addresses the vulnerability (CVE-2015-2502) by modifying how Internet Explorer handles objects in memory,” Microsoft said.

The update is listed as a “cumulative update for Windows 10 (KB3081444)” and listed with the code KB3087985 on previous versions of Windows.

The update KB3078071 is a prerequisite for that update on Windows 8.1 and 7 and Windows Server 2008 R2 and 2012 R2.
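The three KB numbers above give a patch administrator something concrete to audit. The following PowerShell script is an added example, not code from the article or from Microsoft: it checks whether the correct update for each host's Windows version is reported as installed, using the KB identifiers named in the article. The host names and the version split are assumptions; the prerequisite KB3078071 is checked alongside KB3087985 on pre-Windows 10 systems.

```powershell
# Added example: audit presence of the CVE-2015-2502 updates named in the article.
# KB numbers come from the article; host list and version logic are assumptions.

# Windows 10 receives the fix as cumulative update KB3081444; earlier Windows
# versions receive KB3087985, which requires KB3078071 to be installed first.
$requiredByVersion = @{
    'Windows10' = @('KB3081444')
    'Legacy'    = @('KB3078071', 'KB3087985')
}

function Test-IEPatchState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Determine the OS version so the right KB set is selected.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $isWin10 = [version]$os.Version -ge [version]'10.0'
    $needed = if ($isWin10) { $requiredByVersion['Windows10'] } else { $requiredByVersion['Legacy'] }

    # Get-HotFix lists updates recorded by Windows Update / WUSA on the host.
    $installed = Get-HotFix -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID

    foreach ($kb in $needed) {
        [pscustomobject]@{
            ComputerName = $ComputerName
            OSVersion    = $os.Version
            Update       = $kb
            Installed    = ($installed -contains $kb)
        }
    }
}

# Assumed host list; replace with your inventory source (AD, CMDB, etc.).
$hosts = @('WORKSTATION-01', 'WORKSTATION-02')
$hosts | ForEach-Object { Test-IEPatchState -ComputerName $_ } |
    Where-Object { -not $_.Installed } |
    Format-Table -AutoSize
```

One caveat when reading the output: on Windows 10, later cumulative updates supersede KB3081444, so a fully patched host may legitimately not list that specific KB. Treat a missing entry there as a prompt to confirm the installed cumulative update level rather than as proof the fix is absent; on the legacy versions the KB numbers remain individually visible.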

Attackers can create web pages, HTML emails or web ads that exploit the vulnerability. No user interaction is required.

Successful exploitation of the flaw could give attackers the same rights as the current user on the system. Removing administrative rights from users would limit the impact of any exploit.

If the logged-in user has administrative rights, a complete takeover of the system is possible as it would allow the attacker to do things like modify system settings, create or modify user accounts and install or remove software.
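Because the impact of the flaw is bounded by the rights of the logged-in user, the practical first step is to find out who actually holds local administrative rights. The script below is an added example, not from the article: it enumerates the local Administrators group on one or more hosts through the WinNT ADSI provider, which works on the Windows 7 and 8.1 systems the article covers as well as on Windows 10. The host list is an assumption.

```powershell
# Added example: enumerate local Administrators group membership so that
# unnecessary admin rights can be reviewed and removed. Host names are assumed.

function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # The WinNT provider exposes local groups on hosts that predate
    # the Get-LocalGroupMember cmdlet (Windows 10 / PowerShell 5.1).
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"

    $group.psbase.Invoke('Members') | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $class = $_.GetType().InvokeMember('Class', 'GetProperty', $null, $_, $null)

        [pscustomobject]@{
            ComputerName = $ComputerName
            Member       = $name
            Type         = $class            # 'User' or 'Group'
            # Local accounts carry the host name in their ADsPath; everything
            # else originates from a domain.
            Scope        = if ($path -match "WinNT://$ComputerName/") { 'Local' } else { 'Domain' }
        }
    }
}

# Assumed host list; replace with your inventory source.
$hosts = @('WORKSTATION-01', 'WORKSTATION-02')
$hosts | ForEach-Object { Get-LocalAdminMembers -ComputerName $_ } |
    Sort-Object ComputerName, Member |
    Format-Table -AutoSize
```

Accounts that appear here but have no administrative task to perform are the candidates for removal; once the interactive user is a standard user, the exploit described in the article runs with standard-user rights only, which is exactly the reduction in impact the text calls out.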

According to Microsoft, its Enhanced Mitigation Experience Toolkit (Emet) helps mitigate the attack if it is configured correctly to work with IE.

Microsoft said it recognises the efforts of those in the security community who help the company protect customers through co-ordinated vulnerability disclosure, naming Google researcher Clement Lecigne in connection with the IE memory corruption vulnerability.

Not all businesses will be able or willing to roll out an IE security patch instantaneously across their enterprise, said independent security consultant Graham Cluley.

“Microsoft customers will no doubt be pleased to hear Emet mitigates against the vulnerability, although – of course – this should only be considered a temporary measure and a proper security patch is what is ideally required,” he wrote in a blog post.

Cluley notes this is far from the first occasion when Emet has provided an additional level of defence for an organisation. “It’s a shame so few companies appear to be aware of this powerful tool,” he said.

According to Cluley, the secret to protecting a business is to adopt a layered defence, using a variety of technologies. “After all, there’s no indication zero-day vulnerabilities are drying up,” he said.

This is the second emergency patch released in the past couple of weeks. Microsoft released the bulletin MS15-078 on 20 July for all supported operating systems that addresses a critical vulnerability in Microsoft Font Driver.


Microsoft's emergency repairs are no longer news; they're more of a regular, ongoing knee-jerk response. We've paid them vast fortunes, we've built our businesses on their assurances.

Of course software is fragile, of course this is a tough problem to get right, but they certainly have enough resources to invest in a real fix instead of their weekly oops there, mea culpa.

“If the logged-in user has administrative rights, a complete takeover of the system is possible as it would allow the attacker to do things like modify system settings, create or modify user accounts and install or remove software.” This is a primary reason as to why, as part of our cyber security initiative, we are reassessing the need for users to have administrative rights on their company machines. It may seem unnecessarily restrictive to those users that are accustomed to having administrative rights, but it can help turn a zero-day vulnerability into something less critical, thereby helping maintain priorities.

With the end-of-life happening today, for all their browsers but IE11, it should not be an issue when you upgrade to their recommendation. Some applications might not work under IE11 but that will be the price we pay for legacy code. You do have options: use another browser or play the odds and hope nothing happens.