Microsoft finds zero-day flaw found that could let attackers take control of infected PCs
Microsoft has had to release a last-minute emergency patch for Windows that fixes a critical security vulnerability.
The patch, which comes out of sync with the usual monthly patch Tuesday releases, fixes a flaw that leaves users open to a ‘remote code execution’ that gives an attacker the same user rights as the user themselves on an affected machine.
The zero-day flaw, named CVE-2015-2502, is effectively an exploit in Internet Explorer, and affects all versions of Windows.
Microsoft labelled the flaw as “critical”, and affected Internet Explorer versions 7, 8, 9, 10, 11 on Windows clients as well as Windows servers.
However, Microsoft noted that attackers had not yet taken advantage of the vulnerability.
“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” said Microsoft. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
Microsoft’s new Edge browser, which was ushered in under Windows 10, is not affected by the flaw.
“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability,” said Microsoft in its advisory statement.
“In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”