SecuritySecurity Management

Microsoft Releases Emergency Internet Explorer Patch

Ben covers web and technology giants such as Google, Amazon, and Microsoft and their impact on the cloud computing industry, whilst also writing about data centre players and their increasing importance in Europe. He also covers future technologies such as drones, aerospace, science, and the effect of technology on the environment.

Follow on:

Microsoft finds zero-day flaw found that could let attackers take control of infected PCs

Microsoft has had to release a last-minute emergency patch for Windows that fixes a critical security vulnerability.

The patch, which comes out of sync with the usual monthly patch Tuesday releases, fixes a flaw that leaves users open to a ‘remote code execution’ that gives an attacker the same user rights as the user themselves on an affected machine.

Internet Explorer

microsoftThe zero-day flaw, named CVE-2015-2502, is effectively an exploit in Internet Explorer, and affects all versions of Windows.

Microsoft labelled the flaw as “critical”, and affected Internet Explorer versions 7, 8, 9, 10, 11 on Windows clients as well as Windows servers.

However, Microsoft noted that attackers had not yet taken advantage of the vulnerability.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” said Microsoft. “Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”

Microsoft’s new Edge browser, which was ushered in under Windows 10, is not affected by the flaw.

“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability,” said Microsoft in its advisory statement.

“In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”

Take our hacking and viruses quiz here!