Security

Microsoft drops rush Internet Explorer fix for remote code exec hole

IE 7 through 11 needs a big band-aid, fast, especially workstations, terminal servers

By Darren Pauli

18 SHARE

Microsoft has released an out-of-band patch for Internet Explorer versions 7 through 11, to close a dangerous remote code execution flaw allowing attackers to commandeer machines.

The attack will be a highly useful tool in hacker arsenals likely allowing them to build powerful phishing, watering hole, and malvertising campaigns.

Redmond's new Edge browser is not impacted.

"The vulnerability (CVE-2015-2502) could allow remote code execution if a user views a specially crafted webpage using Internet Explorer, Microsoft says in an advisory .

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability."

The flaw is rated critical for all affected versions of the default Windows web browser, and moderate for instances running on Windows server.

There are no workarounds for the hole meaning admins must apply the fix. Microsoft's popular Enhanced Mitigation Experience Toolkit defence tool and the default Enhanced Security Configuration for Windows servers can help to raise the bar to exploitation.

Google security bod Clement Lecign is credited with the vulnerability discovery.

The SANS Institute recommends immediate testing and patching.

Windows Update should be spewing the update as you read this line of text. ®

Sign up to our NewsletterGet IT in your inbox daily

18 Comments

More from The Register

Google Play Store spews malware onto 9 million 'Droids

How did these get through the net?

Prez Trump to host chinwag with Google, Microsoft, Oracle and Qualcomm – report

And Sundar Pichai heads to grilling on Chocolate Factory's data slurping

No do-overs! Appeals court won’t hear $8.8bn Oracle v Google rehash

Only thing left now is a Supreme Court bid in row over Android and Java copyright

Oracle tells tales about Google data slurps to Australian regulator

At an inquiry into news and ads, of all things. Is Big Red playing a deeper game?

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Google skewered in ad sting after Oracle-backed bods turn troll

Search giant complains of misrepresentation, database titan raises an eyebrow

French drone bods Parrot wheel out 'prosumer' division

If you can afford to spend $5k on a camera drone, they want to be your go-to folk

Windows 10 or Cisco Advanced Malware Protection: Pick one

Redmond warns that the malware tool doesn't play nice with the latest upgrade

Malware on Google Play

Hadoop coop thrown for loop by malware snoop n' scoop troop? Oh poop

Attacks on distributed frameworks on the rise, it is claimed by infosec biz