Microsoft drops rush Internet Explorer fix for remote code exec hole

IE 7 through 11 needs a big band-aid, fast, especially workstations, terminal servers

By Darren Pauli

Posted in Security, 19th August 2015 00:51 GMT

Microsoft has released an out-of-band patch for Internet Explorer versions 7 through 11, to close a dangerous remote code execution flaw allowing attackers to commandeer machines.

The attack will be a highly useful tool in hacker arsenals likely allowing them to build powerful phishing, watering hole, and malvertising campaigns.

Redmond's new Edge browser is not impacted.

"The vulnerability (CVE-2015-2502) could allow remote code execution if a user views a specially crafted webpage using Internet Explorer, Microsoft says in an advisory .

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability."

The flaw is rated critical for all affected versions of the default Windows web browser, and moderate for instances running on Windows server.

There are no workarounds for the hole meaning admins must apply the fix. Microsoft's popular Enhanced Mitigation Experience Toolkit defence tool and the default Enhanced Security Configuration for Windows servers can help to raise the bar to exploitation.

Google security bod Clement Lecign is credited with the vulnerability discovery.

The SANS Institute recommends immediate testing and patching.

Windows Update should be spewing the update as you read this line of text. ®

Sign up to our NewsletterGet IT in your inbox daily

18 Comments

More from The Register

Oracle tells tales about Google data slurps to Australian regulator

At an inquiry into news and ads, of all things. Is Big Red playing a deeper game?

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

French drone bods Parrot wheel out 'prosumer' division

If you can afford to spend $5k on a camera drone, they want to be your go-to folk

Malware on Google Play

Google Play Protect is 'dead last' at fingering malware on Android

Don't expect ads giant to stop all software nasties for you – it certainly can't

Microsoft patched more Malware Protection Engine bugs last week

Redmond's out-of-band advisory landed after the bugs were fixed

Banking trojan-slingers slip past Google Play's malware defences

BankBot nestled within allegedly 'fun' mobile game

Happy as Larry: Why Oracle won the Google Java Android case

Comment Get a licence or build something new. It's really that simple

Java-aaaargh! Google faces $9bn copyright bill after Oracle scores 'fair use' court appeal win

You thought this was over? You thought wrong, laughs Larry

Hurry up patching those Oracle bugs: Attackers aren't waiting

Honeypots swarmed on within three hours of patch release