Security

Microsoft drops rush Internet Explorer fix for remote code exec hole

IE 7 through 11 needs a big band-aid, fast, especially workstations, terminal servers

By Darren Pauli

18 SHARE

Microsoft has released an out-of-band patch for Internet Explorer versions 7 through 11, to close a dangerous remote code execution flaw allowing attackers to commandeer machines.

The attack will be a highly useful tool in hacker arsenals likely allowing them to build powerful phishing, watering hole, and malvertising campaigns.

Redmond's new Edge browser is not impacted.

"The vulnerability (CVE-2015-2502) could allow remote code execution if a user views a specially crafted webpage using Internet Explorer, Microsoft says in an advisory .

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.

"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability."

The flaw is rated critical for all affected versions of the default Windows web browser, and moderate for instances running on Windows server.

There are no workarounds for the hole meaning admins must apply the fix. Microsoft's popular Enhanced Mitigation Experience Toolkit defence tool and the default Enhanced Security Configuration for Windows servers can help to raise the bar to exploitation.

Google security bod Clement Lecign is credited with the vulnerability discovery.

The SANS Institute recommends immediate testing and patching.

Windows Update should be spewing the update as you read this line of text. ®

Sign up to our NewsletterGet IT in your inbox daily

18 Comments

More from The Register

No do-overs! Appeals court won’t hear $8.8bn Oracle v Google rehash

Only thing left now is a Supreme Court bid in row over Android and Java copyright

Oracle tells tales about Google data slurps to Australian regulator

At an inquiry into news and ads, of all things. Is Big Red playing a deeper game?

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Google skewered in ad sting after Oracle-backed bods turn troll

Search giant complains of misrepresentation, database titan raises an eyebrow

French drone bods Parrot wheel out 'prosumer' division

If you can afford to spend $5k on a camera drone, they want to be your go-to folk

Malware on Google Play

Oracle gets busy with Lazy FPU fix, adds more CPU Spectre-protectors

Oracle Linux and VM get their innoculations

Facebook, Google, Microsoft, Twitter make it easier to download your info and upload to, er, Facebook, Google, Microsoft, Twitter etc...

GDPR put a gun to their heads

Google Play Protect is 'dead last' at fingering malware on Android

Don't expect ads giant to stop all software nasties for you – it certainly can't

Google and Microsoft boffins playing nicely together to stop replay attacks in their tracks

Internet Engineering Task Force doc examines how to better protect authentication tokens