Microsoft has been forced to release an out-of-band security update for a critical remote code execution vulnerability in Internet Explorer being actively exploited in the wild.
Redmond claimed in an advisory that the flaw could be exploited by a specially crafted web page viewed through IE versions 7-11 inclusive.
It added:
“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
The flaw, CVE-2015-2502, is rated critical on Windows clients for Vista, Win7, Win8, 8.1, and Windows 10, and moderate on Windows Server 2008, 2012, 2012 R2 and the Windows Server Technical Preview.
Although new browser Edge isn’t affected, Windows 10 is listed because the new OS also features Internet Explorer.
The RCE flaw exists when IE improperly accesses an object in memory. The vulnerability could corrupt memory, allowing an attacker to execute arbitrary code, Microsoft said.
The attacker would also have to trick a user into visiting a malicious web page, typically by clicking on a link.
Microsoft added:
“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.”
The update fixes the issue by modifying how IE handles objects in memory.
“Some of the attack vectors include web sites and HTML emails and worse, it’s being actively exploited in the wild,” commented Core Security systems engineer, Bobby Kuzma.
“I strongly urge everyone to push this patch as soon as possible, subject to testing requirements.”