Microsoft has released a ‘critical’ security patch for all versions of Internet Explorer after the discovery of a major vulnerability that could allow hackers to remotely attack Windows systems.
The out-of-band patch, designated MS15-093, is marked ‘critical’ for IE 7 to IE 11 and Windows 7, 8, 8.1, 10 and Vista. The fix also covers Windows Server 2008, 2012 and Windows Server Technical Preview.
The new Edge browser is unaffected by the vulnerability, but Windows 10 ships with IE installed as standard, so users of the new operating system will still need to apply the update.
The update addresses the flaw by modifying how IE handles objects in memory. Microsoft's security bulletin explains that successful exploitation can give an attacker full control of a system.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system,” the advisory said.
“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where IE is used frequently, such as workstations or terminal servers, are most at risk from this vulnerability.”
Microsoft explained that hackers will attempt to direct an unsuspecting user to a malicious website via emails or instant messages.
“An attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant message or email that takes them to the attacker’s website, or by getting them to open an attachment sent through email,” said the advisory.
Wolfgang Kandek, chief technical officer at cloud security firm Qualys, warned that the zero-day vulnerability can now be used by hackers in the wild to attack unpatched systems.
“We expect the attack code to spread widely and get integrated into exploit kits and attack frameworks – all companies should patch as quickly as possible,” he added.
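For administrators acting on that advice, the practical first step is an inventory of which hosts already carry the update. The following PowerShell function is an added example, not code from the article, from Qualys or from Microsoft: it queries one or more Windows hosts for a given knowledge-base (KB) identifier and reports whether the update is installed, separating "update absent" from "host unreachable". The article does not state the KB number that MS15-093 installs, so the KB identifier is passed in as a parameter and the value shown in the usage line is a placeholder.

```powershell
# Added example (not from the article, Qualys or Microsoft): audit whether a
# security update identified by its KB number is present on a set of hosts.
# The KB number for MS15-093 is not given in the article; supply it as -KbId.
function Test-SecurityUpdateInstalled {
    param(
        [Parameter(Mandatory = $true)]
        [string] $KbId,                                   # e.g. 'KB0000000' (placeholder, assumed)
        [string[]] $ComputerName = @($env:COMPUTERNAME)   # defaults to the local machine
    )

    foreach ($computer in $ComputerName) {
        # First decide whether the host is reachable at all, so that a missing
        # update is not confused with a host that simply did not answer.
        $reachable = Test-Connection -ComputerName $computer -Count 1 -Quiet
        if (-not $reachable) {
            [pscustomobject]@{
                Computer    = $computer
                KbId        = $KbId
                Status      = 'Unreachable'
                InstalledOn = $null
            }
            continue
        }

        try {
            # Get-HotFix raises a terminating error (with -ErrorAction Stop) when
            # the requested KB is not present on the target host.
            $hotfix = Get-HotFix -Id $KbId -ComputerName $computer -ErrorAction Stop
            [pscustomobject]@{
                Computer    = $computer
                KbId        = $KbId
                Status      = 'Installed'
                InstalledOn = $hotfix.InstalledOn
            }
        } catch {
            [pscustomobject]@{
                Computer    = $computer
                KbId        = $KbId
                Status      = 'Missing'
                InstalledOn = $null
            }
        }
    }
}

# Usage (KB number and host names are placeholders, not values from the article):
# Test-SecurityUpdateInstalled -KbId 'KB0000000' -ComputerName 'ws01','ws02','ts01' |
#     Where-Object Status -ne 'Installed' | Format-Table -AutoSize
```

Piping the output through `Where-Object Status -ne 'Installed'` gives the list of hosts that still need attention; the objects can equally be exported with `Export-Csv` for a patch-compliance record. Remote queries rely on the same WMI/RPC access that `Get-HotFix` normally uses, so the account running the script needs administrative rights on the targets.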
Google intrusion analyst Clement Lecigne is credited with helping to find the flaw.
This is the second Microsoft out-of-band patch in the past two months. A security fix released in July patched a critical flaw in the way the Windows Adobe Type Manager Library handled OpenType fonts.