CVE-2015-2502 Microsoft issues emergency patch for all versions of Windows
This is the second “critical” out-of-band patch issued in as many months.
It’s all Internet Explorer’s fault — again.
Microsoft has released an emergency out-of-band patch for a “critical”-rated security vulnerability affecting all supported versions of Windows. The software giant said in an advisory Tuesday that a user merely visiting a specially crafted website could trigger remote code execution on an affected machine. The zero-day flaw (classified as CVE-2015-2502) stems from the way Internet Explorer handles objects in memory. If successfully exploited, an attacker could “gain the same user rights as the current user,” the advisory said. Those running administrator accounts are particularly at risk, it said.
Simply put: this flaw could allow an affected Windows machine to be taken over by an attacker.
It does not appear that the vulnerability is currently being exploited by hackers.
Microsoft’s new Edge browser, which lands in Windows 10, is not affected by the vulnerability. The patch is available over Windows Update or through Microsoft’s website.
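The two things a Windows administrator actually needs to confirm after reading the advisory are that the out-of-band update has landed and that users are not browsing from administrator accounts (the advisory's point that an exploit inherits only the current user's rights). The PowerShell below is an added example, not code from the article or from Microsoft; the KB number is a placeholder to be replaced with the article number listed in the MS15-093 bulletin, which this page does not give.

```powershell
# Added example (not from the article): check the patch state and the privilege
# level of the interactive user on one machine.
$KB = 'KBXXXXXXX'   # placeholder: replace with the KB article number listed in MS15-093

# 1. Is the out-of-band Internet Explorer update installed?
$hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "Update $KB installed on $($hotfix.InstalledOn)"
} else {
    Write-Warning "Update $KB not found; run Windows Update or install the MS15-093 package"
}

# 2. Is the current user running with administrative rights?
#    The advisory says a successful exploit gains only the current user's rights,
#    so browsing from a standard account limits what a drive-by can do.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Write-Warning "$($identity.Name) is running with administrative rights; use a standard account for web browsing"
} else {
    Write-Output "$($identity.Name) is a standard user"
}
```

Run it in the user's own session rather than an elevated prompt, since the admin check reports on the token of the process that runs it; for fleet-wide coverage, `Get-HotFix` accepts a `-ComputerName` list, so the first check can be pointed at many hosts from one console.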
Google security researcher Clement Lecigne was credited with finding the flaw.
This latest critical patch comes a week after the company’s scheduled monthly roundup of security fixes was released to customers.
Whether this sets a trend for Microsoft, however, remains to be seen. This is the second month in a row the company has issued an out-of-band update.
Last month, just days after its usual monthly round of security updates, the software giant released an out-of-band patch for a critical flaw that, if exploited, could allow a hacker to effectively take over an affected machine.
A Microsoft spokesperson said in a statement: “Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible.”
“We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Today, Microsoft released Security Bulletin MS15-093 to further protect customer devices from security vulnerabilities affecting Internet Explorer. Microsoft Edge was not affected. Customers who have Windows Update enabled and applied the August Security Updates are protected automatically,” the spokesperson added.