Microsoft has issued a patch for a serious security flaw in Internet Explorer which is being actively exploited by hackers. The zero-day flaw, known as CVE-2015-2502, allows hackers to carry out what are known as “drive-by download” attacks, where the victim’s system gets infected without their knowledge, simply by visiting a malicious website.
The flaw affects all versions of Internet Explorer between IE7 and IE11 – although it doesn’t affect the company’s new Edge browser which is bundled with Windows 10. The vulnerability was discovered by Google researcher Clement Lecigne. Microsoft’s emergency patch was issued this week outside its typical monthly update – known as Patch Tuesday – which indicates how serious the vulnerability is.
Describing the critical vulnerability, Microsoft says: “This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.”
Exploited in the wild
While those who use Internet Explorer as their main browser will be most impacted, the company indicated that all Windows users should update their systems as other applications such as Microsoft Office may invoke Internet Explorer components, putting those users at risk.
Researchers at Qualys have revealed that the vulnerability (known as CVE-2015-2502) is already being actively exploited by hackers: “The vulnerability is actively being exploited in the wild. The attack code is hosted on a malicious webpage that you or your users would have to visit in order to get infected.”