Today, August 18th, 2015, Microsoft released an emergency patch after being notified of a critical vulnerability in all supported versions of Internet Explorer. All versions of Microsoft Internet Explorer from IE7 to IE11 are affected by this zero-day vulnerability.
The vulnerability, referenced by CVE as CVE-2015-2502 or by Microsoft as MS15-093, has been described by Brian Krebs as a “browse-and-get-owned” vulnerability. What this means is that this zero-day vulnerability is essentially exploited in “drive-by” fashion: no user interaction other than browsing to a malicious web page is needed to infect users running vulnerable versions of IE.
A vulnerability of this criticality level, with a delivery mechanism that requires no more than a simple click or redirect, is capable of causing a very large amount of damage.
The Zero-Day Flaw Is Actively Being Exploited In-the-Wild
According to Qualys' CTO Wolfgang Kandek, this vulnerability is currently being exploited in-the-wild. The delivery mechanisms utilized by threat actors looking to exploit this vulnerability, and their methods of increasing their damaging potential, can be inferred from past vulnerability disclosures; however, Qualys has stated that the following methods are being utilized by attackers to carry out these two goals:
As we have observed in the past with the somewhat recent release of several zero-day vulnerabilities in popular software (e.g. Adobe Flash Player), it is only a matter of time before exploit kit integration begins. We should expect to see this vulnerability integrated in top exploit kits very soon; I would be surprised if some of the top players do not integrate this vulnerability into their arsenal within the next 24 hours.
Additionally, even if you do not use Microsoft Internet Explorer, it is recommended that you update the version of IE installed on your (Windows) device.
“Windows users should install the patch whether or not they use IE as their main browser, as IE components can be invoked from a variety of applications, such as Microsoft Office.” – Brian Krebs
Note: Windows 10’s Edge browser is not affected by this vulnerability.
Where to Retrieve the Emergency Patch
The emergency patch can be downloaded and installed both via Windows Update and from Microsoft’s website.
Sources
Brian Krebs for his fast reporting (as always)
Qualys for reporting on this vulnerability and patch release as well as their research
About the Author Michael Fratello
Edited by Pierluigi Paganini
(Security Affairs – Zero-Day, Microsoft)