Microsoft today released an emergency software update to plug a critical security flaw in all supported versions of its Internet Explorer browser, from IE 7 through IE 11 (the flaw does not appear to be present in Microsoft Edge, Redmond's new browser intended to replace IE).
According to the advisory that accompanies the patch, this is a browse-and-get-owned vulnerability, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site. Windows users should install the patch whether or not they use IE as their main browser: the IE rendering components are embedded in, and can be invoked by, a variety of other applications, such as Microsoft Office, so a system can be exposed without the user ever opening the browser itself. The emergency patch is available via Windows Update or from Microsoft's Web site.
Microsoft’s advisory does not say whether this flaw is actively being exploited by attackers, but security experts at vulnerability management firm Qualys say it’s already happening.
“The vulnerability (CVE-2015-2502) is actively being exploited in the wild,” wrote Wolfgang Kandek, chief technology officer at Qualys, in a blog post about the update. “The attack code is hosted on a malicious webpage that you or your users would have to visit in order to get infected.”
According to Qualys, attackers are using a number of mechanisms to increase their reach and lure users to the malicious webpage, including:
- hosting the exploit on ad networks, which are then used by entirely legitimate websites
- gaining control over legitimate websites, say blogs, by exploiting vulnerabilities in the blogging server software or simply weak credentials
- setting up specific websites for the attack and manipulating search engine results
- sending you a link to the site by e-mail or other messaging programs
“Now that the vulnerability is disclosed we expect the attack code to spread widely and get integrated into exploit kits and attack frameworks,” Kandek wrote. “Patch as quickly as possible.”
The patch comes just one week after the company released a slew of IE updates and other fixes for security flaws in Windows and Windows components as part of its regular Patch Tuesday monthly patch cycle (the second Tuesday of each month). The advisory credits a Google employee with reporting the vulnerability.
Update, 6:10 p.m. ET: Added comments from Qualys.