Microsoft today released an emergency software update to plug a critical security flaw in all supported versions of its Internet Explorer browser, from IE 7 to IE 11 (this flaw does not appear to be present in Microsoft Edge, the new browser from Redmond that is intended to replace IE).
According to the advisory that accompanies the patch, this is a browse-and-get-owned vulnerability, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site. Windows users should install the patch whether or not they use IE as their main browser, as IE components can be invoked from a variety of applications, such as Microsoft Office. The emergency patch is available via Windows Update or from Microsoft’s Web site.
Microsoft’s advisory does not say whether this flaw is actively being exploited by attackers, but security experts at vulnerability management firm Qualys say it’s already happening.
“The vulnerability (CVE-2015-2502) is actively being exploited in the wild,” wrote Wolfgang Kandek, chief technology officer at Qualys, in a blog post about the update. “The attack code is hosted on a malicious webpage that you or your users would have to visit in order to get infected.”