Microsoft has patched a zero-day vulnerability in Internet Explorer
The flaw allows an attacker to gain complete control over the target device.
Microsoft has released an update that fixes a zero-day vulnerability in Internet Explorer versions 7-11 (the flaw does not appear to be present in the new Microsoft Edge). The critical flaw, CVE-2015-2502, allows an attacker to remotely execute code on the target device.
According to Microsoft, a remote user can use a specially crafted website to compromise a vulnerable system. The vulnerability is caused by a memory corruption error when handling certain objects.
Microsoft Security Bulletin MS15-093
Exploitation of the vulnerability gives an attacker the same rights as the device user. If the victim is logged on with administrative privileges, an attacker who successfully exploits this vulnerability gains complete control of the affected device. A hacker could install programs, delete data and add new accounts.
Microsoft strongly recommends that you install the update that fixes this critical vulnerability.
System compromise in Microsoft Internet Explorer: the CVE-2015-2502 memory corruption vulnerability
Risk: Critical
Fix available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2015-2502
Exploitation vector: Remote
Impact: System Compromise
Exploit availability: A functional exploit is actively being used in the wild
Affected products: Microsoft Internet Explorer 7.x, 8.x, 9.x, 10.x, 11.x
Vulnerable versions: Internet Explorer 7, 8, 9, 10, 11
Description:
[CVE-2015-2502] The vulnerability allows a remote user to compromise a vulnerable system.
The vulnerability is caused by a memory corruption error when handling certain objects. This can be exploited to compromise a vulnerable system via a specially crafted website.
NOTE: The vulnerability is actively exploited at the moment.
Solution: Install the latest version from the manufacturer.
Manufacturer URL: microsoft.com
Links:
- https://technet.microsoft.com/en-us/library/security/ms15-093
- https://support.microsoft.com/en-us/kb/3087985
- http://www.tripwire.com/state-of-security/vulnerability-management/ie-under-attack-microsoft-releases-emergency-out-of-band-patch/
- https://krebsonsecurity.com/2015/08/microsoft-pushes-emergency-patch-for-ie/
- http://arstechnica.com/security/2015/08/microsoft-issues-emergency-patch-for-critical-ie-bug-under-active-exploit/
Solution: Install the latest version from the manufacturer.
What does that mean? Latest version of what? From what manufacturer? Microsoft? Asus?
MS15-093: Security update for Internet Explorer. This security update resolves a vulnerability in Internet Explorer that could allow remote code execution if a user views a specially crafted webpage by using Internet Explorer.
According to a report from IT security firm Symantec the patched flaw was being used in attacks targeting visitors to the website of the Evangelical Lutheran Church of Hong Kong.
Thank you for the post about the vulnerability in Internet Explorer, you helped me a lot.