GUESS WHAT? Microsoft has released an out-of-band patch for Internet Explorer that should deal with a flaw that is being actively exploited in the wild.
It's a user-rights issue, according to the Technet post, and it allows a hacker to ride compromised websites all the way onto a person's computer. This can happen in a number of ways.
"An attacker could host a specially crafted website designed to exploit this vulnerability through IE, and then convince a user to view the website," explained the firm.
The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability.
"In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant message or email that takes them to the attacker's website, or by getting them to open an attachment sent through email."
For those of you who are not already installing it, the security industry has a range of guidance for you. The advice, naturally, is to install the patch, cover your bases, move on and wait for the next one.
"We expect the attack code to spread widely and get integrated into exploit kits and attack frameworks. All companies should patch as quickly as possible. All versions of IE v7-v11 are affected, but users of the new Edge browser on Windows 10 aren't," said Wolfgang Kandek, CTO at Qualys, who suggested that there may have been a race between researchers and exploiters to react to the flaw.
"Microsoft credits a Google researcher, Clement Lecigne, with the find; this is interesting as Google has been more active in the proactive finding of vulnerabilities," he added. "Maybe this was a case where researchers and underground hackers found it at around the same time?"
Lane Thames, software development engineer and security researcher at Tripwire, is with Kandek on this, saying that the problem lies within IE itself.
"The MS15-093 security update addresses a memory corruption vulnerability (CVE-2015-2502) in IE 7 through IE 11 that could allow remote code execution if a user visits a website hosting specially crafted web pages," he said.
"This memory corruption vulnerability exists because IE does not properly manage certain objects in memory."
Regardless of all this, Microsoft had us at 'critical'. µ