Microsoft has issued an emergency patch for Internet Explorer outside of its Patch Tuesday Monthly schedule following a zero-day vulnerability, dubbed CVE-2015-2502. The vulnerability could allow an attacker to hijack control of your computer via Internet Explorer – just by you visiting a boobytrapped webpage.
Lane Thames, Software Development Engineer and Security Researcher at Tripwire gives insight into the vulnerability: “Microsoft has released MS15-093, which is an emergency out-of-band (OOB) patch for Internet Explorer (IE). The MS15-093 security update addresses a memory corruption vulnerability (CVE-2015-2502) within IE7 through IE11 that could allow remote code execution if a user visits a website hosting specially crafted webpages. This memory corruption vulnerability exists because IE does not properly manage certain objects in memory. The vulnerability is rated critical for Windows non-Server operating systems. However, the vulnerability is rated moderate for Windows Server platforms including Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Customers should note that the new “Edge” browser is not affected by this emergency security bulletin.”