Microsoft forced to release out-of-band patch to fix IE

Internet Explorer vulnerability could allow hackers to take control of victim's PC

IE browser XSS flaw opens door to thieves and phishers
IE browser XSS flaw opens door to thieves and phishers

Microsoft has been forced to release a patch outside of its normal Patch Tuesday cadence in order to fix a problem that could allow criminals to remotely execute code on a user's PC and take control of it.

The flaw affects all versions of Internet Explorer from 7 to 11 on Windows from Vista onwards. Windows Server 2008, 2012, 2012 R2 and the Windows Server Technical Preview are all affected by the flaw but IE running in its Enhanced Security Configuration" should mitigate the problem there. Microsoft has reported that this vulnerability is being actively exploited. Microsoft's new browser, Edge, is not affected by the flaw.

According to a posting on the firm's Technet website, the flaw could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights,” the firm said in a statement.

On desktops, the vulnerability is rated as critical, while on server OSs it is moderate.

Lane Thames, software development engineer and security researcher at cyber-security firm Tripwire, said: “This memory corruption vulnerability exists because IE does not properly manage certain objects in memory.”

In a Tripwire blog post, security expert Graham Cluley said: “Once a computer has been successfully compromised, the attacker would have the same user rights as the current user – meaning that if you are logged in with admin rights, the hacker could take complete control of your PC.”

Mark Osborn, senior security consultant at MWR InfoSecurity, told SCMagazineUK.com that organisations would have to have a very good reason not to install this update. “The patch has been rushed out as an emergency fix, and Microsoft themselves have labelled it as 'Critical' for almost all affected browser/OS combinations,” he said.

Osborn added that it is not hard to see why CVE-2015-2502 is a problem, as the exploit requires no user interaction at all, it is simply a 'browse and get owned' vulnerability. “This kind of bug represents very high value to the cyber-crime community as long as users remain exposed, so expect to see it being adopted by the common Exploit Kits very quickly - eg Angler, Nuclear, Rig.”

“It would not be surprising to see a new wave of ransomware being distributed over the next few days off the back of this one. Some vendors are already reporting attacks, so the time to patch is now,” he said.

Wolfgang Kandek, CTO at Qualys, told SCMagazineUK.com that he expected the attack code to “spread widely and get integrated into exploit kits and attack frameworks - all companies should patch as quickly as possible.”

“Microsoft credits a Google researcher, Clement Lecigne, with the find; this is interesting as Google has been more active in the proactive finding of vulnerabilities - maybe this was a case where both researchers and underground hackers found it around the same time?” he said.

Gavin Reid, vice president of threat intelligence at Lancope, told SCMagazineUK.com that organisations should “always have a tiered approach to patching to validate the patch does not introduce new issues. That being said this should be patched immediately and not wait on a normal preventative maintenance cycle.”

Simon Crosby, co-founder and CTO at Bromium, told SCMagazineUK.com that the browser is the most complex application on any endpoint, and unfortunately it is also one of the primary attack vectors because it accesses the untrusted web.  

“Users should recognise that there is no easy way out – that even patching does not solve the problem.  Attackers only need to know about one exploit to be able to compromise the endpoint and breach the enterprise,” he said.

Carl Leonard, principal security analyst at Raytheon Websense Security Labs, said that businesses should consider deploying an alternative browser if they deem that appropriate.  “Microsoft's Enhanced Mitigation Experience Toolkit (EMET) can help end-users mitigate against memory corruption attacks such as this. Consideration should be given to that technology,” he told SCMagazineUK.com.