Microsoft has issued a patch for a serious security flaw in Internet Explorer which is being actively exploited by hackers. The zero-day flaw allows hackers to carry out what are known as "drive-by download" attacks, where the victim's system gets infected without their knowledge, simply by visiting a malicious website.
Microsoft's emergency patch was issued this week outside its typical monthly update - known as Patch Tuesday - which indicates how serious the vulnerability is. The flaw affects all versions of Internet Explorer between IE7 and IE11 - although it doesn't affect the company's new Edge browser which is bundled with Windows 10. The vulnerability was discovered by Google researcher Clement Lecigne.
Describing the critical vulnerability, Microsoft says: "This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user."
Exploited in the wild
While those who use Internet Explorer as their main browser will be most impacted, the company indicated that all Windows users should update their systems as other applications such as Microsoft Office may invoke Internet Explorer components, putting those users at risk.
Researchers at Qualys have revealed that the vulnerability (known as CVE-2015-2502) is already being actively exploited by hackers: "The vulnerability is actively being exploited in the wild. The attack code is hosted on a malicious webpage that you or your users would have to visit in order to get infected."
Wolfgang Kandek, CTO of Qualys, says hackers are using a variety of techniques to increase the number of victims for this zero-day vulnerability. These include hosting the attack code on ad networks so that entirely legitimate websites become infected; manipulating search engine results to make infected websites more prominent; and sending out phishing websites with links to malicious sites.
Kandek warns that Microsoft's disclosure of the vulnerability will increase exploitation of the vulnerability rather than limit it: "Now that the vulnerability is disclosed we expect the attack code to spread widely and get integrated into exploit kits and attack frameworks. Patch as quickly as possible."