Microsoft made a surprise, out-of-band release to patch a vulnerability in Internet Explorer (IE) that could result in remote code execution.
The bulletin (MS15-093) came one week after Microsoft's August Patch Tuesday release and describes a flaw that affects IE versions 7 through 11. According to Microsoft, the remote code execution flaw is a result of Internet Explorer improperly accessing objects in memory. If an attacker can lure a victim to view a specially crafted website designed to exploit this vulnerability through Internet Explorer, the attacker could then gain the same user rights as the current user.
The bulletin says the vulnerability is rated critical for Windows clients, but only moderate on affected Windows Server versions due to the built-in mitigation from the Enhanced Security Configuration's restricted mode, in which IE runs by default.
Microsoft credits a Google researcher, Clement Lecigne, with finding the flaw. According to experts, the Microsoft security patch should be installed quickly, because the flaw is being actively exploited in the wild.