Microsoft released a security update on Tuesday for Internet Explorer 7 through Internet Explorer 11 that addresses a critical memory corruption vulnerability - CVE-2015-2502 - that can be exploited by an attacker to enable remote code execution.
The vulnerability, which is being actively targeted in the wild, could be exploited by luring an Internet Explorer user to a specially crafted website, or by adding specially crafted content to compromised websites or websites that host user content or advertisements, a security bulletin said.
“[On Tuesday], Microsoft released [a security bulletin] to further protect customer devices from security vulnerabilities affecting Internet Explorer,” a Microsoft spokesperson told SCMagazine.com in a Tuesday email correspondence. “Microsoft Edge was not affected. Customers who have Windows Update enabled and applied the August Security Updates, are protected automatically.”
Bobby Kuzma, systems engineer with Core Security, encouraged all users to update immediately.
In a statement emailed to SCMagazine.com on Tuesday, Kuzma explained that exploitation of the vulnerability takes advantage of an issue involving object storage in memory, resulting in a corruption that could allow for the remote code execution.
“This could allow the malicious code to run with whatever rights the currently logged in user has, and could be combined with other vulnerabilities to elevate to administrator privileges,” Kuzma said. “Some of the attack vectors include web sites and HTML emails and worse, it's being actively exploited in the wild.”