Microsoft today released an emergency patch for all supported versions of Internet Explorer, including IE 11 running on the recently released Windows 10.
Microsoft said in its advisory that the zero-day is being publicly exploited. Google security engineer Clement Lecigne is credited with reporting the issue. A request for comment to Lecigne was not returned in time for publication.
The vulnerability, CVE-2015-2502, enables remote code execution, Microsoft said in bulletin MS15-093.
“This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” Microsoft said, adding that a successful exploit would enable a hacker to install additional malicious programs, modify data on the compromised system or create new accounts.
“The update addresses the vulnerability by modifying how Internet Explorer handles objects in memory,” the advisory said.
Microsoft said that its Enhanced Mitigation Experience Toolkit, EMET, does mitigate attacks against this vulnerability as a temporary stopgap until patches are tested and deployed.
This is the second out-of-band patch from Microsoft in less than a month. On July 20, the company released a security bulletin that patched a vulnerability in Windows Adobe Type Manager Library and the way it handled OpenType fonts. Unlike today’s bulletin, MS15-078 was publicly disclosed but had not yet been exploited prior to the release of the patch.
Despite the recent run of emergency updates, Microsoft has been relatively quiet on this front, relying instead on EMET as a mitigation for zero day vulnerabilities used in a number of targeted attacks until a patch was ready for release.
Today’s patch is also the second for IE on Windows 10. Last Tuesday, Microsoft’s scheduled Patch Tuesday security updates included a cumulative update for IE that included patches for Microsoft Edge, IE’s successor on Windows 10. The bulletin also included a patch for IE for a publicly disclosed vulnerability