Microsoft has issued an emergency patch for Internet Explorer outside of its Patch Tuesday Monthly schedule following a zero-day vulnerability, dubbed CVE-2015-2502. The vulnerability could allow an attacker to hijack control of your computer via Internet Explorer – just by you visiting a boobytrapped webpage. Lane Thames, Software Development Engineer and Security Researcher at Tripwire gives insight into the vulnerability.
[su_note note_color=”#ffffcc” text_color=”#00000″]Lane Thames, Software Development Engineer and Security Researcher at Tripwire
“Microsoft has released MS15-093, which is an emergency out-of-band (OOB) patch for Internet Explorer (IE). The MS15-093 security update addresses a memory corruption vulnerability (CVE-2015-2502) within IE7 through IE11 that could allow remote code execution if a user visits a website hosting specially crafted webpages. This memory corruption vulnerability exists because IE does not properly manage certain objects in memory. The vulnerability is rated critical for Windows non-Server operating systems. However, the vulnerability is rated moderate for Windows Server platforms including Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. Customers should note that the new “Edge” browser is not affected by this emergency security bulletin.”[/su_note][su_box title=”About Tripwire” style=”noise” box_color=”#336588″]
Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats. Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business-context and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence.[/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.