Microsoft issues critical out-of-band patch for flaw affecting all Windows versions
When Microsoft issues a patch outside of its normal Patch Tuesday monthly schedule, you should sit up and listen.
Microsoft has issued an advisory about a zero-day vulnerability, CVE-2015-2502, that could allow an attacker to hijack control of your computer via Internet Explorer – just by you visiting a booby-trapped webpage.
As of now, Microsoft’s new browser, Edge, which comes with Windows 10, is not affected by the vulnerability.
In its advisory, Microsoft warns that vulnerable computers can be exploited just by visiting maliciously crafted webpages using Internet Explorer, with no further user interaction required.
Microsoft’s advisory states:
“An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”
Once a computer has been successfully compromised, the attacker would have the same user rights as the current user – meaning that if you are logged in with admin rights, the hacker could take complete control of your PC. Thereafter, it would be simple for the attacker to install further malware, steal information, and make other changes to your settings to compromise security.