Less than 10 days after Microsoft released an out-of-band (unscheduled, emergency) security update to patch critical vulnerabilities in a number of products, the company on Tuesday rolled out another out-of-schedule security update. The update centres on fixing a vulnerability in Internet Explorer and has been flagged as 'critical' by Microsoft.
Microsoft noted a vulnerability in its Internet Explorer browser in an advisory posted on Tuesday. The vulnerability, if exploited, allows an attacker to remotely execute code via a specially crafted website. The flaw, which the company has categorised as "zero-day," lies in the way Internet Explorer handles objects in memory.
"This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user," wrote Microsoft in a blog post. "Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights."
The vulnerability affects Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11 (also on Windows Server systems), which essentially means that users on Windows XP and later versions are affected. Microsoft said that the Edge browser, which debuted in Windows 10, does not have this vulnerability.
The comforting part of the news is that no user has been reported to be a target of the vulnerability as of now. The patch is available to download via Windows Update, as well as through Microsoft's website. Microsoft credited Google researcher Clement Lecigne for finding the flaw.
It is worth noting that Tuesday night's update is the third out-of-band security update sent by Microsoft in 2015. The company released another emergency update on August 11 which offered security patches for a number of Microsoft products.