Microsoft issued an emergency out-of-band security update on Tuesday to address a zero-day vulnerability in Internet Explorer. All supported versions of Internet Explorer need to be patched as the remote code execution vulnerability is actively being exploited in the wild. While some publications have reported the hole is not being exploited, Microsoft listed "yes" under "exploited."
MS15-093 is rated critical for Internet Explorer 7 to 11, which happen to be all supported versions of IE on Windows clients; it's rated moderate for Windows servers. The patch addresses the vulnerability by modifying how IE handles objects in memory.
Regarding the vulnerability CVE-2015-2502, Microsoft wrote:
A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker's website, or by getting them to open an attachment sent through email.
An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability.
Windows accounts that were setup to have fewer user rights could be less impacted than those configured to have administrative user rights. Windows 10's new browser Edge is not affected, yet Windows 10 users still need to patch IE.
Businesses that can't slam on the brakes to deploy the IE patch immediately can use EMET (Enhanced Mitigation Experience Toolkit) to "help make it more difficult for attackers to exploit memory corruption vulnerabilities." Microsoft noted, "EMET can help mitigate attacks that attempt to exploit these vulnerabilities in Internet Explorer on systems where EMET is installed and configured to work with Internet Explorer."
"Patch as quickly as possible," advised Qualys CTO Wolfgang Kandek. "Now that the vulnerability is disclosed we expect the attack code to spread widely and get integrated into exploit kits and attack frameworks."
On the acknowledgments page, Microsoft thanked Clement Lecigne of Google for reporting the memory corruption flaw. Unlike some past Microsoft vulnerability disclosures, this one was not publicly revealed. The fact that it is being actively exploited might be "a case where both researchers and underground found it around the same time," Kandek suggested.