Microsoft Issues Emergency Security Patch For Internet Explorer Flaw

ARTICLE TITLE HERE

Microsoft has issued a rare emergency security patch for Internet Explorer to address a vulnerability criminals have used to gain broad access to computer systems.

The Redmond, Wash.-based vendor said the flaw sends users to an infected website that covertly downloads malware, giving hackers access to any system the user can access. The problem was discovered by Google's Threat Analysis Team, and affects older versions of the Internet Explorer browser.

"If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system," Microsoft said in an executive summary of the vulnerability. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

[Related: Here's How 17 Security Vendors Are Handling The Meltdown And Spectre Vulnerabilities]

id
unit-1659132512259
type
Sponsored post

By convincing a user to view a specially crafted web page, email attachment, PDF file, Microsoft Office document, or any other document that supports embedded Internet Explorer scripting engine content, an attacker may be able to execute arbitrary code, according to Carnegie Mellon's Software Engineering Institute. This vulnerability was detected in exploits in the wild, Carnegie Mellon added.

In a web-based attack scenario, Microsoft said the attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer, and then convince a user to view the website by, for example, sending them an email. Microsoft said the security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

Microsoft's stock was up more than 1 percent in after-hours trading on Thursday to $102.80. The vulnerability affects certain versions of Internet Explorer 9, 10, and 11, according to the U.S. Department of Homeland Security.