Today Microsoft addressed a 0-day vulnerability in Internet Explorer in an out-of-band update described in MS15-093. The vulnerability, CVE-2015-2502, is actively being exploited in the wild. The attack code is hosted on a malicious webpage that you or your users would have to visit in order to get infected. Attackers use a number of mechanisms to increase their target reach and lure users to the webpage, including:
- hosting the exploit on ad networks, which are then used by entirely legitimate websites
- gaining control over legitimate websites, say blogs, by exploiting vulnerabilities in the blogging server software or simply weak credentials
- setting up specific websites for the attack and manipulating search engine results
- sending you a link to the site by e-mail or other messaging programs
Now that the vulnerability is disclosed we expect the attack code to spread widely and get integrated into exploit kits and attack frameworks. Patch as quickly as possible.
All versions of Internet Explorer, v7 through v11, are affected. Users of the new Edge browser on Windows 10 are not affected.
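To turn the affected-version statement above into something you can run across a fleet, here is an added PowerShell check (example code, not part of the original post or of Microsoft's bulletin). It reads the installed Internet Explorer version from the registry, reports whether it falls in the v7 to v11 range, and asks Get-HotFix whether the bulletin's update is installed. The post does not give the KB number for MS15-093, so the script takes it as a parameter; fill it in from the bulletin before use. The registry path and value names (Version, svcVersion) are assumptions about how Internet Explorer records its version.

```powershell
# Added example, not from the original post. Checks whether this host runs an
# Internet Explorer version the post names as affected (7-11) and whether the
# MS15-093 update is installed. The KB number is not in the post, so it is a
# required parameter rather than a hard-coded value.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^KB\d+$')]
    [string]$BulletinKb   # placeholder: supply the KB number listed in MS15-093
)

# Assumption: IE records its version under this key. IE 10 and later report the
# real version in svcVersion; older releases only populate Version.
$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
$props = Get-ItemProperty -Path $ieKey -ErrorAction Stop

$versionString = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
$major = [int]($versionString.Split('.')[0])

# Per the post, IE 7 through 11 are affected; Edge on Windows 10 is a separate product
# and is not covered by this check.
$inAffectedRange = ($major -ge 7) -and ($major -le 11)

# Get-HotFix writes a non-terminating error when the KB is absent; suppress it and
# treat "no object returned" as "not installed".
$updateInstalled = [bool](Get-HotFix -Id $BulletinKb -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    IEVersion       = $versionString
    InAffectedRange = $inAffectedRange
    UpdateInstalled = $updateInstalled
    Action          = if ($inAffectedRange -and -not $updateInstalled) { 'Install update' } else { 'None' }
}
```

Run it on each host (or wrap it in Invoke-Command for remote execution) and collect the objects; any row with InAffectedRange true and UpdateInstalled false is a machine still exposed to CVE-2015-2502.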
BTW, Microsoft credits a Google researcher, Clement Lecigne, with the find, which is interesting since we have seen Google more active in the proactive finding of vulnerabilities. Maybe this was a case where both researchers and the underground found it around the same time?