MS15-093 – OOB fix for Internet Explorer
Last updated on: September 6, 2020
Today Microsoft addressed a 0-day vulnerability in Internet Explorer in an out-of-band update described MS15-093. The vulnerability CVE-2015-2502 is actively being exploited in the wild. The attack code is hosted on a malicious webpage that you or your users would have to visit in order to get infected. Attackers use a number of mechanisms to increase their target reach and lure users to the webpage including:
- hosting the exploit on ad networks, which are then used by entirely legitimate websites
- gaining control over legitimate websites, say blogs, by exploiting vulnerabilities in the blogging server software or simply weak credentials
- setting up specific websites for the attack and manipulating search engine results
- send you a link to the site by e-mail or other messaging programs
Now that the vulnerability is disclosed we expect the attack code to spread widely and get integrated into exploit kits and attack frameworks. Patch as quickly as possible.
All version of Internet Explorer v7-v11 are affected. Users of the new Edge Browser on Windows 10 are not affected.
BTW, Microsoft credits a Google researcher, Clement Lecigne with the find, which is interesting since we have seen Google more active in the proactive finding of vulnerabilities. Maybe this was a case where both researchers and underground found it around the same time?
Important to note the Microsoft caveat for applying this patch. You need to first install the latest cumulative IE update (released Aug 11) before applying this patch, or degraded performance may occur.
Are there any prerequisites for update 3087985?
Yes. Customers running Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, or Internet Explorer 11 on Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012 R2, or Windows RT 8.1 must first install the 3078071 update released on August 11, 2015 before installing the 3087985 update.