Microsoft on Monday released an emergency security update to patch a vulnerability in Internet Explorer (IE), the legacy browser predominantly used by commercial customers.
The flaw, which was reported to Microsoft by Clement Lecigne, a security engineer with Google’s Threat Analysis Group (TAG), was already being exploited by attackers before the fix shipped, making it a classic “zero-day,” a vulnerability in active use before a patch is available.
In the security bulletin that accompanied the release of the IE patch, Microsoft labeled the bug a remote code execution vulnerability, meaning that an attacker who exploits it can run code of their choosing on the victim’s machine, with the same rights as the user running the browser. Remote code execution, or RCE, flaws are among the most serious class of bug. That seriousness, as well as the fact that criminals were already leveraging the vulnerability, was reflected in Microsoft’s decision to go “out of band,” or off the usual patching cycle, to plug the hole.
Traditionally, Microsoft delivers its security updates on the second Tuesday of each month, the so-called “Patch Tuesday.” The next such date will be Oct. 8, or in two weeks.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” Microsoft wrote in the bulletin.
The bug is in IE’s scripting engine, the component that runs JavaScript and VBScript inside the browser, Microsoft said, but did not elaborate.
Microsoft posted security updates for Windows 10, Windows 8.1, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server 2012 and 2012 R2, and Windows Server 2008 and 2008 R2. All still-supported versions of IE were patched, including IE9, IE10 and the dominant IE11.
IE was demoted to second-class status with the introduction of Windows 10, but Microsoft has been adamant that it will continue to support the browser. IE, particularly IE11, remains necessary in many enterprises and organizations for running aged web apps and internal websites. The stand-alone browser may eventually be abandoned, with IE retreating to a compatibility “mode” within a vastly reworked Microsoft Edge, but IE will live on in some form.
Still, it’s no longer the most popular kid on the block: According to the latest data from web analytics vendor Net Applications, IE accounted for just 9% of all Windows-based browsing activity. For comparison, Edge’s share of all Windows was around 7%.
According to information in the description of the update package, the emergency IE fix was initially available only through the Microsoft Update Catalog. Users would have to steer a browser to that website, then download and install the update. The easiest way to locate the IE update is by following the link in the OS-appropriate KB (knowledge base) article listed in the security bulletin. (No one said Microsoft makes it easy.)
Automated servicing feeds, including Windows Update and Windows Server Update Services (WSUS), are to begin offering the out-of-band update today.
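For administrators who pulled the package from the Catalog by hand, or who want to confirm that Windows Update or WSUS actually delivered it, the following PowerShell script is an added example, not part of the article or of Microsoft’s bulletin. It assumes you pass in the KB number from the OS-specific KB article linked in the bulletin (the article does not print the numbers), and it inventories the usual IE scripting-engine binaries (jscript.dll, jscript9.dll, vbscript.dll) so their file versions can be compared against the KB’s file-information table; the article names none of those DLLs, so treat that list as an assumption.

```powershell
# Added example (not from the article): install and/or verify an out-of-band IE update.
# Assumptions: $KbId is the KB number from the OS-specific KB article in the bulletin;
# $MsuPath, if given, is the .msu downloaded from the Microsoft Update Catalog;
# the DLL names below are the usual IE scripting-engine binaries (assumed, not stated on the page).
param(
    [Parameter(Mandatory = $true)]
    [string]$KbId,                 # e.g. 'KB1234567' (placeholder; use the real number from the KB article)
    [string]$MsuPath               # optional: path to the downloaded .msu to install first
)

# 0. Optional: install the Catalog download silently. wusa.exe is the standalone installer for .msu files.
if ($MsuPath) {
    if (-not (Test-Path $MsuPath)) { throw "MSU not found: $MsuPath" }
    $p = Start-Process -FilePath "$env:windir\System32\wusa.exe" `
                       -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    "wusa.exe exit code: $($p.ExitCode)  (0 = installed, 3010 = installed, reboot required)"
}

# 1. Is the update recorded as installed? Get-HotFix reads Win32_QuickFixEngineering,
#    the same data shown under Control Panel > Installed Updates.
$installed = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($installed) {
    "$KbId installed on $($installed.InstalledOn)"
} else {
    "$KbId NOT listed by Get-HotFix (check file versions below before concluding it is missing)"
}

# 2. Record file versions of the IE scripting-engine DLLs, 64-bit and 32-bit (WOW64) copies,
#    so they can be compared with the version table in the KB article.
$engineDlls = 'jscript.dll', 'jscript9.dll', 'vbscript.dll'
foreach ($dll in $engineDlls) {
    foreach ($dir in "$env:windir\System32", "$env:windir\SysWOW64") {
        $path = Join-Path $dir $dll
        if (Test-Path $path) {
            $ver = (Get-Item $path).VersionInfo.FileVersion
            "{0,-45} {1}" -f $path, $ver
        }
    }
}

# 3. Which IE build is present? svcVersion holds the full IE11 version string.
$ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
"IE version: $($ie.svcVersion)"
```

Run it from an elevated prompt (the install step needs administrator rights). Get-HotFix does not always list every update delivered through Windows servicing, so the DLL file versions are the more reliable evidence that the patched scripting engine is on disk; a reboot is required before the new binaries are loaded by running IE processes.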
This isn’t the first time that Microsoft has had to patch Internet Explorer on the fly for a scripting vulnerability being exploited by hackers. In December 2018, the Redmond, Wash. developer shipped an emergency security update to deal with how IE’s “scripting engine handles objects in memory,” the exact language used in Monday’s bulletin.