Earlier today, Microsoft released an out-of-band patch to address a critical vulnerability that affects all versions of Internet Explorer. It should be noted that Windows 10 is also affected due to its default installation of IE 11. The vulnerability (CVE-2015-2502), discovered by Clement Lecigne of Google, is a memory corruption bug allowing a remote attacker to execute arbitrary code in the context of the current user. In order to exploit this vulnerability, an attacker would host a malicious website and, using a bit of social engineering, convince the victim to browse to it. If the victim were running with administrative privileges, the entire system could be compromised. This should serve as yet another reminder to never follow untrusted URLs and to enforce least-privilege access in your organization whenever possible.
As always, BeyondTrust is working hard to keep you and your network protected and has provided the following audits (available in audits release 2956) to detect this vulnerability:
48215 - Microsoft Security Update for Internet Explorer (3088903) - KB3087985
48216 - Microsoft Security Update for Internet Explorer (3088903) - KB3081444
Learn more about our vulnerability management and privileged account management solutions to help keep your organization safe from cybersecurity attacks.
Scott Lang, Sr. Director, Product Marketing at BeyondTrust
Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.