A recently-discovered security flaw is thought to affect every version of Windows. In a monthly release as part of its Patch Tuesday, Microsoft announced that all versions of Windows Vista and later required a significant patch to repair a remote code execution flaw discovered in Internet Explorer.
Microsoft’s newest browser, Edge, is unaffected by the flaw.
The patch is called MS15-106 and it addresses a flaw in how Internet Explorer handles objects in memory. An attacker could exploit this flaw to gain access to an affected machine. After gaining access, that user would have the same authority as a logged-in user, which could potentially allow the attacker to install programs and edit, read, or delete data.
It’s unknown whether attackers knew about this flaw, or if Microsoft was able to patch it before anything serious occurred.
Attacks Occur Through Compromised Websites
In order to exploit this flaw, an attacker would need to compromise a website, an advertisement, or other web-based content.
Then, the user would need to access that content using an Internet Explorer browser.
Once again, there doesn’t have to be anything special about that user or that Internet Explorer browser: the flaw affects everyone using Windows Vista or later that also uses Internet Explorer – which is still used by the vast majority of Windows users.
Windows server OSes were also found to be at risk, although enhanced security features on these servers would have prevented attacks from proceeding very far.
This week’s Patch Tuesday also involved the installation of MS15-108 and MS15-109 that address other critical vulnerabilities in Windows. A further three patches were released for other “important” issues that were not labeled as critical vulnerabilities.
How to Protect Yourself
As usual, the best way to protect yourself is to run Windows Update right now and install the latest version of the operating system.
Microsoft releases these updates for a reason. If you have Windows Update turned off, then it’s still important to check for regular security updates – it could be the difference between keeping a hold on your system or losing control to an external attacker.
Ultimately, this flaw will only affect people who use Internet Explorer and visit shady-looking websites. And if you’re still doing that in 2015, then you’ve probably got more than this latest exploit to worry about.
Microsoft Thanks FireEye and Other Security Firms for their Help
Microsoft gave PC security researchers the acknowledgment they deserved after this latest breach. In its announcement for this patch, Microsoft specifically thanked FireEye, Zero Day Initiative (from HP), Trend Micro, and Verisign, among other security researchers.