News

Still using Internet Explorer? Hackers could take over your PC without this patch

Microsoft issues emergency fix for IE as it tries to shift customers onto Edge browser

19 Aug 2015

As Microsoft customers debate over whether to upgrade to Windows 10 and its brand new browser, Edge, the company has been forced to patch for a critical Internet Explorer bug.

The emergency fix was published outside of Redmond's usual Patch Tuesday monthly schedule, and seeks to fix a zero-day vulnerability affecting IE7 through to IE11 that allows hackers to remotely control PCs.

Dubbed CVE-2015-2502, the exploit would enable cyber criminals to perform remote code execution issuing commands for a PC remotely if a user is directed to malicious websites hosting specially crafted webpages.

Lane Thames, software development engineer and security researcher at cybersecurity firm Tripwire, said: "This memory corruption vulnerability exists because IE does not properly manage certain objects in memory."

All a user needs do is visit the malicious webpages, with no further action required to trigger the bug.

Security blogger Graham Cluley explained in a Tripwire blog post: "Once a computer has been successfully compromised, the attacker would have the same user rights as the current user meaning that if you are logged in with admin rights, the hacker could take complete control of your PC."

The vulnerability is rated critical for Windows non-Server operating systems, but only moderate for Windows Server platforms including Server 2008, 2008 R2, Server 2012 and 2012 R2.

While Windows 10 browser Edge is not affected by the bug, it is rated as critical for users of IE11 on the 32-bit and 64-bit versions of Windows 10.