Microsoft has deployed an “emergency” security update for Windows 10 users following the discovery of a vulnerability in Internet Explorer. In a security advisory, the tech giant classified the flaw as a remote code execution vulnerability, meaning an attacker could remotely inject and run malicious code in the browser.
“The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user,” the company said. “An attacker who successfully exploited the vulnerability could take control of an affected system.”
The flaw was discovered and reported to Microsoft by security engineer Clement Lecigne, a member of Google's Threat Analysis Group (TAG). The vulnerability had already been exploited by attackers prior to its discovery.
“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email,” Microsoft warned.
Users urged to update immediately
Microsoft said the out-of-band security update it has issued “addresses the vulnerability by modifying how the scripting engine handles objects in memory.”
The Cybersecurity and Infrastructure Security Agency (CISA) also issued a security advisory encouraging users to apply the necessary updates to prevent an affected system from being taken over by a remote attacker.
Windows users are advised to install the updates right away. Microsoft’s security advisory includes links to the manual update packages.