Microsoft released its new and improved web browser, Microsoft Edge, on July 29, 2015, but this browser is currently compatible only with Windows 10. According to the latest data, around 50 million devices are now running this version of Windows. The rest of Windows users are stuck with good old Internet Explorer and all its vulnerabilities. The latest of these vulnerabilities is tracked under the identifier “CVE-2015-2502.” It affects Internet Explorer 7 through the most recent version, Internet Explorer 11. As researchers at Bromium Labs have found, IE was the most vulnerable browser of 2014, and it is unlikely that this year’s title will go to any other popular web browser. CVE-2015-2502 suggests that this will indeed be the case.
According to Microsoft’s Security Bulletin MS15-093, CVE-2015-2502 is a memory corruption vulnerability, and it poses a critical threat because it allows remote code execution. This type of vulnerability enables remote attackers to compromise certain websites or even ad networks associated with them. If you interact with these websites, you could become a victim of a cyber attack before you realize it. Although attackers could exploit this vulnerability through widely used websites, it is more likely that you will be tricked into visiting unfamiliar ones. For example, you might find a link leading to a corrupted website in a spam email. For this reason, it is crucial that you do not interact with any suspicious links until you have installed the patch for the CVE-2015-2502 vulnerability.
If you check the Vulnerability Information provided by the Microsoft Security Bulletin, you will find that CVE-2015-2502 is believed to have been exploited already. This suggests that the threat is no longer just theoretical. The attacker code, which is executed when a user visits a compromised site, could allow attackers to gain all of your user rights. Needless to say, if you have administrative rights, your entire operating system could be taken over just because you visited a malicious or corrupted webpage. If this happened, attackers could manipulate data found on your computer and use your credentials to create new accounts. Unfortunately, the fact that security experts all over the world are reporting the CVE-2015-2502 vulnerability does not mean that users are safe. In fact, the more information about this vulnerability emerges, the more attackers are likely to try exploiting it. This is why users should never postpone installing patches and security updates.
Even if you do not use Internet Explorer as your default web browser, it is imperative that you patch the CVE-2015-2502 vulnerability. The components of this browser can be employed by other Microsoft applications, which means that you could become a victim even if you stay away from the browser itself. On top of that, cyber criminals could adapt their drive-by download attacks to force you into visiting infected sites via IE. Note that Internet Explorer is compatible with Windows 10 as well, which is why you should download the patch even if this is the Windows version you are currently running.
Although the patch for the CVE-2015-2502 vulnerability was added to the latest Windows update, not all users have automatic updates enabled. Others choose to postpone updates. If you are in a situation where you need to install updates manually, you have to install them in a particular order. According to the experts at Microsoft, users have to install update 3078071 before update 3087985. As mentioned in the Security Bulletin, “Failure to follow the install order can lead to degraded functionality.” If you have any questions about the vulnerability or the process of patching it, please start a discussion by posting a comment below.
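
To see where a machine stands before installing manually, the following PowerShell script (an added example, not code from Microsoft or the bulletin) checks for the two updates named above and reports the next step. The function names are hypothetical, and the script assumes both updates appear in the `Get-HotFix` listing on the system being checked.

```powershell
# Added example: check the install order for updates 3078071 and 3087985.
# Assumption: both updates are reported by Get-HotFix on this machine.

function Find-Update {
    param([string]$Id)
    # Filter the full list so a missing update yields $null, not an error.
    Get-HotFix | Where-Object { $_.HotFixID -eq $Id } | Select-Object -First 1
}

function Get-PatchOrderStatus {
    param(
        [string]$PrereqId = 'KB3078071',  # must be installed first
        [string]$PatchId  = 'KB3087985'   # update that fixes CVE-2015-2502
    )
    $prereq = Find-Update -Id $PrereqId
    $patch  = Find-Update -Id $PatchId

    if (-not $prereq -and -not $patch) {
        return "Neither update found: install $PrereqId, then $PatchId."
    }
    if (-not $prereq) {
        return "$PatchId found without ${PrereqId}: install order was not followed."
    }
    if (-not $patch) {
        return "$PrereqId found: $PatchId can be installed now."
    }

    # InstalledOn has day granularity and can be empty, so compare only
    # when both dates are present and treat same-day installs as in order.
    if ($prereq.InstalledOn -and $patch.InstalledOn -and
        $patch.InstalledOn -lt $prereq.InstalledOn) {
        return "Both found, but $PatchId was installed before ${PrereqId}: check for degraded functionality."
    }
    return "Both updates found in the expected order."
}

Get-PatchOrderStatus
```

Run it from a PowerShell prompt on the machine being patched; it only reads the installed-update list and changes nothing.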