Microsoft has issued an emergency update that fixes a critical Internet Explorer vulnerability that attackers are actively exploiting on the Internet.
The memory-corruption flaw allows attackers to remotely execute malicious code when computers use IE to visit a booby-trapped website, Microsoft said Wednesday. Indexed as CVE-2018-8653, the flaw affects all supported versions of Windows. The vulnerability involves the way Microsoft’s scripting engine handles objects in memory in Internet Explorer.
In a separate advisory, Microsoft said the vulnerability is being used in targeted attacks, but the company didn’t elaborate. Microsoft credited Clement Lecigne of Google’s Threat Analysis Group with discovering the vulnerability. No other details were available about the vulnerability or exploits at the time this post was being reported.
Microsoft said that customers who have Windows Update enabled and have applied the latest security updates are automatically protected against exploits. Microsoft said it knows of no workarounds of mitigations. Windows users should ensure their computer installs the update as soon as possible, even if they don’t normally use IE to browse sites.