Microsoft has released its widely anticipated, out-of-band patch for Internet Explorer. MS15-093/KB 3088903 covers all supported versions of IE (7, 8, 9, 10, and 11) on all supported platforms, including Windows 10.
Details at the moment are spotty, but based on the KB description, it sounds like a drive-by remote code execution hole that can lurk inside ads on websites.
An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit this vulnerability.
As explained in the KB article, the vulnerability has not been publicly disclosed, but it is being actively exploited. It’s identified as CVE-2015-2502.
The SANS Internet Storm Center has a post up for the patch. Expect any new information to appear there as soon as it’s available.
Reddit also has a thread going: Microsoft Security Bulletin MS15-093 - RCE in IE7-11 with active exploits in the wild.