Microsoft today released an emergency software update to plug a critical security flaw in all supported versions of its Internet Explorer browser, from IE 7 to IE 11 (this flaw does not appear to be present in Microsoft Edge, the new browser from Redmond that is intended to replace IE).
According to the advisory that accompanies the patch, this is a browse-and-get-owned vulnerability, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site. Windows users should install the patch whether or not they use IE as their main browser, as IE components can be invoked from a variety of applications, such as Microsoft Office. The emergency patch is available via Windows Update or from Microsoft’s Web site.
Microsoft’s advisory does not say whether this flaw is actively being exploited by attackers, but it seems likely. The patch comes just one week after the company released a slew of IE updates and other fixes for security flaws in Windows and Windows components as part of its regular Patch Tuesday monthly patch cycle (the second Tuesday of each month). The advisory credits a Google employee with reporting the vulnerability.