All supported versions of IE at riskOn Tuesday afternoon (August 18th), Microsoft took the unusual step of releasing a patch outside of their normal cycle of Windows updates on the second and fourth Tuesday of each calendar month. This can be taken as an indicator of the severity of the problem which has been discovered.
In the associated bulletin accompanying the patch release (MS15-093) Microsoft document the presence of a flaw (assigned the cross-industry reference of CVE-2015-2502) which has the potential to allow an attacker to gain access to a the browser user?s local machine with all privileges of that user, through a flaw in all currently supported versions of Internet Explorer (versions 7 up to 11) on all platforms, including Windows 10. What is not specified is whether earlier versions of the browser, which reached end of support life some time ago but are still routinely in use in some instances, are also affected. It would be prudent to assume that they probably are (besides which they are known to harbour other unpatched vulnerabilities), and all possible efforts should be made to remove obstacles to replacing them with a newer browser.
All users of (supported release of) Internet Explorer are advised to apply this update, urgently.
Footnote: Microsoft's new browser product "Edge", which accompanies the recently released Windows 10, is explicitly reported as not being at risk.
Update:Symantec's summary reveals that the following server software is also at risk from this vulnerability:
- Avaya CallPilot (v4.0, v4.0.1, v5.0, v5.0.1, v5.1.0)
- Avaya Meeting Exchange ? Client Registration Server, Recording Server, Streaming Server, Web Conferencing Server, and Webportal (v5.0, v5.0.1, v5.2, v5.2.1, v6.0, v6.2)
- Avaya Messaging Application Server (v5.0, v5.0.1, v5.2, v5.2.1, v6.0, v6.2)