Published: 19/08/2015 Updated: 12/10/2018
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
VMScore: 828
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Microsoft Internet Explorer 7 through 11 allows remote malicious users to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Memory Corruption Vulnerability," as exploited in the wild in August 2015.

Vulnerability Trend

Recent Articles

Unholy Hong Kong hackers hit evangelicals with IE 0day
The Register • Darren Pauli • 21 Aug 2015

Fast moving blackhats backdoor church-goers.

Hackers are already using an Internet Explorer vulnerability disclosed this week to hack members of an evangelical church.
The attackers compromised the website of the Evangelical Lutheran Church of Hong Kong, injecting a malicious iFrame that redirects the faithful to a malicious website sporting the Internet Explorer vulnerability (CVE-2015-2502).
More javascript redirections lead to the PlugX (pdf) malware landing on machines. Once running, the malware opens a back door and begins...

Microsoft drops rush Internet Explorer fix for remote code exec hole
The Register • Darren Pauli • 19 Aug 2015

IE 7 through 11 needs a big band-aid, fast, especially workstations, terminal servers

Microsoft has released an out-of-band patch for Internet Explorer versions 7 through 11, to close a dangerous remote code execution flaw allowing attackers to commandeer machines.
The attack will be a highly useful tool in hacker arsenals likely allowing them to build powerful phishing, watering hole, and malvertising campaigns.
Redmond's new Edge browser is not impacted.
"The vulnerability (CVE-2015-2502) could allow remote code execution if a user views a specially crafted we...

Emergency IE Patch Fixes Vulnerability Under Attack
Threatpost • Michael Mimoso • 18 Aug 2015

Microsoft today released an emergency patch for all supported versions of Internet Explorer, including IE 11 running on the recently released Windows 10.
Microsoft said in its advisory that the zero-day is being publicly exploited. Google security engineer Clement Lecigne is credited with reporting the issue. A request for comment to Lecigne was not returned in time for publication.
The vulnerability, CVE-2015-2502, enables remote code execution, Microsoft said in bulletin MS15-093.<...