Microsoft on Monday released an emergency security update to patch a vulnerability in Internet Explorer (IE), the legacy browser predominantly used by commercial customers.

The flaw, which was reported to Microsoft by Clement Lecigne, a security engineer with Google's Threat Analysis Group (TAG), has already been exploited by attackers, making it a classic "zero-day," a vulnerability actively in use before a patch is in place.

In the security bulletin that accompanied the release of the IE patch, Microsoft labeled the bug a remote code execution vulnerability, meaning that an attacker who exploited it could run code of their choosing on the victim's machine with the same rights as the logged-in user, not merely tamper with the browser. Remote code execution, or RCE, flaws are among the most serious a browser can have. That seriousness, as well as the fact that criminals are already leveraging the vulnerability, was reflected in Microsoft's decision to go "out of band," or off the usual patching cycle, to plug the hole.

Traditionally, Microsoft delivers its security updates on the second Tuesday of each month, the so-called "Patch Tuesday." The next such date will be Oct. 8, or in two weeks. Because an out-of-band release falls outside that schedule, administrators who rely on scheduled patch windows or automatic updates should confirm that the fix has actually reached their IE installations rather than assume it will arrive with the October cycle.

"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email," Microsoft wrote in the bulletin.

The bug is in IE's scripting engine, the component that runs JavaScript and other script embedded in web pages, Microsoft said, but did not elaborate. That location is consistent with the attack scenario above: the exploit is triggered simply by rendering a page the attacker controls, with no further user interaction required.

Microsoft posted security updates for Windows 10, Windows 8.1, Windows 7, Windows Server 2019, Windows Server 2016, Windows Server 2012 and 2012 R2, and Windows Server 2008 and 2008 R2. All still-supported versions of IE were patched, including IE9, IE10 and the dominant IE11.

Computerworld