The company has issued a security bulletin that describes how users who are lured to specially crafted webpages could have attackers take over control of their computers with the same rights as the user who logged into the machine.
“If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system,” the bulletin says. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The exploit could result in attackers executing code on the machines, elevation of privileges, information disclosure and security bypass.
Exploits take advantage of IE improperly accessing data in memory, and the patch modifies how it accesses such data. There are no workarounds for the problem other than installing the patch.
The alert says that the vulnerability has already been exploited, and Microsoft ranks its severity as critical on client machines. Its severity is ranked as moderate for servers. It affects IE 7-11 running on Windows Vista through Windows 10 clients and on Windows Server 2008 and Server 2012.