Microsoft has released an out-of-band patch for Internet Explorer versions 7 through 11, to close a dangerous remote code execution flaw allowing attackers to commandeer machines.
The attack will be a highly useful tool in hacker arsenals likely allowing them to build powerful phishing, watering hole, and malvertising campaigns.
Redmond's new Edge browser is not impacted.
"The vulnerability (CVE-2015-2502) could allow remote code execution if a user views a specially crafted webpage using Internet Explorer, Microsoft says in an advisory .
"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability."
The flaw is rated critical for all affected versions of the default Windows web browser, and moderate for instances running on Windows server.
There are no workarounds for the hole meaning admins must apply the fix. Microsoft's popular Enhanced Mitigation Experience Toolkit defence tool and the default Enhanced Security Configuration for Windows servers can help to raise the bar to exploitation.
Google security bod Clement Lecign is credited with the vulnerability discovery.
The SANS Institute recommends immediate testing and patching.
Windows Update should be spewing the update as you read this line of text. ®