Microsoft has issued an out-of-band patch for the second month running, this time for a critical vulnerability in its IE browser that affects all versions of Windows. In the worst possible scenario the flaw might allow an attacker to gain full user rights on a machine running any version of Windows.

In the security bulletin, MS15-093, rated ‘critical’ Microsoft said that, “The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.”

The remote code execution vulnerability, CVE-2015-2502, works when IE improperly accesses objects in memory, says Microsoft. An attack could happen when a user views a website that has been compromised by an attacker through adding “specially crafted” content. An attacker might also convince users to visit a website that has been specifically created to exploit the vulnerability. Microsoft adds, however, that, “an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an instant messenger or email message that takes users to the attacker’s website, or by getting them to open an attachment sent through email.”

If this should happen an attacker could view, add, delete data, install programs and create new accounts. Microsoft said that systems in which IE is routinely used at the most at risk. However, the bug does not affect Microsoft’s Windows 10 Edge browser.

Clement Lecigne, from Google Security, has been credited with finding the flaw.

The update is available here.

Photo credit: Javier Aroche via Flickr