Microsoft is urging Windows users to install an “emergency” out-of-band security patch to address critical vulnerabilities in its software.
The software giant issued an advisory this week warning that security flaws in some versions of Internet Explorer could allow an attacker to remotely take control of an affected system.
"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system," Microsoft said.
An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights.
"In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email," the tech giant said.
Microsoft also issued an advisory about a patch for a security flaw in some versions of its anti-malware software, Microsoft Defender, which, if exploited, could cause a denial of service that prevents legitimate users from using the software.
The Internet Explorer flaw affects versions 9, 10 and 11. Users must install the security update for Internet Explorer manually, but the update for Windows Defender will be installed automatically, according to Microsoft.
Clyde Hewitt, executive advisor of cybersecurity firm CynergisTek, said Microsoft's security vulnerability alert provides a "teachable moment" for chief information officers.
"Those that first hear of this vulnerability through news reports rather than a direct feed will have lost precious hours or even days—time that could be used to protect them from a widespread attack like NotPetya. Consider what would happen if a future alert arrives Friday evening but news reports are not widely distributed until the following Monday. Those organizations may be responding to an active attack rather than patching," he said.
Healthcare CIOs and security officials should have concerns with any out-of-band patch, Hewitt said. "In this instance, it means an active exploitation has been found that impacts up to 7% of all browsers including versions of Internet Explorer 9, 10, and 11," he said.
Homeland Security issued an advisory urging affected users to install the patches.
Cybersecurity researchers emphasize the importance of patching software and devices to protect against security threats.
In May, Microsoft took the rare step of releasing a patch for a handful of legacy operating systems it no longer services after finding a critical vulnerability. The company warned users to patch their systems quickly to avoid another WannaCry ransomware attack.
Healthcare is particularly vulnerable to security threats like WannaCry ransomware because of its old and unmanaged devices. Microsoft announced back in March that it will end support for Windows 7 on Jan. 14, after which it will no longer issue security updates for it.
The security risks for healthcare are potentially huge as the industry is still reliant on legacy operating systems, particularly for medical devices, according to cybersecurity experts. A recent study from cybersecurity firm Forescout found that a staggering 70% of devices in healthcare organizations will be running unsupported Windows operating systems by January.