• What do we know about the big, scary, exploited, emergency patched Internet Explorer security hole CVE-2019-1367?

    #1964542

    Nothing. Well, almost nothing. Do you think that Microsoft’s cleaned up its Windows patching mess? Details coming in Computerworld.
    [See the full post at: What do we know about the big, scary, exploited, emergency patched Internet Explorer security hole CVE-2019-1367?]

    4 users thanked author for this post.
    • #1964568

      I just installed Windows Server 2019 Essentials and Std. for my domain and web server respectively. They both have IE out of the box. The browser is used for accessing help files (FYI, ‘Click here for more information’). I’m considering installing Firefox on these machines as the default browser (as it is on my workstations). It would seem safer than relying on IE. Any thoughts?

      • #1964586

        Why use a web browser on a server?

        Red Ruffnsore

        • #1964587

          Just explained that in my post. Most, but not all, Microsoft Help files are now in the cloud, not on the local computer.

          • #1964840

            Help files on a server are very unhelpful. Googling on a separate machine is way better.

            Susan Bradley Patch Lady/Prudent patcher

    • #1964625

      Do you think that Microsoft’s cleaned up its Windows patching mess?

      – Patches appear on random dates.
      – Patches are issued again and again.
      – Patches appear in the Windows Update Catalog, but not in the Windows Update Queue.
      – Patch documentation is incomplete.
      – Patches require “i” before “e” installation in order to install correctly.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      1 user thanked author for this post.
      • #1964639

        – Patches are issued again and again.

        They may be issued with the same KB number but with changed metadata and/or contents. So they are not the same patch, just the same name.

        – Patches appear in the Windows Update Catalog, but not in the Windows Update Queue.

        This is intentional. Some patches are not meant for general distribution, and therefore are not offered to a general User base through Windows Update.

        – Patches require “i” before “e” installation in order to install correctly.

        If you don’t understand Windows updating, you should not be using manual patching. It is not a method recommended for the general User.

        2 users thanked author for this post.
    • #1964655

      To continue with patching difficulties:

      – Average person is unaware that patches have been issued with the same number.
      – Servicing Stack Updates must be treated differently.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      1 user thanked author for this post.
      • #1964659

        – Average person is unaware that patches have been issued with the same number.

        The average person has no need to know that if they use Windows Update and don’t try to manage Windows updating themselves.

        – Servicing Stack Updates must be treated differently.

        Again, the average person has no need to know that if they use Windows Update and don’t try to manage Windows updating themselves.

    • #1964658

      – Average person is unaware that patches have been issued with the same number.

      Just wait till you see the dual-patch-one-KB approach in Win10 1903 and 1909.

      We ain’t seen nuthin’ yet.

    • #1964719

      Windows 10, 1809. The local news this morning reported on the IE patch and went on to say that you needed to install it manually, as it was not available through Windows Update. If this is the case, and we need this patch, can someone provide a link to the catalog for it? Seems kinda strange if this is that important that it would not come down through WU.

      Group A

      • #1964727

        It’s NOT an emergency patch, although lots and lots and lots of commentators are saying it is.

        The patch is — patches are — a Keystone Kops routine that’s somehow made it into the mainstream media. Just ask yourself if the reporter responsible has any idea what a “scripting engine memory corruption vulnerability” is, or if they can point to just one example of the vulnerability appearing in the wild.

        Read my latest Computerworld article for details.

        Note that we’re still at MS-DEFCON 2.

        2 users thanked author for this post.
        • #1964849

          Yeah, I’m seeing a lot of headlines this week and last warning of impending doom, update immediately.

          I have a bad habit of glossing over readings but something seems odd regarding all the hoopla.

          So there have been several emergency patches regarding IE security/VB script issues within the past week. Numerous tech sites are saying you need to run Windows Update immediately. However, up until tomorrow apparently the patches were not offered on Windows Update but only via Microsoft Download Catalog. So there’s probably a lot of people that rushed to Windows Update, applied any available updates and now believe they are protected when the patches have not yet been offered through WU.

          I was wondering earlier this week as others have already mentioned, if these patches were so critical why were they not originally offered through WU?

          Red Ruffnsore

          2 users thanked author for this post.
    • #1964819

      No, I do not think that MS has cleaned up its patching chaos and the hysteria helped no-one.
      The result of this is that subsequent true claims will be disbelieved.

      2 users thanked author for this post.
    • #1965363

      Do you think that Microsoft’s cleaned up its Windows patching mess?

      Even with their new AI processors?

      Laurel-and-Hardy

      No, no, I don’t think they have…

      (Sorry, couldn’t resist.)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty

      1 user thanked author for this post.
    • #1966099

      The most concerning thing for me is that Microsoft’s team of security experts (the ones being paid to keep us all cyber safe) are not even the ones who discovered this zero-day memory corruption vulnerability in Internet Explorer; it was in fact Clément Lecigne of (GOOGLE’s) Threat Analysis Group, and this is not the first time that someone on the outside looking in has spotted danger in a Microsoft OS!! It just about has me ready to spring for that new Chromebook or MacBook. I’m not suggesting these choices are flawless, but Microsoft has truly fumbled the ball. I mean, they are bricking people’s brand new out of the box Windows 10 computers or at the very least killing the joy of that new car smell.

      mrj2k

      • #1966644

        We all wish we could catch our own mistakes. It is fairly normal for someone else to find our flaws for us. We only hope they are kind when they pull us aside to point out the spinach in our teeth. It is why writers pay for proofreading services, and major software developers have bounty programs. (Some even use in-house Quality Control.)

        I agree that Microsoft has stumbled more than usual. But it is not made worse that an outsider found it first. It was bad before the announcement. And it is bad after the announcement. The only difference is we heard the announcement. And that helps move us toward better.
