I’ve seen a lot of confusion about the security hole known as CVE-2019-1367 and what normal Windows customers should do about it. Part of the reason for the confusion is the way the fix was distributed – the patch files were released on Monday, Sept. 23, but only via manual download from the Microsoft Update Catalog.
On a Monday.
In the past few hours, Microsoft released a hodge-podge of patches that seem to tackle the problem. They’re “optional non-security” and “Monthly Rollup preview” patches, so you won’t get them unless you specifically go looking for them.
As a bit o’ lagniappe, if you use Windows Update to install the sky-is-falling IE patch, you’ll get a bunch of additional marginally-tested patches along for the ride.
Here are the most important Win10 patches that appear to contain the IE/CVE-2019-1367 fix:
- Win10 1809 and Server 2019 – KB 4516077 – build 17763.774.
- Win10 1803 – KB 4516045 – build 17134.1039.
- Server 2016 – KB 4516061 – build 14393.3242.
I say “appear to contain” the fix because, as best I can tell, none of the documentation mentions CVE-2019-1367, the security hole that was fixed yesterday in an odd single-purpose cumulative update. These, too, are cumulative updates, but they’re specifically identified as “non-security updates.”
Which is disingenuous, at best.
Those patches are only available if you click “Check for updates.” Microsoft would traditionally call them “optional, non-security” patches, but with the likely (if undocumented) presence of a separately identified out-of-band security patch, it’s hard to say what to call them.
We don’t have a cumulative update for Win10 1903 just yet. We do, however, have a manually downloadable out-of-band patch for the IE problem in 1903, KB 4522016.
Over on the Windows 7/8.1 side of the fence, it appears as if the CVE-2019-1367 fix is part and parcel of the two Monthly Rollup Previews just released:
- Win7 – KB 4516048 – “Addresses an issue that may cause an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in the Event Log related to cryptnet.dll.”
- Win8.1 – KB 4516041 – Fixes the bug that prevented IE 11 from running on RT devices.
There’s no indication in the KB articles that either of these Previews fixes the IE hole, but an independent check by AskWoody’s @EP shows that the Previews contain the latest IE file. That likely means the security hole has been plugged in the Previews.
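If you want to know where a given machine stands against the patches listed above (both the Win10 list and the Win7/8.1 Previews), here is a check script. It is an added example, not code from the original post or from Microsoft; it only uses the KB numbers and build strings quoted in the post, reads the installed build from the registry and asks Get-HotFix whether any of those KBs is present. The post does not give the IE file version that @EP compared, so this script does not look at IE files at all; the “product” labels in the table are taken from the post, and the registry value UBR is assumed to exist only on Win10/Server 2016 and later (it is skipped elsewhere).

```powershell
# Added example (not from the original post): report the installed OS build and
# whether any of the KBs named in the post is present on this machine.
# KB numbers and build strings come from the post; nothing else is assumed.

$Candidates = @(
    @{ KB = 'KB4516077'; Product = 'Win10 1809 / Server 2019';       Build = '17763.774'  },
    @{ KB = 'KB4516045'; Product = 'Win10 1803';                     Build = '17134.1039' },
    @{ KB = 'KB4516061'; Product = 'Server 2016';                    Build = '14393.3242' },
    @{ KB = 'KB4522016'; Product = 'Win10 1903 (out-of-band IE fix)'; Build = $null        },
    @{ KB = 'KB4516048'; Product = 'Win7 Monthly Rollup Preview';    Build = $null        },
    @{ KB = 'KB4516041'; Product = 'Win8.1 Monthly Rollup Preview';  Build = $null        }
)

# Installed build is CurrentBuild.UBR (e.g. 17763.774). UBR is only present on
# Win10 / Server 2016 and later (assumption), so fall back to CurrentBuild alone.
$ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$installedBuild = if ($ver.UBR) { '{0}.{1}' -f $ver.CurrentBuild, $ver.UBR } else { "$($ver.CurrentBuild)" }
Write-Host "Installed build: $installedBuild"

# Get-HotFix lists installed updates by KB id (HotFixID looks like 'KB4516077').
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($c in $Candidates) {
    $present = $installed -contains $c.KB

    # Only compare builds where the post gives one and the machine reports a UBR.
    $buildOk =
        if (-not $c.Build -or -not $ver.UBR) { 'n/a' }
        else { [version]$installedBuild -ge [version]$c.Build }

    [pscustomobject]@{
        KB             = $c.KB
        Product        = $c.Product
        Installed      = $present
        BuildAtOrAbove = $buildOk
    }
}
```

Run it in an elevated PowerShell prompt; a row with Installed = True, or BuildAtOrAbove = True for the Win10 entries, means that cumulative update (or a later one) is on the box. A machine that shows neither has not picked up any of the packages the post discusses, which is exactly the state the “optional, non-security” labelling makes easy to miss.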
At this point, I don’t see why the Windows blogosphere has tied itself in knots warning about the IE/CVE-2019-1367 security hole. Yes, Microsoft has said that it’s been exploited in the wild. No, we don’t have any more information. The folks who know aren’t talking. The most credible story I’ve seen involves a very targeted attack from the (reputedly) Korean group known as DarkHotel.
At any rate, for almost everybody, this appears to be yet another tempest in a teapot. My advice is to sit tight, don’t update anything, and stop using Internet Explorer.
Unless you’ve done something to make DarkHotel angry, of course.