Microsoft releases even more patches for the CVE-2019-1367 IE zero-day, and the bugs are having a field day




You may recall the Keystone Kops reenactment that goes by the code name CVE-2019-1367. In short:

Sept. 23: Microsoft released the CVE-2019-1367 bulletin, and published Win10 cumulative updates in the Microsoft Catalog for versions 1903, 1809, 1803, 1709, 1703, Server 2019 and Server 2016. It also released an IE rollup for Win7, 8.1, Server 2012 and Server 2012 R2. Those were only available by manual download from the Catalog — they didn’t go out through Windows Update, or through the Update Server. 

Sept. 24: Microsoft released “optional, non-security” cumulative updates for Win10 version 1809, 1803, 1709, 1703, 1607/Server 2016. Nothing for Win10 version 1903. We also got Monthly Rollup Previews for Win7 and 8.1. Microsoft didn’t bother to mention it, but we found that those Previews include the IE zero-day patch as well. This bunch of patches went out through normal channels — Windows Update, Update Server — but they’re “optional” and “Preview,” which means most savvy individuals and companies won’t install them until they’ve been tested.

Sept. 25: Microsoft “clarified” its badly botched patching strategy:

Starting September 24, 2019, mitigation for this vulnerability is included as part of the 9C optional update [Microsoft-speak for the third cumulative update in September—WL], via Windows Update (WU) and Microsoft Update Catalog, for all supported versions of Windows 10, with the exception of Windows 10, version 1903 and Windows 10, version 1507 (LTSB).

Sept. 26: Microsoft released the “optional, non-security” patch for Win10 version 1903. It apparently includes the fix for this IE zero-day.

Oct. 3: Out of the blue, Microsoft released a full set of honest-to-goodness Cumulative Updates and Monthly Rollups for all versions of Windows:

Copyright © 2019 IDG Communications, Inc.





