Microsoft Patch Alert: Mystery patches for IE and Outlook 2013 leave many questions, few answers

Credit to author: Woody Leonhard | Date: Fri, 21 Dec 2018 08:21:00 -0800

Just when you’re ready to settle in for some egg and nog and whatever may accompany, Windows starts throwing poison frog darts. This month, a fairly boring patching regimen has turned topsy-turvy with an unexplained emergency patch for Internet Explorer (you know, the browser nobody uses), combined with an Outlook 2013 patch that doesn’t pass the smell test.

Microsoft set off the shower of firecrackers on Dec. 19 when it released a bevy of patches for Internet Explorer:

Win10 1809: KB 4483235 – build 17763.195
Win10 1803: KB 4483234 – build 17134.472
Win10 1709: KB 4483232 – build 16299.847
IE 11 on Win7 and 8.1: KB 4483187

As Gregg Keizer explains in his Computerworld analysis:

Microsoft issued a rare emergency security update to plug a critical vulnerability in the still-supported IE9, IE10 and IE11. The flaw was reported to Microsoft by Google security engineer Clement Lecigne. According to Microsoft, attackers are already exploiting the vulnerability, making it a classic “zero-day” bug.

That’s what Microsoft claimed; from the description it sounds like a drive-by hole, where you can get infected by merely looking at a bad website. But in spite of dire warnings from many corners, there’s exactly no information about the vulnerability making the rounds. In a situation like this, one would expect some sort of detailed explanation from Microsoft, Google or Lecigne. As of early Friday morning, we’ve seen nothing.  

Perhaps all the explainers are already beset with visions of sugarplums, but it’s mighty odd for an emergency patch to hit the offal fan with nary a hint of what’s wrong, or why it needs to be fixed with such abandon. This isn’t a garden variety “C” or “D” week non-security patch. It’s a full 10-claxon call to arms at a time when most people are taking an early vacation. Or at least a languid liquid lunch.

To add to the urgency, Microsoft Thursday night issued a similar tiny IE patch for the latest beta test round of the next version of Win10 – KB 4483187 brings the “19H1” beta build up to 18305.1003. So something’s afoot, but we don’t know what.

As most of you know, patching IE isn’t just for people who actually use IE. Microsoft has woven IE into the fabric of Windows – and it’s still there despite a decade-or-so of extraction effort. An IE patch is an important event because a hole in IE can manifest itself in many ways. But in this case, with no clear explanation, we don’t know what ways, or whether you’re only at risk if you actually use IE.

It gets worse.

I’m seeing reports that the Win7 patch, KB 4483187, triggers random crashes. Removing the update restores the machines. But with the holidays about to go into full swing, it’s hard to say if that’s an isolated incident or a lump of cantankerous coal.
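A quick way to tell whether a given machine already carries the Dec. 19 IE fix, using the KB numbers and fixed build numbers listed above. This is an added example, not something from the article or from Microsoft; it reads only the standard Windows NT\CurrentVersion registry values, and the rollback line at the end is for anyone who hits the Win7 crashes described above.

```powershell
# Added example; not from the article. Checks whether this machine already has the
# Dec. 19 IE fix, using the KB numbers and fixed build numbers the article lists.
# Registry paths are the standard Windows NT\CurrentVersion values; nothing else is assumed.
$fixes = @{
    '1809' = @{ KB = 'KB4483235'; Build = 17763; UBR = 195 }
    '1803' = @{ KB = 'KB4483234'; Build = 17134; UBR = 472 }
    '1709' = @{ KB = 'KB4483232'; Build = 16299; UBR = 847 }
}

$nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

if ($nt.CurrentMajorVersionNumber -ne 10) {
    # Win7 / 8.1: IE 11 gets its own cumulative IE update, so Get-HotFix is the check.
    $kb = 'KB4483187'
    $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    if ($hf) { "$kb installed on $($hf.InstalledOn)" } else { "$kb is NOT installed" }
    # If this patch is behind the crash reports, it can be backed out from an elevated prompt:
    #   wusa.exe /uninstall /kb:4483187 /norestart
    return
}

# Win10: the fix ships inside the monthly cumulative update, and any later cumulative
# supersedes it, so a KB that is absent from Get-HotFix proves nothing. Compare the
# build revision (UBR) against the fixed build instead.
$release = [string]$nt.ReleaseId
$build   = [int]$nt.CurrentBuild
$ubr     = [int]$nt.UBR
$want    = $fixes[$release]

if (-not $want) {
    "Win10 $release (build $build.$ubr) is not one of the three releases listed; check the Update Catalog for its equivalent"
} elseif ($build -eq $want.Build -and $ubr -ge $want.UBR) {
    "Win10 $release is at $build.$ubr, at or past $($want.Build).$($want.UBR): $($want.KB) or a later cumulative is present"
} else {
    "Win10 $release is at $build.$ubr, below $($want.Build).$($want.UBR): $($want.KB) is missing"
}
```

The build comparison is the part worth keeping: on Win10 the same fix is carried forward by every later cumulative update, so the revision number, not the KB name, is what tells you whether a box is exposed.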

Outlook 2013 patch three-card monte

Also on Thursday, Microsoft released yet another mysterious patch, KB 4011029, the “December 20, 2018, update for Outlook 2013.” According to the KB article, it fixes a bug where Mail delivery rules stop working. When you try to open the “Manage Rules & Alerts” dialog box in Outlook 2013, you receive the following error message:

The operation failed because of a registry or installation problem. Restart Outlook and try again. If the problem persists, reinstall.

Nice little holiday bug for anyone using rules in Outlook 2013. But, again, there’s more to the story.

Three days ago, Microsoft acknowledged a bug in Outlook that’s identical to the one described in the KB 4011029 article, but it affects three different “perpetual” (which is to say, bought and installed) versions of Outlook – Outlook 2010, 2013 and 2016 — plus four different subscription (which is to say, rented) releases of Office 365:

Version 1810 build 11001.20108
Version 1808 build 10730.20205
Version 1803 build 9126.2315
Version 1708 build 8431.2329

Apparently, the bug was introduced in the November security patches, but hadn’t been acknowledged until three days ago.
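Since only Outlook 2013 has a fix and the other builds are simply listed as affected, the useful check on a PC is which camp it falls into. The script below is an added example, not from the article or from Microsoft. It assumes the Click-to-Run configuration key stores the installed version as 16.0.<build> in VersionToReport, and that the Outlook 2013 patch registers under the Uninstall key with its KB number in DisplayName, as other Office MSI patches do.

```powershell
# Added example; not from the article. Checks whether this PC runs one of the four
# Office 365 Click-to-Run builds the article lists as hit by the rules bug, and whether
# the Outlook 2013 fix KB 4011029 is registered. Assumptions: ClickToRun\Configuration
# holds VersionToReport as 16.0.<build>, and the Outlook 2013 MSI patch registers under
# the Uninstall key with its KB number in DisplayName, as other Office MSI patches do.
$affected = @('11001.20108', '10730.20205', '9126.2315', '8431.2329')   # builds from the article

$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r -and $c2r.VersionToReport) {
    # VersionToReport looks like 16.0.11001.20108; keep only the build part
    $build = ($c2r.VersionToReport -split '\.', 3)[2]
    if ($affected -contains $build) {
        "Office 365 build $build is on the affected list; no fix for this channel had shipped when the article ran"
    } else {
        "Office 365 build $build is not one of the four listed builds"
    }
} else {
    "No Click-to-Run Office found"
}

# Outlook 2013 (MSI install): look for the December 20 update itself
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$fix = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*KB4011029*' }
if ($fix) { "KB 4011029 present: $($fix.DisplayName)" } else { "KB 4011029 not found" }
```

Both registry locations are searched because a 32-bit Office on 64-bit Windows registers its patches under the WOW6432Node branch.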

I’ve found no explanation for why Outlook 2013 has been patched, but the other six versions have not. It’s possible that there are five more patches waiting in the wings. It’s possible that this one patch is actually intended for other versions of Office. All we know for sure is that somebody’s left us hanging out to dry – no explanation, no release plan.

Sounds like a pretty common state of affairs, eh?

All of this is happening against a backdrop of Microsoft’s newly restored zeal in pushing Win10 version 1809 on all Win10 users. Reports on 1809 have been good, in general – although the new feature set won’t wow anyone but the most diehard Windows (and Notepad) fans – but Microsoft itself hasn’t yet declared version 1809 as fit for businesses.

Those who click “Check for updates” are most likely to get the new version, but it’ll get pushed on non-seekers soon enough.

I’ve seen exactly zero reports of machines being taken over by the Internet Explorer bug, zero detailed descriptions of the problem (or its solution), zero bonafide cause for alarm, but the “Sky is Falling – Patch Right Now!” cry continues to ring throughout the blogosphere. That could mean one of two things:

I’m convinced the latter is far more likely. But your level of paranoia may well differ. Hey, you may actually enjoy putting your PC through the wringer while the world’s taking a well-deserved break.

We’ll keep a watchful eye through the holidays on the AskWoody Lounge.

http://www.computerworld.com/category/security/index.rss