Microsoft Patch Alert: Botched IE zero-day patch leaves cognoscenti fuming

Credit to Author: Woody Leonhard | Date: Mon, 30 Sep 2019 10:16:00 -0700

So you think Windows 10 patching is getting better? Not if this month’s Keystone Kops reenactment is an indicator.

In a fervent frenzy, well-meaning but ill-informed bloggers, international news outlets and even little TV stations enjoyed a hearty round of “The Windows sky is falling!” right after the local weather. It wasn’t. It isn’t – no matter what you may have read or heard.

Microsoft has a special way of telling folks how important its patches might be. Every individual security hole, listed by its CVE number, has an “Exploitability Assessment” consisting of:

There is also an indicator of how “likely” it is for a given hole to become a problem with the current software release and/or older versions.

It probably won’t surprise you to know that the definitions of the terms are fluid, inexact, and very hard to nail down.

Security people tend to get excited when they see an “Exploited: Yes” entry for a newly publicized security hole: Obviously, that particular bug needs to be fixed quickly because it’s out there on the loose.

Except that isn’t always the case, and it’s becoming less and less pressing as time goes on. Why? Because most of the “Exploited: Yes” zero-days are directed at a very, very narrow target population. Governments attacking governments. Big, shadowy criminal enterprises spearing high-profile targets. If you’re protecting state secrets or billion-dollar projects, sure, you need to watch out for the zero-days, and right away. If you’re a normal user, normal business, normal organization – not so much.

We saw that ambivalence in action this month. When Patch Tuesday arrived on Sept. 10, Microsoft listed two separate security holes as “Exploited: Yes” – the holes identified as CVE-2019-1214 and CVE-2019-1215. Security folks were tripping over themselves insisting that normal users needed to get both of those patches applied right away.

And then, without announcement or fanfare, sometime late on Sept. 11 or early Sept. 12, Microsoft simply switched those two patches from “Exploited: Yes” to “Exploited: No.” Few people noticed. The red flags had been thrown, the whistle blown, and those two patches remained Patching Public Enemy Nos. 1 and 2.

That brings me to this month’s big, scary, exploited, emergency-patched IE security hole CVE-2019-1367. In what may be the worst rollout in modern Windows patching history, Microsoft rolled all over itself.

Sept. 23: Microsoft released the CVE-2019-1367 bulletin, and published Win10 cumulative updates in the Microsoft Catalog for versions 1903, 1809, 1803, 1709, 1703, Server 2019 and Server 2016. It also released an IE rollup for Win7, 8.1, Server 2012 and Server 2012 R2. Those were only available by manual download from the Catalog – they didn’t go out through Windows Update, or through the Update Server. Admins in charge of networks were going crazy because this “Exploited: Yes” patch was out, but not in a form that they could readily push to all of their machines.

Sept. 24: Microsoft released “optional, non-security” cumulative updates for Win10 version 1809, 1803, 1709, 1703, 1607/Server 2016. Nothing for Win10 version 1903. We also got Monthly Rollup Previews for Win7 and 8.1. Microsoft didn’t bother to mention it, but we found that those Previews include the IE zero-day patch as well. This bunch of patches went out through normal channels – Windows Update, Update Server – but they’re “optional” and “Preview,” which means most savvy individuals and companies won’t install them until they’ve been tested.

Sept. 25: Microsoft “clarified” its badly botched patching strategy:

Starting September 24, 2019, mitigation for this vulnerability is included as part of the 9C optional update, via Windows Update (WU) and Microsoft Update Catalog, for all supported versions of Windows 10, with the exception of Windows 10, version 1903 and Windows 10, version 1507 (LTSB).

It makes me wonder who was minding the store last week.

Sept. 26: Microsoft released the “optional, non-security” patch for Win10 version 1903. It apparently includes the fix for this IE zero-day.

Sept. 30: As of early morning, Microsoft hasn’t provided additional details about the security hole or the patch. If there are exploits in the wild, I don’t know anyone who’s seen them. We also don’t know whether exploiting the security hole requires IE, or whether it can somehow be triggered without using the browser. The situation’s so absurd that Patch Lady Susan Bradley says (paywalled):

At this time, the IE exploits appear to be highly targeted and narrowly applied. But the company hasn’t clearly spelled out the extent of the threat — except indirectly by making the fix relatively difficult to get. So in what might be a first — and with some concern — I’m recommending skipping the still-optional zero-day IE patches, both the standalone updates and in the preview cumulative updates. I believe it’s safer to wait and ensure that the possible side effects are fully investigated.

We have three reported bugs in the latest IE patches.

While September’s most spectacular patching failure incorporates innovative new screw-ups, there are plenty of mundane problems as well:

There is a bit of good news: In spite of initial reports that a working exploit of the BlueKeep vulnerability has hit the fan, there still aren’t any signs of an imminent major infection. We could use a little good news, eh?

Still and all, Win10 patching – Windows patching in general – isn’t getting better. Of this I’m sure.

Join us for free help and commiseration on AskWoody.com
