• Microsoft says the two “Exploited” security holes in the September patches aren’t actually exploited

    I took a lot of flak over this on Twitter.

    In this month’s Patch Tuesday crop were five potentially dangerous security holes — two listed as “Exploited” (meaning Microsoft has seen working exploits using the holes) and three listed as “Publicly disclosed” (meaning someone has posted something about the hole).

    As I said at the time, none of these are a big deal. The publicly disclosed security holes are deemed “Less likely” to be exploited. The exploited security holes were a big mystery — I couldn’t find any substantive information about them. That’s not particularly alarming because Microsoft frequently fixes security holes that are being used in very specific targeted attacks, and won’t see light of day for months or years, if ever.

    Now I know why I couldn’t find anything other than a rehash of Microsoft’s explanation. Without any notification, Microsoft has changed the entries for both CVE-2019-1214 and CVE-2019-1215 so they’re no longer listed as “Exploited.”

    At the same time we have a verified, acknowledged Search bug in the Win10 1903 patch, and there are several additional problems that haven’t yet reached critical mass.

    There’s a reason why I recommend that you hold off on updates.

    It’s not an isolated incident. This kind of thing happens every month.