• More on the unexpected manual-install-only Win10 cumulative updates and IE patch

    As Susan Bradley details (see next post), in the past few hours Microsoft released a bunch of new Win10 cumulative updates:

    In addition, there’s a single standalone patch, KB 4522007, which applies to IE in Win7, 8.1, Server 2012 and Server 2012 R2. It’s a plain-vanilla IE patch (which means it’s a rollup), arriving at a weird time. It’s NOT a Windows patch.

    Microsoft has released very little info about the security hole, identified as CVE-2019-1367, but apparently it’s been found in the wild, and it can be very nasty.

    If you don’t use Internet Explorer, you can safely ignore all of the hoopla. If you do use IE, rap yourself on the knuckles, click on those links and go diving for the update: You’ll only get it if you manually download and install it.

    At the same time, Microsoft released a notification of another security hole, CVE-2019-1255, which can conceivably be used to block Windows Defender updates. There’s no separate patch. You don’t need to worry about installing the fix, because Defender will patch itself.

    Perhaps this is why we didn’t see any Win10 cumulative updates last week – the “Week C” that usually brings at least a handful of them.