  • More on the unexpected manual-install-only Win10 cumulative updates and IE patch

      • #1962616 Reply
        woody
        Da Boss

        As Susan Bradley details (see next post), in the past few hours Microsoft released a bunch of new Win10 cumulative updates: 4522016 for Win10 1903 452
        [See the full post at: More on the unexpected manual-install-only Win10 cumulative updates and IE patch]

        7 users thanked author for this post.
      • #1962623 Reply
        PKCano
        Da Boss

        KB4522007 has been added to AKB2000003 for Win7/8.1 for Group B (and whoever else needs it.)

        1 user thanked author for this post.
        • #1963172 Reply
          anonymous
          Guest

          I haven’t patched my win7 machine used for streaming since installing May 2019 patches for Group B. Would installing the following in the order presented suffice? Is there anything I should skip?

          Jun 2019 KB 4503269
          Jun 2019 KB 4508772
          Jul 2019 KB 4507456 SKIP as it’s not security-only
          Aug 2019 KB 4517297
          Sep 2019 KB 4516033 SKIP as it’s not security-only
          KB 4516655 and KB 4474419
          Sep 2019 (IE11) KB 4522007

      • #1962629 Reply
        EP
        AskWoody_MVP

        As I said in Susan’s post, I’m skipping these new Win10 updates since they only deal with recent 0day issues with Internet Explorer and they will not be delivered thru Windows Update nor thru WSUS. These new patches are available in the MS Update Catalog site only [aka. Catalog Only downloads]

        2 users thanked author for this post.
      • #1962649 Reply
        DrBonzo
        AskWoody Plus

        A friendly reminder that if you do install the new IE 11 patch, that at least for Win 7 you should first install the latest SHA-2 (KB4474419) and SSU (KB4516655). That’s according to the MS support page here:

        https://support.microsoft.com/en-us/help/4522007/cumulative-security-update-for-internet-explorer

        This isn’t anything different from the September patches issued on Sept 10, so this is just a reminder.

        3 users thanked author for this post.
      • #1962686 Reply
        b
        AskWoody Plus

        A workaround appears to have been added which disables jscript.dll (but not default jscript9.dll).

        At least, I couldn’t see the workaround listed earlier in CVE-2019-1367 for the IE zero-day.

        (Chatter says the Chinese government has been actively exploiting this flaw against their minorities.)

        2 users thanked author for this post.
      • #1962702 Reply
        anonymous
        Guest

        Mixed signals here, Win7 Pro x64. This post says no panic for the IE patch if IE isn’t used. The previous article by Susan indicates the vulnerability exists even if you don’t use IE. Grrr…

        Was in no hurry for the monthly ordeal especially as this IE patch requires two latest Servicing Stack Updates first!!!

        Group B but not doing the telemetry ones as the first of those took out my networking and required a full image and data restore from backup to get it back!

        FWIW, twice in five years this has happened, but only due to MS updates… 🙁

      • #1962711 Reply
        nazzy
        AskWoody Lounger

        “Mixed signals here, Win7 Pro x64. This post says no panic for the IE patch if IE isn’t used. The previous article by Susan indicates the vulnerability exists even if you don’t use IE. ”

        I was wondering the exact same thing.  So is it safe to ignore this IE patch, or not?

        • #1963111 Reply
          woody
          Da Boss

          Microsoft has been characteristically (and perhaps justifiably) silent on the subject.

          At this point, all we know is that the patch is only available by manual download – and, to me, that means there’s no pressing need to install it now. The only info we have at this point describes an infection vector solely reliant on IE.

          Let’s see if we find out any more today.

          1 user thanked author for this post.
          • #1963176 Reply
            geekdom
            AskWoody Plus

            “Microsoft has been characteristically (and perhaps justifiably) silent on the subject.”

            I think the problem is more potent than current explanations indicate.

            G{ot backup} TestBeta
            offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 Windows{Image/Defender/Firewall}
            online▸ Win10Pro 1909.18363.1016 x64 i5-9400 RAM16GB HDD Firefox80.0b7 Windows{Image/Defender/Firewall}
            1 user thanked author for this post.
      • #1962716 Reply
        anonymous
        Guest

        ? says:

        so, does the Known Issue in this Security Update VBscript “Mitigation” preclude joining the lemmings at the cliff?

        https://support.microsoft.com/en-us/help/4522007/cumulative-security-update-for-internet-explorer

        • #1962725 Reply
          b
          AskWoody Plus

          It’s a quick check after patching to confirm whether VBscript is still disabled by default as recommended (or not).

          I don’t see why that would affect anyone’s decision whether or not to install the IE jscript zero-day fix:

          An update on disabling VBScript in Internet Explorer 11

          1 user thanked author for this post.
      • #1962745 Reply
        Mr. Natural
        AskWoody Plus

        Unfortunately we still have some that use IE. I foresee a group policy change soon. We will likely force everyone over to Chrome. I know some of you shudder at the thought but there is an .admx group policy file for Chrome. We have applied it in AD. You can manage just about any aspect of Chrome if you have the time to do so.  🙂

        Red Ruffnsore reporting from the front lines.

      • #1962741 Reply
        anonymous
        Guest

        ? says:

        right, i installed the August IE rollup KB4511872. i have always set the Internet>Security> to Medium High. so what am i missing?

      • #1962778 Reply
        Geo
        AskWoody Lounger

        Win 7 x64, MSE, I use IE for windows updates.  Normally my MSE updates itself or if I click update.  This time it showed up in WU tonight instead of MSE.  I downloaded it.  Seemed strange.  Might not have to do with the above.

      • #1962780 Reply
        Geo
        AskWoody Lounger

        The above was a failed update from earlier in the day for some reason.  Just ignore.

        1 user thanked author for this post.
      • #1962963 Reply
        abbodi86
        AskWoody_MVP

        It’s not the first time we get oob catalog-only updates, even Win10 CUs 🙂

        v1903 already got release preview update
        Cumulative Update for Windows 10 Version 1903 – KB4517211 (18362.385)

        v1909 got it too, but it’s the same build anyway 😀

        • This reply was modified 10 months, 3 weeks ago by abbodi86.
        1 user thanked author for this post.
        • #1962966 Reply
          EP
          AskWoody_MVP

          unlike the KB4522016 update, the upcoming KB4517211 update should be available not only thru MS Update Catalog but also through windows update & WSUS as well – that one may be publicly released either by the end of this week or on Mon 9/30

          • This reply was modified 10 months, 3 weeks ago by EP.
        • #1962971 Reply
          anonymous
          Guest

          ? says:

          abbodi86, does KB4522007 double check that the settings in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and 4\140C  DWORD values are set to URL_Policy Disallow 0x03? Zone 3 being Internet, and Zone 4 being Restricted Site Zone…

          • #1963007 Reply
            abbodi86
            AskWoody_MVP

            I don’t really know

            but it would not be different from any other IE cumulative
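
Added example (not part of the thread): a read-only PowerShell check of the 140C value the question above refers to, for zones 3 and 4. The HKLM path and the expected 0x03 come from that post; reading the same key under HKCU is an addition here, since IE normally applies per-user zone settings, and `Get-Zone140C` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Read-only: nothing is changed.
# Path and expected value (0x03 = Disallow) are the ones quoted in the question;
# checking HKCU too is an addition, because zone settings are normally per user.
$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones  = @{ 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-Zone140C {   # hypothetical helper name
    param([string]$Hive, [int]$Zone)

    $key  = '{0}:\{1}\{2}' -f $Hive, $subKey, $Zone
    $item = Get-ItemProperty -Path $key -Name '140C' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Key or value missing in this hive: no explicit setting to report.
        $shown = '(not set)'
        $state = 'no explicit value in this hive'
    } else {
        $value = [int]$item.'140C'
        $shown = '0x{0:X2}' -f $value
        if ($value -eq 3) { $state = 'Disallow' } else { $state = 'NOT set to Disallow' }
    }
    New-Object psobject -Property @{
        Hive  = $Hive
        Zone  = "$Zone ($($zones[$Zone]))"
        Value = $shown
        State = $state
    }
}

$rows = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($zone in 3, 4) { Get-Zone140C -Hive $hive -Zone $zone }
}
$rows | Format-Table Hive, Zone, Value, State -AutoSize
```
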

      • #1963059 Reply
        anonymous
        Guest
      • #1963136 Reply
        ChrisAVWood
        AskWoody Plus

        It should be available to seekers today as well as WSUS

      • #1963137 Reply
        anonymous
        Guest

        I see an update for 1511 the original version, what about machines on version 1607? (I know I really need to move onto a newer supported version…) Does it mean there’s nothing to be installed or should I try my luck at installing the one for version 1511?

        • #1963175 Reply
          abbodi86
          AskWoody_MVP

          4522009 is actually for 1507 (Enterprise 2015 LTSB)

          4522010 for Win10 1607 and Server 2016

          • #1963177 Reply
            anonymous
            Guest

            Thanks! I will install 4522010 tonight!

          • #1963800 Reply
            anonymous
            Guest

            Downloaded both x64 and x86 versions of 1607, but was not able to install…it tells me that the update is not for my computer. Guess I have to finally move to a supported version of win10

      • #1963188 Reply
        Microfix
        AskWoody MVP

        As per Bleeping Computer article

        Rather than downloading the patch, surely the MSFT workaround to mitigate the vuln seems a quicker way..IMO

        For 32-bit systems, enter the following command at an administrative command prompt:

        takeown /f %windir%\system32\jscript.dll
        cacls %windir%\system32\jscript.dll /E /P everyone:N

        For 64-bit systems, enter the following command at an administrative command prompt:

        takeown /f %windir%\syswow64\jscript.dll
        cacls %windir%\syswow64\jscript.dll /E /P everyone:N
        takeown /f %windir%\system32\jscript.dll
        cacls %windir%\system32\jscript.dll /E /P everyone:N

        just curious..

        No problem can be solved from the same level of consciousness that created IT -AE
        1 user thanked author for this post.
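
Added example (not part of the thread or of Microsoft's guidance): a PowerShell check that reports whether the jscript.dll workaround quoted above is in place on a machine. It assumes the `everyone:N` step shows up as a Deny entry for the Everyone group (SID S-1-1-0); `Test-JscriptWorkaround` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Run from an elevated 64-bit PowerShell:
# a 32-bit host has system32 redirected to syswow64 and would check one file twice.
# Assumption: "cacls ... /E /P everyone:N" leaves a Deny ACE for Everyone (S-1-1-0).
$paths = @(
    (Join-Path $env:windir 'system32\jscript.dll'),
    (Join-Path $env:windir 'syswow64\jscript.dll')   # only on 64-bit Windows
)

function Test-JscriptWorkaround {   # hypothetical helper name
    param([string]$Path)

    $result = @{ Path = $Path; Owner = ''; State = '' }
    if (-not (Test-Path -Path $Path)) {
        $result.State = 'file not present'
        return New-Object psobject -Property $result
    }
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        # Once access is denied, a non-owner may not be able to read the ACL.
        $result.State = 'ACL unreadable: ' + $_.Exception.Message
        return New-Object psobject -Property $result
    }
    # Resolve identities to SIDs so the test does not depend on the
    # localized display name of the Everyone group.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $deny = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'S-1-1-0'
    })
    $result.Owner = $acl.Owner
    if ($deny.Count -gt 0) {
        $result.State = 'workaround applied (Deny for Everyone)'
    } else {
        $result.State = 'no Deny entry for Everyone'
    }
    New-Object psobject -Property $result
}

$paths | ForEach-Object { Test-JscriptWorkaround -Path $_ } |
    Format-Table Path, State, Owner -AutoSize
```
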
        • #1963208 Reply
          geekdom
          AskWoody Plus

          “Rather than downloading the patch, surely the MSFT workaround to mitigate the vuln seems a quicker way..IMO”

          Hence, why Microsoft’s haste to issue a patch immediately?

          G{ot backup} TestBeta
          offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 Windows{Image/Defender/Firewall}
          online▸ Win10Pro 1909.18363.1016 x64 i5-9400 RAM16GB HDD Firefox80.0b7 Windows{Image/Defender/Firewall}
          1 user thanked author for this post.
        • #1965137 Reply
          anonymous
          Guest

          Microfix said:
          As per Bleeping Computer article

          According to the same Bleeping Computer article:

          CVE-2019-1367 can be exploited by potential attackers by redirecting their targets to a maliciously crafted website which would trigger a remote code execution attack if the victim uses a vulnerable version of Internet Explorer (i.e., 9, 10, and 11)

          So only JScript.dll v9.0 (used by IE 9.0) & newer versions are vulnerable ? And IE 8.0 (with JScript.dll v5.8.x) is not vulnerable ?

          Also, Microsoft .NET Framework uses the .NET implementation of JScript. There are several instances of Microsoft.JScript.dll on my Win 7 PC, which has .NET 2.0 & .NET 4.x.

          Must these Microsoft.JScript.dll be disarmed as well using the takeown & cacls commands ?

      • #1963251 Reply
        jhvance
        AskWoody Lounger

        The Win10 flavors are really large files that take awhile to download, and then a long time to install — seems to be rebuilding the app from its kernel, perhaps.  The Win7 version isn’t so large, but still takes awhile to install.

      • #1963311 Reply
        Geo
        AskWoody Lounger

        Group A, Win7X64,  home premium, AMD.  Took the 007 IE patch.  No problems.

        • This reply was modified 10 months, 3 weeks ago by Geo.
      • #1963359 Reply
        geekdom
        AskWoody Plus

        Windows 7 x64-systems

        Two optional previews just showed in the Windows Update Queue

        — 2019-09 Preview of Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1,4.7.2, 4.8 for Windows 7 and Server 2008 R2 for x64 (KB4516551)
        https://support.microsoft.com/en-us/help/4516551/sep-19-2019-kb4516551

        — 2019-09 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4516048)
        https://support.microsoft.com/en-us/help/4516048/windows-7-update-kb4516048

        G{ot backup} TestBeta
        offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 Windows{Image/Defender/Firewall}
        online▸ Win10Pro 1909.18363.1016 x64 i5-9400 RAM16GB HDD Firefox80.0b7 Windows{Image/Defender/Firewall}
        • This reply was modified 10 months, 3 weeks ago by geekdom.
      • #1963682 Reply
        mpw
        AskWoody Plus

        Windows 7 sp1 64bit

        Windows Update 09/24/2019

        Important

        KB4474419 was offered even though I already had it installed.  It installed again and now has today’s date as its installation date.

        KB4516065 was offered and installed; no apparent problems.

        Two .NET Framework updates are offered.  KB4514602 is checked.  KB4503548 is not checked.  I did not install either one today.

        Optional

        A Monthly Quality Rollup KB4516048 and a .NET Framework KB4516551.  Neither one is checked and I did not install.

        There are a lot of KB numbers flying around this place.  Many I have never seen in my Windows Update.  Seems like Windows 10 and Windows 7 updates are all mixed together here.

        Microsoft recommends that “Servicing stack update (SSU) (KB 4516655) or a later SSU update” be installed before the IE11 patch.  I have not been offered KB4516655 and do not find it in my installed updates.

        Does anyone here know anything about KB4516655?  It is supposed to be necessary before installing  KB4522007, which I think is the IE11 patch.

        HP Pavilion Desktop TP01-0050 – 64 bit
        Windows10 Home v1909 – Build 18363.959
        Windows Defender and Windows Firewall
        Microsoft Office Home and Business 2019
        -Version 2007(Build 13029.20308 C2R)

        • #1963719 Reply
          PKCano
          Da Boss

          KB4516655 is a Servicing Stack Update, which has to be installed exclusively (by itself). It will not show up in the Important Update queue in Windows Update if there are any other pending (checked or unchecked) updates.
          If you install the updates you want to install, and hide any remaining ones, the SSU will appear. Or you can download it from the MS Catalog and manually install it.

          KB4474419 and KB4516655 are required to install KB4522007

          2 users thanked author for this post.
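
Added example (not part of the thread): a PowerShell check of the Windows 7 install order described above, using only the KB numbers named in this thread. `Get-IEPatchNextStep` is a hypothetical helper name, and `Get-HotFix` reports only what Windows records as installed hotfixes.

```powershell
# Added example, not from the thread. KB numbers are the ones named above.
$prereqs = @('KB4474419', 'KB4516655')   # SHA-2 support, servicing stack update
$iePatch = 'KB4522007'

function Get-IEPatchNextStep {   # hypothetical helper name
    param([string[]]$Installed)

    if ($Installed -contains $iePatch) {
        return "$iePatch is already installed."
    }
    $missing = @($prereqs | Where-Object { $Installed -notcontains $_ })
    if ($missing.Count -eq 0) {
        return "Prerequisites present; $iePatch can be installed."
    }
    # The SSU has to be installed by itself, so flag it as its own step.
    $steps = $missing | ForEach-Object {
        if ($_ -eq 'KB4516655') { "$_ (on its own, nothing else pending)" } else { $_ }
    }
    'Install first: ' + ($steps -join ' and ') + "; then $iePatch."
}

$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
Get-IEPatchNextStep -Installed $installed
```
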
          • #1964445 Reply
            mpw
            AskWoody Plus

            Thank you.  Worked just as you said.

            HP Pavilion Desktop TP01-0050 – 64 bit
            Windows10 Home v1909 – Build 18363.959
            Windows Defender and Windows Firewall
            Microsoft Office Home and Business 2019
            -Version 2007(Build 13029.20308 C2R)
