  • More on the unexpected manual-install-only Win10 cumulative updates and IE patch


    This topic contains 38 replies, has 15 voices, and was last updated by  anonymous 2 weeks, 5 days ago.

    • Author
      Posts
    • #1962616 Reply

      woody
      Da Boss

      As Susan Bradley details (see next post), in the past few hours Microsoft released a bunch of new Win10 cumulative updates: 4522016 for Win10 1903 452
      [See the full post at: More on the unexpected manual-install-only Win10 cumulative updates and IE patch]

      7 users thanked author for this post.
    • #1962623 Reply

      PKCano
      Da Boss

      KB4522007 has been added to AKB2000003 for Win7/8.1 for Group B (and whoever else needs it.)

      1 user thanked author for this post.
      • #1963172 Reply

        anonymous

        I haven’t patched my win7 machine used for streaming since installing May 2019 patches for Group B. Would installing the following in the order presented suffice? Is there anything I should skip?

        Jun 2019 KB 4503269
        Jun 2019 KB 4508772
        Jul 2019 KB 4507456 SKIP as it’s not security-only
        Aug 2019 KB 4517297
        Sep 2019 KB 4516033 SKIP as it’s not security-only
        KB 4516655 and KB 4474419
        Sep 2019 (IE11) KB 4522007

    • #1962629 Reply

      EP
      AskWoody_MVP

      As I said in Susan’s post, I’m skipping these new Win10 updates since they only deal with recent 0day issues with Internet Explorer and they will not be delivered thru Windows Update nor thru WSUS. These new patches are available in the MS Update Catalog site only [aka. Catalog Only downloads]

      2 users thanked author for this post.
    • #1962649 Reply

      DrBonzo
      AskWoody Plus

      A friendly reminder that if you do install the new IE 11 patch, that at least for Win 7 you should first install the latest SHA-2 (KB4474419) and SSU (KB4516655). That’s according to the MS support page here:

      https://support.microsoft.com/en-us/help/4522007/cumulative-security-update-for-internet-explorer

      This isn’t anything different from the September patches issued on Sept 10, so this is just a reminder.

      3 users thanked author for this post.
    • #1962686 Reply

      b
      AskWoody Plus

      A workaround appears to have been added which disables jscript.dll (but not default jscript9.dll).

      At least, I couldn’t see the workaround listed earlier in CVE-2019-1367 for the IE zero-day.

      (Chatter says the Chinese government has been actively exploiting this flaw against their minorities.)

      Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1909

      2 users thanked author for this post.
    • #1962702 Reply

      anonymous

      Mixed signals here, Win7 Pro x64. This post says no panic for the IE patch if IE isn’t used. The previous article by Susan indicates the vulnerability exists even if you don’t use IE. Grrr…

      Was in no hurry for the monthly ordeal especially as this IE patch requires two latest Servicing Stack Updates first!!!

      Group B but not doing the telemetry ones as the first of those took out my networking and required a full image and data restore from backup to get it back!

      FWIW, twice in five years this has happened, but only due to MS updates… 🙁

    • #1962711 Reply

      nazzy
      AskWoody Lounger

      “Mixed signals here, Win7 Pro x64. This post says no panic for the IE patch if IE isn’t used. The previous article by Susan indicates the vulnerability exists even if you don’t use IE. ”

      I was wondering the exact same thing. So is it safe to ignore this IE patch, or not?

      • #1963111 Reply

        woody
        Da Boss

        Microsoft has been characteristically (and perhaps justifiably) silent on the subject.

        At this point, all we know is that the patch is only available by manual download – and, to me, that means there’s no pressing need to install it now. The only info we have at this point describes an infection vector solely reliant on IE.

        Let’s see if we find out any more today.

        1 user thanked author for this post.
        • #1963176 Reply

          geekdom
          AskWoody Plus

          Microsoft has been characteristically (and perhaps justifiably) silent on the subject.

          I think the problem is more potent than current explanations indicate.

          Group G{ot backup} TestBeta
          Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
          1 user thanked author for this post.
    • #1962716 Reply

      anonymous

      ? says:

      so, does the Known Issue in this Security Update VBscript “Mitigation” preclude joining the lemmings at the cliff?

      https://support.microsoft.com/en-us/help/4522007/cumulative-security-update-for-internet-explorer

      • #1962725 Reply

        b
        AskWoody Plus

        It’s a quick check after patching to confirm whether VBscript is still disabled by default as recommended (or not).

        I don’t see why that would affect anyone’s decision whether or not to install the IE jscript zero-day fix:

        An update on disabling VBScript in Internet Explorer 11

        Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1909

        1 user thanked author for this post.
    • #1962745 Reply

      Mr. Natural
      AskWoody Plus

      Unfortunately we still have some that use IE. I foresee a group policy change soon. We will likely force everyone over to Chrome. I know some of you shudder the thought but there is an .admx group policy file for Chrome. We have applied it in AD. You can manage just about any aspect of Chrome if you have the time to do so. 🙂

      Red Ruffnsore reporting from the front lines.

    • #1962741 Reply

      anonymous

      ? says:

      right, i installed the August IE rollup KB4511872. i have always set the Internet>Security> to Medium High. so what am i missing?

    • #1962778 Reply

      Geo
      AskWoody Plus

      Win 7×64, MSE, I use IE for windows updates. Normally my MSE updates itself or if I click update. This time it showed up in WU tonight instead of MSE. I downloaded it. Seemed strange. Might not have to do with the above.

    • #1962780 Reply

      Geo
      AskWoody Plus

      The above was a failed update from earlier in the day for some reason. Just ignore.

      1 user thanked author for this post.
    • #1962963 Reply

      abbodi86
      AskWoody_MVP

      It’s not the first time we get oob catalog-only updates, even Win10 CUs 🙂

      v1903 already got release preview update
      Cumulative Update for Windows 10 Version 1903 – KB4517211 (18362.385)

      v1909 got it too, but it’s the same build anyway 😀

      • This reply was modified 2 weeks, 6 days ago by  abbodi86.
      1 user thanked author for this post.
      • #1962966 Reply

        EP
        AskWoody_MVP

        unlike the KB4522016 update, the upcoming KB4517211 update should be available not only thru MS Update Catalog but also through windows update & WSUS as well – that one may be publicly released either by the end of this week or on Mon 9/30

        • This reply was modified 2 weeks, 6 days ago by  EP.
      • #1962971 Reply

        anonymous

        ? says:

        abbodi86, does KB4522007 double check that the settings in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and 4\140C DWORD values are set to URL_Policy Disallow 0x03? Zone 3 being Internet, and Zone 4 being Restricted Site Zone…

        • #1963007 Reply

          abbodi86
          AskWoody_MVP

          I don’t really know

          but it would not be different from any other IE cumulative

    • #1963059 Reply

      anonymous
    • #1963136 Reply

      ChrisAVWood
      AskWoody Plus

      It should be available to seekers today as well as WSUS

    • #1963137 Reply

      anonymous

      I see an update for 1511 the original version, what about machines on version 1607? (I know I really need to move onto a newer supported version…) Does it mean there’s nothing to be installed or should I try my luck at installing the one for version 1511?

      • #1963175 Reply

        abbodi86
        AskWoody_MVP

        4522009 is actually for 1507 (Enterprise 2015 LTSB)

        4522010 for Win10 1607 and Server 2016

        • #1963177 Reply

          anonymous

          Thanks! I will install 4522010 tonight!

        • #1963800 Reply

          anonymous

          Downloaded both x64 and x86 versions of 1607, but was not able to install…it tells me that the update is not for my computer. Guess I have to finally move to a supported version of win10

    • #1963188 Reply

      Microfix
      Da Boss

      As per Bleeping Computer article

      Rather than downloading the patch, surely the MSFT workaround to mitigate the vuln seems a quicker way..IMO

      For 32-bit systems, enter the following command at an administrative command prompt:

      takeown /f %windir%\system32\jscript.dll
      cacls %windir%\system32\jscript.dll /E /P everyone:N

      For 64-bit systems, enter the following command at an administrative command prompt:

      takeown /f %windir%\syswow64\jscript.dll
      cacls %windir%\syswow64\jscript.dll /E /P everyone:N
      takeown /f %windir%\system32\jscript.dll
      cacls %windir%\system32\jscript.dll /E /P everyone:N

      just curious..

      ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

      1 user thanked author for this post.
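
A read-only way to confirm whether the ACL workaround quoted in the post above is actually in place on a machine. This is an added example, not part of the original post or of Microsoft's guidance; the function name `Get-JScriptWorkaroundState` is hypothetical, and it assumes the `cacls ... everyone:N` setting shows up as a Deny entry for Everyone in the file's ACL.

```powershell
# Added example: report the state of the jscript.dll workaround without changing anything.
# Run from a 64-bit PowerShell prompt; a 32-bit process has system32 redirected to syswow64.
# Written to work on the PowerShell 2.0 that ships with Windows 7.
function Get-JScriptWorkaroundState {
    param(
        # Paths taken from the commands in the post; syswow64 exists only on 64-bit Windows.
        [string[]]$Path = @(
            "$env:windir\system32\jscript.dll",
            "$env:windir\syswow64\jscript.dll"
        )
    )
    $everyoneSid = 'S-1-1-0'   # well-known SID for Everyone, independent of UI language
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($p in $Path) {
        $owner = $null; $denied = $null; $state = 'NotPresent'
        if (Test-Path -Path $p) {
            try {
                $acl = Get-Acl -Path $p -ErrorAction Stop
                # takeown changes the owner, so a non-default owner is itself a sign
                # that the first half of the workaround was run.
                $owner = $acl.Owner
                # Express every ACE as a SID, then keep only Deny ACEs naming Everyone.
                $deny = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
                    $_.AccessControlType -eq 'Deny' -and
                    $_.IdentityReference.Value -eq $everyoneSid
                })
                if ($deny.Count -gt 0) {
                    $denied = ($deny | ForEach-Object { $_.FileSystemRights }) -join '; '
                    $state = 'DenyForEveryone'
                } else {
                    $state = 'NoDenyForEveryone'
                }
            } catch {
                # A deny-all entry can also stop non-owners from reading the ACL at all.
                $state = 'AclUnreadable'
            }
        }
        New-Object PSObject -Property @{
            Path = $p; State = $state; Owner = $owner; DeniedRights = $denied
        } | Select-Object Path, State, Owner, DeniedRights
    }
}

Get-JScriptWorkaroundState | Format-List
```

On a 64-bit system both rows should agree; one path showing `DenyForEveryone` and the other `NoDenyForEveryone` means only half of the 64-bit command set was run.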
      • #1963208 Reply

        geekdom
        AskWoody Plus

        Rather than downloading the patch, surely the MSFT workaround to mitigate the vuln seems a quicker way..IMO

        Hence, why Microsoft’s haste to issue a patch immediately?

        Group G{ot backup} TestBeta
        Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
        1 user thanked author for this post.
      • #1965137 Reply

        anonymous

        Microfix said:
        As per Bleeping Computer article

        According to the same Bleeping Computer article:

        CVE-2019-1367 can be exploited by potential attackers by redirecting their targets to a maliciously crafted website which would trigger a remote code execution attack if the victim uses a vulnerable version of Internet Explorer (i.e., 9, 10, and 11)

        So only JScript.dll v9.0 (used by IE 9.0) & newer versions are vulnerable ? And IE 8.0 (with JScript.dll v5.8.x) is not vulnerable ?

        Also, Microsoft .NET Framework uses the .NET implementation of JScript. There are several instances of Microsoft.JScript.dll on my Win 7 PC, which has .NET 2.0 & .NET 4.x.

        Must these Microsoft.JScript.dll be disarmed as well using the takeown & cacls commands ?

    • #1963251 Reply

      jhvance
      AskWoody Lounger

      The Win10 flavors are really large files that take a while to download, and then a long time to install, seems to be rebuilding the app from its kernel, perhaps. The Win7 version isn’t so large, but still takes a while to install.

    • #1963311 Reply

      Geo
      AskWoody Plus

      Group A, Win7X64, home premium, AMD. Took the 007 IE patch. No problems.

      • This reply was modified 2 weeks, 6 days ago by  Geo.
    • #1963359 Reply

      geekdom
      AskWoody Plus

      Windows 7 x64-systems

      Two optional previews just showed in the Windows Update Queue

      — 2019-09 Preview of Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1,4.7.2, 4.8 for Windows 7 and Server 2008 R2 for x64 (KB4516551)
      https://support.microsoft.com/en-us/help/4516551/sep-19-2019-kb4516551

      — 2019-09 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4516048)
      https://support.microsoft.com/en-us/help/4516048/windows-7-update-kb4516048

      Group G{ot backup} TestBeta
      Win7Pro · x64 · SP1 · i3-3220 · RAM 8GB · Firefox: uBlock Origin - NoScript · HDD · Canon Printer · Microsoft Security Essentials · Windows: Backup - System Image - Rescue Disk - Firewall
      • This reply was modified 2 weeks, 6 days ago by  geekdom.
    • #1963682 Reply

      mpw
      AskWoody Lounger

      Windows 7 sp1 64bit

      Windows Update 09/24/2019

      Important

      KB4474419 was offered even though I already had it installed. It installed again and now has today’s date as its installation date.

      KB4516065 was offered and installed; no apparent problems.

      Two .NET Framework updates are offered. KB4514602 is checked. KB4503548 is not checked. I did not install either one today.

      Optional

      A Monthly Quality Rollup KB4516048 and a .NET Framework KB4516551. Neither one is checked and I did not install.

      There are a lot of KB numbers flying around this place. Many I have never seen in my Windows Update. Seems like Windows 10 and Windows 7 updates are all mixed together here.

      Microsoft recommends that “Servicing stack update (SSU) (KB 4516655) or a later SSU update” be installed before the IE11 patch. I have not been offered KB4516655 and do not find it in my installed updates.

      Does anyone here know anything about KB4516655? It is supposed to be necessary before installing KB4522007, which I think is the IE11 patch.

      • #1963719 Reply

        PKCano
        Da Boss

        KB4516655 is a Servicing Stack Update, which has to be installed exclusively (by itself). It will not show up in the Important Update queue in Windows Update if there are any other pending (checked or unchecked) updates.
        If you install the updates you want to install, and hide any remaining ones, the SSU will appear. Or you can download it from the MS Catalog and manually install it.

        KB4474419 and KB4516655 are required to install KB4522007

        2 users thanked author for this post.
        • #1964445 Reply

          mpw
          AskWoody Lounger

          Thank you. Worked just as you said.
