More on the unexpected manual-install-only Win10 cumulative updates and IE patch

Topic

New Reply

As Susan Bradley details (see next post), in the past few hours Microsoft released a bunch of new Win10 cumulative updates: 4522016 for Win10 1903 452
[See the full post at: More on the unexpected manual-install-only Win10 cumulative updates and IE patch]

7 users thanked author for this post.

geekdom, abbodi86, Fred, Mr. Natural, AJNorth, jburk07, Microfix

Reply | Quote

Replies

KB4522007 has been added to AKB2000003 for Win7/8.1 for Group B (and whoever else needs it.)

1 user thanked author for this post.

woody

Reply | Quote

I haven’t patched my win7 machine used for streaming since installing May 2019 patches for Group B. Would installing the following in the order presented be suffice? Is there anything I should skip?

Jun 2019 KB 4503269
Jun 2019 KB 4508772
Jul 2019 KB 4507456 SKIP as it’s not security-only
Aug 2019 KB 4517297
Sep 2019 KB 4516033 SKIP as it’s not security-only
KB 4516655 and KB 4474419
Sep 2019 (IE11) KB 4522007

Reply | Quote

See AKB2000003 for direct Catalog downloads and notes.

Reply | Quote

As I said in Susan’s post, I’m skipping these new Win10 updates since they only deal with recent 0day issues with Internet Explorer and they will not be delivered thru Windows Update nor thru WSUS. These new patches are available in the MS Update Catalog site only [aka. Catalog Only downloads]

2 users thanked author for this post.

AJNorth, woody

Reply | Quote

A friendly reminder that if you do install the new IE 11 patch, that at least for Win 7 you should first install the latest SHA-2 (KB4474419) and SSU (KB4516655). That’s according to the MS support page here:

https://support.microsoft.com/en-us/help/4522007/cumulative-security-update-for-internet-explorer

This isn’t anything different from the September patches issued on Sept 10, so this is just a reminder.

3 users thanked author for this post.

jhvance, woody, jburk07

Reply | Quote

A workaround appears to have been added which disables jscript.dll (but not default jscript9.dll).

At least, I couldn’t see the workaround listed earlier in CVE-2019-1367 for the IE zero-day.

(Chatter says the Chinese government has been actively exploiting this flaw against their minorities.)

2 users thanked author for this post.

rc primak, woody

Reply | Quote

Mixed signals here, Win7 Pro x64. This post says no panic for the IE patch if IE isn’t used. The previous article by Susan indicates the vulnerability exists even if you don’t use IE. Grrr…

Was in no hurry for the monthly ordeal especially as this IE patch requires two latest Servicing Stack Updates first!!!

Group B but not doing the telemetry ones as the first of those took out my networking and required a full image and data restore from backup to get it back!

FWIW, twice in five years this has happened, but only due to MS updates…

Reply | Quote

“Mixed signals here, Win7 Pro x64. This post says no panic for the IE patch if IE isn’t used. The previous article by Susan indicates the vulnerability exists even if you don’t use IE. ”

I was wondering the exact same thing.  So is it safe to ignore this IE patch, or not?

 

 

 

Reply | Quote

Microsoft has been characteristically (and perhaps justifiably) silent on the subject.

At this point, all we know is that the patch is only available by manual download – and, to me, that means there’s no pressing need to install it now. The only info we have at this point describes an infection vector solely reliant on IE.

Let’s see if we find out any more today.

1 user thanked author for this post.

rc primak

Reply | Quote

woody wrote:

Microsoft has been characteristically (and perhaps justifiably) silent on the subject.

I think the problem is more potent than current explanations indicate.

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

1 user thanked author for this post.

rc primak

Reply | Quote

? says:

so, does the Known Issue in this Security Update VBscript “Mitigation” preclude joining the lemmings at the cliff?

https://support.microsoft.com/en-us/help/4522007/cumulative-security-update-for-internet-explorer

Reply | Quote

It’s a quick check after patching to confirm whether VBscript is still disabled by default as recommended (or not).

I don’t see why that would affect anyone’s decision whether or not to install the IE jscript zero-day fix:

An update on disabling VBScript in Internet Explorer 11

1 user thanked author for this post.

rc primak

Reply | Quote

Unfortunately we still have some that use IE. I foresee a group policy change soon. We will likely force everyone over to Chrome. I know some of you shudder the thought but there is an .admx group policy file for Chrome. We have applied it in AD. You can manage just about any aspect of Chrome if you have the time to do so. 

Red Ruffnsore

Reply | Quote

? says:

right, i installed the August IE rollup KB4511872. i have always set the Internet>Security> to Medium High. so what am i missing?

Reply | Quote

Win 7×64,  MSE , I use IE for windows updates.  Normally my MSE updates itself or if I click update.  This time  it showed up in WU tonight instead of MSE.  I down loaded it . Seemed strange.  Might not have to do with the above.

Reply | Quote

The above was a failed update from earlier in the day for some reason.  Just ignore .

1 user thanked author for this post.

woody

Reply | Quote

[abbodi86]

It’s not the first time we get oob catalog-only updates, even Win10 CUs

v1903 already got release preview update
Cumulative Update for Windows 10 Version 1903 – KB4517211 (18362.385)

v1909 got it too, but it’s the same build anyway

• This reply was modified 5 years, 8 months ago by abbodi86.

1 user thanked author for this post.

woody

Reply | Quote

[EP]

unlike the KB4522016 update, the upcoming KB4517211 update should be available not only thru MS Update Catalog but also through windows update & WSUS as well – that one may be publicly released either by the end of this week or on Mon 9/30

• This reply was modified 5 years, 8 months ago by EP.

Reply | Quote

They could release it on Tuesday 10/01 and still label it 2019-09 update

1 user thanked author for this post.

geekdom

Reply | Quote

Heck, they could release it on New Year’s Eve and still call it a September update.

Reply | Quote

https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/known-issues

The following known issue will be resolved by installing the KB4517211 update, due to be released in late September 2019.

1 user thanked author for this post.

rc primak

Reply | Quote

? says:

abbodi86, does KB4522007 double check that the settings in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 and 4\140C  DWORD values are set to URL_Policy Diasllow 0x03? Zone 3 being Internet, and Zone 4 being Restricted Site Zone…

Reply | Quote

I don’t really know

but it would not be different from any other IE cumulative

Reply | Quote

? says:
more on the patch(es):
https://borncity.com/win/2019/09/24/windows-schwachstellen-in-ie-und-defender-23-9-2019/
and
https://www.ghacks.net/2019/09/24/microsoft-releases-emergency-internet-explorer-security-update/

2 users thanked author for this post.

rc primak, woody

Reply | Quote

It should be available to seekers today as well as WSUS

Reply | Quote

I see an update for 1511 the original version, what about machines on version 1607? (I know I really need to move onto a newer supported version…) Does it mean there’s nothing to be installed or should I try my luck at installing the one for version 1511?

Reply | Quote

4522009 is actually for 1507 (Enterprise 2015 LTSB)

4522010 for Win10 1607 and Server 2016

Reply | Quote

Thanks! I will install 4522010 tonight!

Reply | Quote

Downloaded both x64 and x86 versions of 1607, but was not able to install…it tells me that the update is not for my computer. Guess I have to finally move to a supported version of win10

Reply | Quote

As per Bleeping Computer article

Rather than downloading the patch, surely the MSFT workaround to mitigate the vuln seems a quicker way..IMO

For 32-bit systems, enter the following command at an administrative command prompt:

takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

For 64-bit systems, enter the following command at an administrative command prompt:

takeown /f %windir%\syswow64\jscript.dll
cacls %windir%\syswow64\jscript.dll /E /P everyone:N
takeown /f %windir%\system32\jscript.dll
cacls %windir%\system32\jscript.dll /E /P everyone:N

just curious..

Windows - commercial by definition and now function...

1 user thanked author for this post.

jburk07

Reply | Quote

Microfix wrote:

Rather than downloading the patch, surely the MSFT workaround to mitigate the vuln seems a quicker way..IMO

Hence, why Microsoft’s haste to issue a patch immediately?

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

1 user thanked author for this post.

rc primak

Reply | Quote

Microfix said:
As per Bleeping Computer article

According to the same Bleeping Computer article:

CVE-2019-1367 can be exploited by potential attackers by redirecting their targets to a maliciously crafted website which would trigger a remote code execution attack if the victim uses a vulnerable version of Internet Explorer (i.e., 9, 10, and 11)

So only JScript.dll v9.0 (used by IE 9.0) & newer versions are vulnerable ? And IE 8.0 (with JScript.dll v5.8.x) is not vulnerable ?

Also, Microsoft .NET Framework uses the .NET implementation of JScript. There are several instances of Microsoft.JScript.dll on my Win 7 PC, which has .NET 2.0 & .NET 4.x.

Must these Microsoft.JScript.dll be disarmed as well using the takeown & cacls commands ?

Reply | Quote

The Win10 flavors are really large files that take awhile to download, and then a long time to install — seems to be rebuilding the app from its kernel, perhaps.  The Win7 version isn’t so large, but still takes awhile to install.

Reply | Quote

[Geo]

Group A, Win7X64,  home premium, AMD.  Took the 007 IE patch.  No problems.

• This reply was modified 5 years, 8 months ago by Geo.
• This reply was modified 5 years, 8 months ago by Geo.

Reply | Quote

[geekdom]

Windows 7 x64-systems

Two optional previews just showed in the Windows Update Queue

— 2019-09 Preview of Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1,4.7.2, 4.8 for Windows 7 and Server 2008 R2 for x64 (KB4516551)
https://support.microsoft.com/en-us/help/4516551/sep-19-2019-kb4516551

— 2019-09 Preview of Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4516048)
https://support.microsoft.com/en-us/help/4516048/windows-7-update-kb4516048

On permanent hiatus {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender

• This reply was modified 5 years, 8 months ago by geekdom.

Reply | Quote

Windows 7 sp1 64bit

Windows Update 09/24/2019

Important

KB4474419 was offered even though I already had it installed.  It installed again and now has today’s date as its installation date.

KB4516065 was offered and installed; no apparent problems.

Two .NET Framework updates are offered.  KB4514602 is checked.  KB4503548 is not checked.  I did not install either one today.

Optional

A Monthly Quality Rollup KB4516048 and a .NET Framework KB4516551.  Neither one is checked and I did not install.

There are a lot of KB numbers flying around this place.  Many I have never seen in my Windows Update.  Seems like Windows 10 and Windows 7 updates are all mixed together here.

Microsoft recommends that “Servicing stack update (SSU) (KB 4516655) or a later SSU update” be installed before the IE11 patch.  I have not been offered KB4516655 and do not find it in my installed updates.

Does anyone here know anything about KB4516655?  It is supposed to be necessary before installing  KB4522007, which I think is the IE11 patch.

HP Pavilion Desktop TP01-0050 – 64 bit
Windows 10 Home Version 22H2
OS build 19045.5608
Windows Defender and Windows Firewall
Microsoft Office Home and Business 2019
-Version 2502(Build 18526.20168 C2R)

Reply | Quote

KB4516655 is a Servicing Stack Update, which has to be installed exclusively (by itself). It will not show up in the Important Update queue in Windows Update if there are any other pending (checked or unchecked) updates.
If you install the updates you want to install, and hide any remaining ones, the SSU will appear. Or you can download it from the MS Catalog and manually install it.

KB4474419 and KB4516655 are required to install KB4522007

2 users thanked author for this post.

mpw, jburk07

Reply | Quote

Thank you.  Worked just as you said.

HP Pavilion Desktop TP01-0050 – 64 bit
Windows 10 Home Version 22H2
OS build 19045.5608
Windows Defender and Windows Firewall
Microsoft Office Home and Business 2019
-Version 2502(Build 18526.20168 C2R)

Reply | Quote