Nine words to ruin your Monday: Emergency Internet Explorer patch amid in-the-wild attacks

Microsoft today issued a rare emergency security update for Internet Explorer to address a critical flaw in the browser that's being exploited right now in the wild. Redmond says the vulnerability, a scripting-engine memory-corruption bug designated CVE-2019-1367, can be abused by a malicious webpage or email to achieve …

  1. Tree
    Unhappy

    Is this just a problem with Windows 10 or is it also present on Windows Hate

    I run Windows 7. Am I safe?

    1. Sandtitz Silver badge
      Facepalm

      Re: Is this just a problem with Windows 10 or is it also present on Windows Hate

      The article has links to the CVE articles where affected products are listed.

      Usually in web browsers, including in IE, the links are underlined and coloured, usually in blue. HTH.

    2. NoneSuch Silver badge
      Mushroom

      IE is the Issue

      Critical Security updates wouldn't be necessary if MS would let me uninstall their piece of garbage browser(s) from my OS.

      Time after time after time I have to patch my servers and workstations for software we don't use or even want on our machines.

      The frequency of these events is either terminal stupidity or the NSA paying off MS engineers to keep the flawed software in place.

      1. TheVogon Silver badge

        Re: IE is the Issue

        The default install for Windows Server doesn't have any web browser (or GUI). If you can't use PowerShell then all the GUI tools can be run remotely.

    3. Mark 85 Silver badge

      Re: Is this just a problem with Windows 10 or is it also present on Windows Hate

      Apparently you aren't. Check your browser version. From the article: The programming blunder is present in at least IE 9 to 11.

  2. Tree
    Unhappy

    Does this only affect Windows 10?

    I'm safe with Windows 7 because I have the original servicing stack!

    1. Gritpype Thynne

      Re: Does this only affect Windows 10?

      On the linked MS page, it lists Windows back to and including win 7, plus all servers back to 2008

  3. big_D Silver badge

    Not showing...

    on WSUS this morning.

    1. chivo243 Silver badge
      Thumb Up

      Re: Not showing...

      Correct you are, not on ours yet either...

    2. TiredNConfused80
      Coat

      Re: Not showing...

      Just came here to check if it was just us... (Icon as maybe the WSUS team left it in a coat pocket...)

    3. Alister Silver badge

      Re: Not showing...

      Also doesn't get offered if you manually check for updates - I've tried on Windows 10, Windows 7, Server 2016, Server 2012 R2 and Server 2008 R2 and none of them offer it.

      1. big_D Silver badge

        Re: Not showing...

        Yep. I just did a manual check on my laptop, which is outside of WSUS for test purposes and it didn't get offered the updates either.

    4. storner

      Re: Not showing...

      From the advisory linked to from the article:

      FAQ

      Will an updated Windows Update offline scan file, Wsusscn2.cab, with this new security update be available?

      No, an updated scan file will not be available until the next security release in October 2019.

  4. simonlb Silver badge
    Joke

    And nine words to make your day better

    Internet Explorer is a piece of shit. Uninstall now!

  5. Pascal Monett Silver badge

    Emergency ?

    Hardly. IE isn't even mentioned on StatCounter any more.

    At ease, everyone. Carry on with your normal lives.

    1. Mattjimf

      Re: Emergency ?

      Obviously doesn't count all the PoS sites in the NHS that only run on IE, with Java 6.4, iframes and flash

  6. Jimboom

    Microsoft Update Catalog only

    Just gone and checked it out and on all the KBs I have looked at it says not available on Windows Update/MS Update or WSUS. Only on Microsoft Update Catalog.

    1. hakuli
      Facepalm

      Re: Microsoft Update Catalog only

      Either someone at MS doesn't consider this quite as critical as they claim, otherwise it'd have hit WSUS, or they think people looking after vast swathes of W10 machines have nothing better to do with their time than install it.

      1. rmason

        Re: Microsoft Update Catalog only

        They're letting user space test it for WSUS customers.

        It'll be a while before it hits WSUS. Just pull it in manually. Trivial to do.

        1. hakuli

          Re: Microsoft Update Catalog only

          I'd be more inclined to buy that if it was being pushed from Microsoft Update, but it's not. The only place it's available, last time I checked, was the Update Catalog.

        2. Alister Silver badge
          Facepalm

          Re: Microsoft Update Catalog only

          "Just pull it in manually. Trivial to do."

          Yeah, all 1.4GB of it. Bloody idiots. If it's so urgent, why make it part of a massive download?

          Cumulative Update for Windows Server 2016 for x64-based Systems (KB4522010) 1420.6MB

  7. JimmyPage Silver badge
    Coat

    At this stage, I'd happily believe the exploit was actually coded by MS

    in a bid to remind us IE still exists

    1. Tom 7 Silver badge

      Re: At this stage, I'd happily believe the exploit was actually coded by MS

      I've managed to convince a lot of people that the patch is in fact another part of the hack.

  8. Anonymous Coward

    understatement of the century

    "Such flaws are not uncommon,"

    I don't know if you were trying to be funny but I certainly laughed out loud at this.

    This is why I tell people that using Microsoft, formerly Windows, Defender is the most recklessly stupid thing you can do after walking blindfolded across a multi-lane highway. Using AV written by the same professionals who wrote the original bugs is simply not smart.

    1. Tom Paine Silver badge

      Re: understatement of the century

      because...??

      1. Sandtitz Silver badge
        Thumb Up

        Re: understatement of the century

        "because...??"

        Because of Micro$oft of course, duh!

        "This is why I tell people that using Microsoft, formerly Windows, Defender is the most recklessly stupid thing you can do after"

        Empty barrels still make the most noise.

  9. mark l 2 Silver badge

    It's about time MS stopped providing IE by default on Windows 10 if less than 8% of all users are actually using it, it can be an optional download for those organisations that still require it.

    And if you do still need IE for some legacy websites that won't work with other browsers, FFS lock it down so it can only access those sites and not be allowed to go out onto the rest of the internet.

    1. Captain Scarlet Silver badge

      Eh Edge has been default since 10 was released?

      I don't see an issue with IE still being there, simply because the moment anyone goes to Google they install Chrome because Google told em to.

  10. Anonymous Coward

    For those wondering about WSUS.....

    Q: How do I get the update for this issue?

    A: On Monday, September 23, 2019, the fix for this issue will be available via the Microsoft Update Catalog. On Tuesday, September 24, 2019, the update will be made available via Windows Update and WSUS as an optional update. You can get the update in Windows via Settings > Windows Update > Check for Updates.

    Q: Does this update require a reboot?

    A: Yes – this update will require a reboot.

    Q: Why is this update being offered as an optional update, and not offered automatically to all Windows clients and servers?

    A: Because this update requires a reboot, we are making it optional now to give users and administrators a choice to install/deploy the update. This update will be offered as an automatic update in the next monthly Update Tuesday release.

    Q: Where can I find the status of documented issues from previous Windows update releases?

    A: You can find the status of documented issues in the Known Issues section of the KB article for the respective update. The status of documented issues in previous Windows updates are also summarized in the Windows Release Information portal: https://docs.microsoft.com/windows/release-information/.

    (from a premier comms email)

    1. DJV Silver badge

      "On Monday, September 23, 2019, the fix for this issue will be available via the Microsoft Update Catalog. On Tuesday, September 24, 2019, the update will be made available via Windows Update and WSUS as an optional update. You can get the update in Windows via Settings > Windows Update > Check for Updates."

      It's the 25th and it STILL isn't available in Windows Update! So, I installed it manually...

  11. Blackjack

    So...

    Can you fully remove Internet Explorer from some versions of Windows?

    1. Anonymous Coward

      Re: So...

      Depends...

      https://en.wikipedia.org/wiki/Removal_of_Internet_Explorer

      1. Blackjack

        Re: So...

        "Removed" it from Windows 7, some files do remain and I am not sure if I should remove them by force or not since that might crash Windows 7.

        1. CrysTalK

          Re: So...

          If you remove [Internet Explorer] folder inside [Program Files], you will delete a system file named ieproxy.dll which is responsible for the Safely Remove Hardware option. Which means any USB pendrive or USB devices you live-insert cannot be safely removed. I too was perplexed as to why SAFELY REMOVE feature needs INTERNET EXPLORER to function properly.

          1. Blackjack

            Re: So...

            That's a legacy practice from the era of Windows 95 when Internet Explorer included system updates for Windows.

            Yeah I wish I was kidding.
