Microsoft releases even more patches for the CVE-2019-1367 IE zero-day, and the bugs are having a field day

Credit to Author: Woody Leonhard| Date: Fri, 04 Oct 2019 06:49:00 -0700

You may recall the Keystone Kops reenactment that goes by the code name CVE-2019-1367. In short:

Sept. 23: Microsoft released the CVE-2019-1367 bulletin, and published Win10 cumulative updates in the Microsoft Catalog for versions 1903, 1809, 1803, 1709, 1703, Server 2019 and Server 2016. It also released an IE rollup for Win7, 8.1, Server 2012 and Server 2012 R2. Those were only available by manual download from the Catalog — they didn’t go out through Windows Update, or through the Update Server. 

Sept. 24: Microsoft released “optional, non-security” cumulative updates for Win10 version 1809, 1803, 1709, 1703, 1607/Server 2016. Nothing for Win10 version 1903. We also got Monthly Rollup Previews for Win7 and 8.1. Microsoft didn’t bother to mention it, but we found that those Previews include the IE zero-day patch as well. This bunch of patches went out through normal channels — Windows Update, Update Server — but they’re “optional” and “Preview,” which means most savvy individuals and companies won’t install them until they’ve been tested.

Sept. 25: Microsoft “clarified” its badly botched patching strategy:

Starting September 24, 2019, mitigation for this vulnerability is included as part of the 9C optional update [Microsoft-speak for the third cumulative update in September—WL], via Windows Update (WU) and Microsoft Update Catalog, for all supported versions of Windows 10, with the exception of Windows 10, version 1903 and Windows 10, version 1507 (LTSB).

Sept. 26: Microsoft releases the “optional, non-security” patch for Win10 version 1903. It apparently includes the fix for this IE zero-day.

Oct. 3: Out of the blue, Microsoft releases a full set of honest-to-goodness Cumulative Updates and Monthly Rollups for all versions of Windows:

As well as all earlier versions of Win10, including Servers. We also got Monthly Rollups (not Previews, mind you, but genuine Rollups):

As well as a new cumulative update for IE9/IE10/IE11, KB 4524135

Oddly, there doesn’t appear to be a concomitant update for Server 2008 R2.

One wag says that they’re just re-issued patches, to fix the bugs introduced in the first two rounds of patches. That may be the unvarnished truth. Here’s what the KB articles all say:

This is a required security update that expands the out-of-band update dated September 23, 2019. This security update includes the Internet Explorer scripting engine security vulnerability (CVE-2019-1367) mitigation and corrects a recent printing issue some users have experienced. Customers using Windows Update or Windows Server Update Services (WSUS) will be offered this update automatically. To help secure your devices, we recommend that you install this update as soon as a possible and restart your PC to fully apply the mitigations. Like all cumulative updates, this update supersedes any preceding update.

Note This update does not replace the upcoming October 2019 monthly update, which is scheduled to release on October 8, 2019.

Microsoft may call its two earlier failed attempts “out-of-band updates” but that glosses over the fact that they were very poorly assembled, full of bugs, and they weren’t real out-of-band updates because they weren’t pushed to everybody. In fact, they were particularly hard to locate and install.

This, however, is a for-real out-of-band security update. That puts an entirely different face on what was a complete farce.

Continuing with the official explanation:

This security update includes quality improvements. Key changes include:

Addresses an intermittent issue with the print spooler service that may cause print jobs to fail. Some apps may close or generate errors, such as the remote procedure call (RPC) error.

Addresses an issue that may result in an error when you install Features On Demand (FOD), such as .Net 3.5. The error is, “The changes couldn’t be complete. Please reboot your computer and try again. Error code: 0x800f0950.”

Which addresses two of the bugs I talked about earlier this week. At least it fixes the .NET 3.5 installation bug.

Although the new, new patches have only been out for about 18 hours, as of this writing, I’m seeing reports from many corners about bugs. Most prominently, the printing bug hasn’t been fixed.

Günter Born has a rundown

Over on Tenforums, Hewjr100 says:

Did not work for me. When I print with LibreOffice and/or notepad, both apps close immediately. Using HP 8740 Pro. … Update: Opening an existing LibreOffice document, causes LibreOffice to crash. 

We have many reports of problems on AskWoody, e.g., edmondnazarian says:

HP printer issue still exists! I can’t print anything using my HP 6978 printer after installing KB4524147. “Microsoft is not currently aware of any issues”? Interesting.

Cogx posts:

Not just HP for us, but Ricoh printers are causing us fits now too.  In one such case, installed today’s (10/3/19) update (for Windows 8.1) and it didn’t fix the application crashing when trying to print to that particular Ricoh.  It’s not the spooler crashing, it is the application trying to print to that particular Ricoh USB connected printer (Word, Chrome, etc.) The user’s other printer (network printer, also a copier Ricoh model) works and the Adobe PDF printer driver works.

I know we scream about a lot of buggy patches, but the truth is, with the ~450 computers I directly support, and the three thousand more where I work, we rarely run into the “known issues” from various MS patches.  The last one I can recall was a bad MS AV update. Every year or two a screwy Word or Excel patch will get us. But, now they have really gone and done it, breaking printing is like the number one cardinal sin where I work.  Printing is all anyone cares about.

There’s an anonymous post that warns:

After KB4524147 I get a warning in Event Viewer every time I open Google Chrome (Event ID 10016 — DistributedCOM).

Then there’s a problem with legacy JScript programs reported by rozmansi:

The KB4524135 [the IE-specific patch] and KB4524156 [the Win8.1 patch] installed on our Windows Server 2012R2 over the night and all JScript legacy ASP websites broke: heap corruption, unknown variable values, garbage in error responses. Event log was full of “Error: File /index.asp Unexpected error. A trappable error (C0000005) occurred in an external object. The script cannot continue running..” messages. Clicking refresh on any website gave a couple of successful responses, followed by a 500 Internal Server Error, and again some sucessful responses…

VBScript pages were unaffected.  Uninstalling both updates made websites stable again. JScript.dll broken?

But that’s not all … I’m seeing multiple reports of the Start menu getting hosed by the new patches. Reddit poster pyork211099 says:

Broke my Start Menu immediately. … It gives me critical error when i click start menu button. … StartMenuExperienceHost.exe not running. Nor is ShellExperienceHost.exe, actually. All users that log in, multiple computers, Domain joined.

We’ve tried to replicate the problem on AskWoody, with no luck so far.

And then this morning, when I installed the patches on my test machines, I saw yet another bug. In the Microsoft Update Catalog, these new patches are identified as, e.g., 

2019-10 Cumulative Update for Windows 10 Version 1903 for x64-based Systems (KB4524147) 

But in the Windows Update dialog (screenshot) they’re identified as 

2019-09 Cumulative Update for Windows 10 Version 1903 for x64-based Systems (KB4524147) 

Even the well-considered, 10-day-old, genuine “out-of-band” patch has irritating internal fit-and-finish problems. 

Hard to say. 

Microsoft hasn’t provided additional details about the security hole or the patch. If there are exploits in the wild, I don’t know anyone who’s seen them. We also don’t know whether exploiting the security hole requires IE, or whether it can somehow be triggered without using the browser. 

We do have one new piece of information. This from the bottom of Microsoft’s CVE-2019-1367 advisory, explaining the latest releases:

Version 2.0 — 10/03/2019 — To address a known printing issue customers might experience after installing the Security Updates or IE Cumulative updates that were released on September 23, 2019 for CVE-2019-1367, Microsoft is releasing new Security Updates, IE Cumulative Updates, and Monthly Rollup updates for all applicable installations of Internet Explorer 9, 10, or 11 on Microsoft Windows.

Is it possible that Microsoft changed from a lackadaisical hodge-podge of manual patches to a real, coordinated out-of-band update, just to fix printer bugs? 

Those of you controlling many machines should prepare to install yesterday’s patches, knowing full well that you may be clobbering a lot of printers in the process. For individual Windows customers, I say wait for now. 

Stay tuned.

Have you patched? Intentionally? Let us know what happened on AskWoody.com.

http://www.computerworld.com/category/security/index.rss

Leave a Reply