Microsoft set the patching world on its ear on Monday when it released an "out of band" patch to fix a vulnerability known as CVE-2019-1367. Susan Bradley raised the alarm immediately. I chimed in a few hours later with more details.
Then, yesterday (Tuesday), Microsoft dumped its usual big bunch of "optional, non-security" Win10 patches and "Monthly Rollup Previews" which — we finally figured out — include the fix for CVE-2019-1367. I wrote about that in Computerworld.
Microsoft's official description of CVE-2019-1367 sounds like a zillion other descriptions:
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.
The part that caught everyone's attention, though, was one little entry in the description: "Exploited: Yes."
That "Exploited: Yes" notation — and the fact that the patches were released on a Monday — set the Windows blogosphere into a meltdown. You’ve read the story: Microsoft says it’s exploited, so you better get patched right away! The sky is falling!
What a crock. But the story sure drew a lot of clicks. A clickety crock.
Usually when Microsoft says a security hole has been "exploited" it means that some political group is using it to infiltrate another political group (or high-profile business) in very specific, targeted attacks. Microsoft has to worry about stuff like that. You don't.
In fact, when Microsoft released its original bunch of September patches a couple of weeks ago, it identified two of them — CVE-2019-1214 and CVE-2019-1215 — as “Exploited: Yes.” A few days later, very quietly, Microsoft turned both of them to “Exploited: No.”
Some security folks get worked up about “Exploited: Yes.” Those of us who have been working with Microsoft patches for a while know that, even if a security hole is exploited, there’s frequently no reason for the average Windows customer to quake in their boots.
That said, there are some times when an exploited vulnerability warrants your immediate attention. But those cases are very few and far between.
I’ve been on a quest to see if there are any openly reported exploits that use this week’s bugaboo, CVE-2019-1367. So far I’ve come up with nothing. The people who know aren’t talking. The closest I’ve come is a little tweet from Costin Raiu, who works at Kaspersky:
Recently patched IE 0day (CVE-2019-1367) was used by DarkHotel, does not seem related to ongoing discussions re iOS/Android attacks.
That rings true, at least to my ear. (Cyware describes DarkHotel as “a North Korea-linked threat actor group that has been active since at least 2007”). If there are any attacks out in the open, I sure can’t find them.
Quite frankly, I don’t see anything about CVE-2019-1367 that makes it any different from dozens of other 0days out there. We seem to hit one or two in the Windows patching game every month.
So why the horrendously sloppy reaction from Microsoft? Why did we get single-purpose manual-install-only patches on Monday, followed by “optional non-security” updates (which clearly include security patches) and Monthly Rollup Previews (with undocumented security patches) on Tuesday?
I don’t know. But it certainly set the patching world topsy-turvy.
Make no mistake. This isn’t your grandfather’s out-of-band patch. Out-of-band patches are usually orderly: released for all versions of Windows at once, highly publicized, and available through the various update services. This series of patches looks more like a Keystone Kops attack.
Do you think that Microsoft’s cleaned up its Windows patching mess?