{"id":16409,"date":"2019-09-24T12:30:09","date_gmt":"2019-09-24T20:30:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/09\/24\/news-10150\/"},"modified":"2019-09-24T12:30:09","modified_gmt":"2019-09-24T20:30:09","slug":"news-10150","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/09\/24\/news-10150\/","title":{"rendered":"Microsoft releases emergency IE patches inside &#039;optional, non-security&#039; cumulative updates"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2019\/06\/patch_and_update_options_pixelized_tools_and_refresh_symbol_with_branching_paths_by_pashaignatov_gettyimages-1152709304-100800559-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Tue, 24 Sep 2019 12:13:00 -0700<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">I\u2019ve seen a lot of confusion about the security hole known as CVE-2019-1367 and what normal Windows customers should do about it. Part of the reason for the confusion is the way the fix was distributed \u2013 the patching files were released on Monday, Sept. 23, but only via manual download from the Microsoft Update Catalog.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"> On a Monday.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In the past few hours, Microsoft released a hodge-podge of patches that seem to tackle the problem. They\u2019re \u201coptional non-security\u201d and \u201cMonthly Rollup preview\u201d patches, so you won\u2019t get them unless you specifically go looking for them. 
<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As a bit o&#8217; lagniappe, if you use Windows Update to install the sky-is-falling IE patch, you\u2019ll get a bunch of additional marginally-tested patches along for the ride.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here are the most important Win10 patches that appear to contain the IE\/CVE-2019-1367 fix:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">I say \u201cappear to contain\u201d the fix because, as best I can tell, none of the documentation mentions CVE-2019-1367, the security hole that was fixed yesterday in an odd single-purpose cumulative update. These, too, are cumulative updates, but they&#8217;re specifically identified as &#8220;<\/span><span style=\"font-weight: 400;\">non-security updates.&#8221;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Which is disingenuous, at best.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Those patches are only available if you click \u201cCheck for updates.\u201d Microsoft would traditionally call them \u201coptional, non-security\u201d patches, but with the likely (if undocumented) presence of a separately identified out-of-band security patch, it\u2019s hard to say what to call them.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">We don\u2019t have a cumulative update for <\/span><strong>Win10 1903<\/strong><span style=\"font-weight: 400;\"> just yet. 
We do, however, have a manually downloadable out-of-band patch for the IE problem in 1903, <\/span><a href=\"https:\/\/www.askwoody.com\/2019\/more-on-the-unexpected-manual-install-only-win10-cumulative-updates-and-ie-patch\/\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">KB 4522016<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Over on the Windows 7\/8.1 side of the fence, it appears as if the CVE-2019-1367 fix is part and parcel of the two Monthly Rollup Previews just released:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There\u2019s no indication in the KB articles that either of these Previews fixes the IE hole, but an independent check <a href=\"https:\/\/www.askwoody.com\/forums\/topic\/heads-up-many-optional-non-security-updates-are-on-the-way\/#post-1963403\" rel=\"nofollow noopener\" target=\"_blank\">by AskWoody\u2019s @EP<\/a> shows that the Previews contain the latest IE file. That likely means the security hole has been plugged in the Previews.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At this point, I don\u2019t see why the Windows blogosphere has tied itself in knots warning about the IE\/CVE-2019-1367 security hole. Yes, Microsoft has said that it\u2019s been exploited in the wild. No, we don\u2019t have any more information. The folks who know aren\u2019t talking. The most credible story I\u2019ve seen involves a very targeted attack from the (reputedly) Korean group known as DarkHotel.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">At any rate, for almost everybody, this appears to be yet another tempest in a teapot. 
My advice is to sit tight, don\u2019t update anything, and stop using Internet Explorer.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Unless you\u2019ve done something to make DarkHotel angry, of course.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">Keep up with the latest on <\/span><\/i><a href=\"https:\/\/www.askwoody.com\/2019\/heads-up-many-optional-non-security-updates-are-on-the-way\/\" rel=\"nofollow noopener\" target=\"_blank\"><i><span style=\"font-weight: 400;\">AskWoody<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3440741\/microsoft-releases-emergency-ie-patches-inside-optional-non-security-cumulative-updates.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2019\/06\/patch_and_update_options_pixelized_tools_and_refresh_symbol_with_branching_paths_by_pashaignatov_gettyimages-1152709304-100800559-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Tue, 24 Sep 2019 12:13:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">I\u2019ve seen a lot of confusion about the security hole known as CVE-2019-1367 and what normal Windows customers should do about it. Part of the reason for the confusion is the way the fix was distributed \u2013 the patching files were released on Monday, Sept. 
23, but only via manual download from the Microsoft Update Catalog.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"> On a Monday.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In the past few hours, Microsoft released a hodge-podge of patches that seem to tackle the problem. They\u2019re \u201coptional non-security\u201d and \u201cMonthly Rollup preview\u201d patches, so you won\u2019t get them unless you specifically go looking for them. <\/span><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,13764,714,10525],"class_list":["post-16409","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-pcs","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16409","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16409"}],"version-history":[{"count":
0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16409\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16409"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16409"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16409"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}