![](\"https:\/\/images.techhive.com\/images\/article\/2016\/03\/questions_analytics-100650053-primary.idge.jpg\"\/)
<\/p>\n
Credit to Author: Woody Leonhard| Date: Wed, 25 Sep 2019 07:29:00 -0700<\/strong><\/p>\n Microsoft set the patching world on its ear on Monday when it released an “out of band” patch to fix a vulnerability known as CVE-2019-1367. Susan Bradley<\/span> raised the alarm<\/span><\/a> immediately. I chimed in<\/span> a few hours later<\/span><\/a> with more details.<\/span><\/p>\n Then, yesterday (Tuesday), Microsoft dumped its usual big bunch of “optional, non-security” Win10 patches and “Monthly Rollup Previews” which\u00a0\u2014 we finally figured out\u00a0\u2014 include the fix for CVE-2019-1367. I wrote about that<\/span> in Computerworld<\/em><\/span><\/a>.<\/span><\/p>\n Microsoft’s official description of<\/span> CVE-2019-1367<\/span><\/a> sounds like a zillion other descriptions:<\/span><\/p>\n A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.<\/span><\/p>\n The part that caught everyone’s attention, though, was this one little entry in the description:<\/span><\/p>\n That “Exploited: Yes” notation \u2014 and the fact that the patches were released on a Monday\u00a0\u2014 set the Windows blogosphere into a meltdown. You\u2019ve read the story: Microsoft says it\u2019s exploited, so you better get patched right away! The sky is falling!\u00a0<\/span><\/p>\n What a crock. But the story sure drew a lot of clicks. A clickety crock.<\/span><\/p>\n Usually when Microsoft says a security hole has been “exploited” it means that some political group is using it to infiltrate another political group (or high-profile business) in very specific, targeted attacks. Microsoft has to worry about stuff like that. You don’t.<\/span><\/p>\n In fact, when Microsoft released its original bunch of September patches a couple of weeks ago, it identified two of them\u00a0\u2014\u00a0<\/span>CVE-2019-1214<\/span><\/a> and <\/span>CVE-2019-1215<\/span><\/a>\u00a0\u2014 as \u201cExploited: Yes.\u201d A few days later, very quietly, Microsoft turned both of them to \u201cExploited: No.\u201d\u00a0<\/span><\/p>\n Some security folks get worked up about \u201cExploited: Yes.\u201d Those of us who have been working with Microsoft patches for a while know that, even if a security hole is exploited, there\u2019s frequently no reason for the average Windows customer to quake in their boots.<\/span><\/p>\n That said, there <\/span>are <\/i><\/strong>some times when an exploited vulnerability warrants your immediate attention. But those cases are very few and far between.<\/span><\/p>\n I\u2019ve been on a quest to see if there are any openly reported exploits that use this week\u2019s bugaboo, CVE-2019-1367. So far I\u2019ve come up with nothing. The people who know aren\u2019t talking. The closest I\u2019ve come is a <\/span>little tweet<\/span><\/a> from Costin Raiu, who works at Kaspersky:<\/span><\/p>\n Recently patched IE 0day (CVE-2019-1367) was used by DarkHotel, does not seem related to ongoing discussions re iOS\/Android attacks.<\/span><\/p>\n That rings true, at least to my ear. (<\/span>Cyware describes<\/span><\/a> DarkHotel as \u201ca North Korea-linked threat actor group that has been active since at least 2007\u201d). If there are any attacks out in the open, I sure can\u2019t find them.<\/span><\/p>\n Quite frankly, I don\u2019t see anything about CVE-2019-1367 that makes it any different from dozens of other 0days out there. We seem to hit one or two in the Windows patching game every month.<\/span><\/p>\n So why the horrendously sloppy reaction from Microsoft?\u00a0 Why did we get single-purpose manual-install-only patches on Monday, followed by \u201coptional non-security\u201d updates (which clearly include security patches) and Monthly Rollup Previews (with undocumented security patches) on Tuesday?<\/span><\/p>\n I don\u2019t know. But it certainly set the patching world topsy-turvy.\u00a0<\/span><\/p>\n Make no mistake. This isn\u2019t your grandfather\u2019s out-of-band patch. Usually out-of-band patches tend to be orderly, released for all versions of Windows at once, highly publicized, and available through the various update services. This series of patches looks more like a Keystone Kops attack.<\/span><\/p>\n Do <\/span>you <\/i><\/strong>think that Microsoft\u2019s cleaned up its Windows patching mess?<\/span><\/p>\n Let me know <\/span><\/i>on AskWoody.com<\/span><\/i><\/a>.<\/span><\/i><\/p>\n http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Credit to Author: Woody Leonhard| Date: Wed, 25 Sep 2019 07:29:00 -0700<\/strong><\/p>\n Microsoft set the patching world on its ear on Monday when it released an “out of band” patch to fix a vulnerability known as CVE-2019-1367. Susan Bradley<\/span> raised the alarm<\/span><\/a> immediately. I chimed in<\/span> a few hours later<\/span><\/a> with more details.<\/span><\/p>\n<\/p>\n