{"id":16462,"date":"2019-09-30T10:30:04","date_gmt":"2019-09-30T18:30:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/09\/30\/news-10202\/"},"modified":"2019-09-30T10:30:04","modified_gmt":"2019-09-30T18:30:04","slug":"news-10202","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/09\/30\/news-10202\/","title":{"rendered":"Microsoft Patch Alert: Botched IE zero-day patch leaves cognoscenti fuming"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security14-100734743-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Mon, 30 Sep 2019 10:16:00 -0700<\/strong><\/p>\n<p>So you think Windows 10 patching is getting better? Not if this month\u2019s Keystone Kops reenactment is an indicator.<\/p>\n<p>In a fervent frenzy, well-meaning but ill-informed bloggers, international news outlets, even little TV stations, enjoyed a hearty round of \u201cThe Windows sky is falling!\u201d right after the local weather. It wasn\u2019t. It isn\u2019t \u2013 no matter what you may have read or heard.<\/p>\n<p>Microsoft has a special way of telling folks how important its patches might be. 
Every individual security hole, listed by its <a href=\"https:\/\/cve.mitre.org\/cve\/\" rel=\"noopener nofollow\" target=\"_blank\">CVE number<\/a>, has an \u201cExploitability Assessment\u201d consisting of:<\/p>\n<p>There is also an indicator of <a href=\"https:\/\/www.microsoft.com\/en-us\/msrc\/exploitability-index\" rel=\"noopener nofollow\" target=\"_blank\">how \u201clikely\u201d<\/a> it is for a given hole to become a problem with the current software release and\/or older versions.<\/p>\n<p>It probably won\u2019t surprise you to know that the definitions of the terms are fluid, inexact, and very hard to nail down.<\/p>\n<p>Security people tend to get excited when they see an \u201cExploited: Yes\u201d entry for a newly publicized security hole: Obviously, that particular bug needs to be fixed quickly because it\u2019s out there on the loose.<\/p>\n<p>Except that isn\u2019t always the case, and it\u2019s becoming less and less pressing as time goes on. Why? Because most of the \u201cExploited: Yes\u201d zero-days are directed at a very, very narrow target population. Governments attacking governments. Big, shadowy criminal enterprises spearing high-profile targets. If you\u2019re protecting state secrets or billion-dollar projects, sure, you need to watch out for the zero-days, and right away. If you\u2019re a normal user, normal business, normal organization \u2013 not so much.<\/p>\n<p>We saw that ambivalence in action this month. When Patch Tuesday arrived on Sept. 10, Microsoft listed two separate security holes as \u201cExploited: Yes\u201d \u2013 the holes identified as <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2019-1214\" rel=\"noopener nofollow\" target=\"_blank\">CVE-2019-1214<\/a> and <a href=\"https:\/\/portal.msrc.microsoft.com\/en-US\/security-guidance\/advisory\/CVE-2019-1215\" rel=\"noopener nofollow\" target=\"_blank\">CVE-2019-1215<\/a>. 
Security folks were tripping over themselves insisting that normal users needed to get both of those patches applied right away.<\/p>\n<p>And then, without announcement or fanfare, sometime late on Sept. 11 or early Sept. 12, Microsoft simply <a href=\"https:\/\/www.askwoody.com\/2019\/microsoft-says-the-two-exploited-security-holes-in-the-september-patches-arent-actually-exploited\/\" rel=\"noopener nofollow\" target=\"_blank\">switched those two patches<\/a> from \u201cExploited: Yes\u201d to \u201cExploited: No.\u201d Few people noticed. The red flags had been thrown, the whistle blown, and those two patches remained Patching Public Enemy Nos. 1 and 2.<\/p>\n<p>That brings me to this month\u2019s <a href=\"https:\/\/www.computerworld.com\/article\/3440523\/what-do-we-know-about-the-big-scary-exploited-emergency-patched-ie-security-hole-cve-2019-1367.html\">big, scary, exploited, emergency-patched IE security hole CVE-2019-1367<\/a>. In what may be the worst rollout in modern Windows patching history, Microsoft rolled all over itself.<\/p>\n<p><strong>Sept. 23:<\/strong> Microsoft released the CVE-2019-1367 bulletin, and published Win10 cumulative updates in the Microsoft Catalog for versions 1903, 1809, 1803, 1709, 1703, Server 2019 and Server 2016. It also released an IE rollup for Win7, 8.1, Server 2012 and Server 2012 R2. Those were only available by manual download from the Catalog \u2013 they didn\u2019t go out through Windows Update, or through the Update Server. Admins in charge of networks were going crazy because this \u201cExploited: Yes\u201d patch was out, but not in a form that they could readily push to all of their machines.<\/p>\n<p><strong>Sept. 
24:<\/strong> Microsoft released <a href=\"https:\/\/www.computerworld.com\/article\/3440741\/microsoft-releases-emergency-ie-patches-inside-optional-non-security-cumulative-updates.html\">\u201coptional, non-security\u201d cumulative updates<\/a> for Win10 version 1809, 1803, 1709, 1703, 1607\/Server 2016. Nothing for Win10 version 1903. We also got Monthly Rollup Previews for Win7 and 8.1. Microsoft didn\u2019t bother to mention it, but we found that those Previews include the IE zero-day patch as well. This bunch of patches went out through normal channels \u2013 Windows Update, Update Server \u2013 but they\u2019re \u201coptional\u201d and \u201cPreview,\u201d which means most savvy individuals and companies won\u2019t install them until they\u2019ve been tested.<\/p>\n<p><strong>Sept. 25:<\/strong> Microsoft \u201c<a href=\"https:\/\/www.askwoody.com\/2019\/microsoft-clarifies-its-cve-2019-1367-release-method\/\" rel=\"noopener nofollow\" target=\"_blank\">clarified<\/a>\u201d its badly botched patching strategy:<\/p>\n<p>Starting September 24, 2019, mitigation for this vulnerability is included as part of the 9C optional update, via Windows Update (WU) and Microsoft Update Catalog, for all supported versions of Windows 10, with the exception of Windows 10, version 1903 and Windows 10, version 1507 (LTSB).<\/p>\n<p>It makes me wonder who was minding the store last week.<\/p>\n<p><strong>Sept. 26:<\/strong> Microsoft releases the \u201coptional, non-security\u201d patch for Win10 version 1903. It apparently includes the fix for this IE zero-day.<\/p>\n<p><strong>Sept. 30<\/strong>: As of early morning, Microsoft hasn\u2019t provided additional details about the security hole or the patch. If there are exploits in the wild, I don\u2019t know anyone who\u2019s seen them. We also don\u2019t know whether exploiting the security hole requires IE, or whether it can somehow be triggered without using the browser. 
The situation\u2019s so absurd that Patch Lady Susan Bradley says (<a href=\"https:\/\/www.askwoody.com\/newsletter\/heres-why-were-not-patching-internet-explorer\/\" rel=\"noopener nofollow\" target=\"_blank\">paywalled<\/a>):<\/p>\n<p>At this time, the IE exploits appear to be highly targeted and narrowly applied. But the company hasn&#8217;t clearly spelled out the extent of the threat \u2014 except indirectly by making the fix relatively difficult to get. So in what might be a first \u2014 and with some concern \u2014 I&#8217;m recommending skipping the still-optional zero-day IE patches, both the standalone updates and in the preview cumulative updates. I believe it&#8217;s safer to wait and ensure that the possible side effects are fully investigated.<\/p>\n<p>We have <a href=\"https:\/\/www.askwoody.com\/2019\/three-known-bugs-in-the-latest-build-of-win10-version-1903\/\" rel=\"noopener nofollow\" target=\"_blank\">three reported bugs<\/a> in the latest IE patches.<\/p>\n<p>While September\u2019s most spectacular patching failure incorporates innovative new screw-ups, there are plenty of mundane problems as well:<\/p>\n<p>There <em>is<\/em> a bit of good news: In spite of <a href=\"https:\/\/www.computerworld.com\/article\/3436857\/heads-up-a-free-working-exploit-for-bluekeep-just-hit.html\">initial reports<\/a> that a working exploit of the BlueKeep vulnerability has hit the fan, there still aren\u2019t any signs of an imminent major infection. We could use a little good news, eh?<\/p>\n<p>Still and all, Win10 patching \u2013 Windows patching in general \u2013 isn\u2019t getting better. 
Of this I\u2019m sure.<\/p>\n<p><em>Join us for free help and commiseration <\/em><a href=\"https:\/\/www.askwoody.com\/2019\/where-we-stand-with-the-september-2019-patches\/\" rel=\"noopener nofollow\" target=\"_blank\"><em>on AskWoody.com<\/em><\/a><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3216425\/microsoft-patch-alert-botched-ie-zero-day-patch-leaves-cognoscenti-fuming.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2017\/09\/windows_patch_security14-100734743-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Mon, 30 Sep 2019 10:16:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>So you think Windows 10 patching is getting better? Not if this month\u2019s Keystone Kops reenactment is an indicator.<\/p>\n<p>In a fervent frenzy, well-meaning but ill-informed bloggers, international news outlets, even little TV stations, enjoyed a hearty round of \u201cThe Windows sky is falling!\u201d right after the local weather. It wasn\u2019t. It isn\u2019t \u2013 no matter what you may have read or heard.<\/p>\n<h2><strong>The fickle finger of zero-day fate<\/strong><\/h2>\n<p>Microsoft has a special way of telling folks how important its patches might be. 
Every individual security hole, listed by its <a href=\"https:\/\/cve.mitre.org\/cve\/\" rel=\"noopener nofollow\" target=\"_blank\">CVE number<\/a>, has an \u201cExploitability Assessment\u201d consisting of:<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3216425\/microsoft-patch-alert-botched-ie-zero-day-patch-leaves-cognoscenti-fuming.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,10909,13764,714,10525],"class_list":["post-16462","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-microsoft-office","tag-pcs","tag-security","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16462"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16462\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16462"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16462"}],"curies":[{"name":"w
p","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}