Microsoft releases emergency Internet Explorer security update

Microsoft released an out-of-band emergency security update for Internet Explorer on September 23, 2019 for all supported versions of Windows.
The emergency update is only available on the Microsoft Update Catalog website at the time of writing and not through Windows Update or WSUS.
Some support articles provide little information. The Windows 10 update description simply states "Updates to improve security when using Internet Explorer" without going into further detail. The page links to the Security Update Guide which, after some digging, leads to the CVE of the vulnerability.
The support page for the cumulative update for Internet Explorer offers more information and a direct link to the CVE.
It states:
This security update resolves a vulnerability in Internet Explorer. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could run arbitrary code in the context of the current user. The security update addresses the vulnerability by changing how the scripting engine handles objects in memory.
The same information is provided on the CVE page as well. Microsoft notes that an attacker could take control of the attacked system if the attack succeeds, which would allow the attacker to install or remove programs, view, change or delete files, or create new user accounts.
The security issue is actively exploited according to Microsoft; an attacker could create a specially crafted website to exploit the issue in Internet Explorer.
Microsoft published a workaround to protect systems if the released updates cannot be installed at this point. The workaround may reduce functionality "for components or features that rely on jscript.dll".
The commands need to be run from an elevated command prompt.
Workaround for 32-bit systems:
- takeown /f %windir%\system32\jscript.dll
- cacls %windir%\system32\jscript.dll /E /P everyone:N
Workaround for 64-bit systems:
- takeown /f %windir%\syswow64\jscript.dll
- cacls %windir%\syswow64\jscript.dll /E /P everyone:N
- takeown /f %windir%\system32\jscript.dll
- cacls %windir%\system32\jscript.dll /E /P everyone:N
The workaround can be undone by running the following commands from an elevated command prompt:
Undo 32-bit:
- cacls %windir%\system32\jscript.dll /E /R everyone
Undo 64-bit:
- cacls %windir%\system32\jscript.dll /E /R everyone
- cacls %windir%\syswow64\jscript.dll /E /R everyone
List of updates that fix the vulnerability:
- Windows 10 version 1903: KB4522016
- Windows 10 version 1809 and Server 2019: KB4522015
- Windows 10 version 1803: KB4522014
- Windows 10 version 1709: KB4522012
- Windows 10 version 1703: KB4522011
- Windows 10 version 1607 and Server 2016: KB4522010
- Cumulative IE update for older versions of Windows: KB4522007
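One way to check a host for either mitigation, as an added PowerShell example that is not part of the original article or of Microsoft's guidance: it looks for the KB numbers listed above and inspects the ACL on jscript.dll. It assumes the cacls workaround shows up as a Deny entry for Everyone.

```powershell
# Added example: audit a host for the update or the jscript.dll workaround.
# The KB numbers are the ones listed in this article.
$kbs = 'KB4522016', 'KB4522015', 'KB4522014', 'KB4522012',
       'KB4522011', 'KB4522010', 'KB4522007'

# Get-HotFix writes a non-terminating error for every KB that is not
# registered, so silence those and keep only the matches.
$found = @(Get-HotFix -Id $kbs -ErrorAction SilentlyContinue)
if ($found.Count -gt 0) {
    'Update installed: ' + (($found.HotFixID | Sort-Object -Unique) -join ', ')
} else {
    'None of the listed KBs is registered on this host.'
}

# Both copies matter on 64-bit Windows; SysWOW64 does not exist on 32-bit.
$paths = "$env:windir\System32\jscript.dll",
         "$env:windir\SysWOW64\jscript.dll"
$sidType = [System.Security.Principal.SecurityIdentifier]

foreach ($path in $paths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        # S-1-1-0 is the well-known SID for Everyone. Assumption: the
        # workaround is visible as a Deny entry for that SID.
        $deny = @($acl.GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.IdentityReference.Value -eq 'S-1-1-0' -and
                $_.AccessControlType -eq 'Deny'
            })
        if ($deny.Count -gt 0) {
            $state = 'workaround applied'
        } else {
            $state = 'no Deny entry for Everyone'
        }
    } catch {
        # Once Everyone is denied, only the file owner can read the ACL,
        # so a failure here is reported rather than treated as "clean".
        $state = 'ACL unreadable: ' + $_.Exception.Message
    }
    [pscustomobject]@{ Path = $path; State = $state }
}
```

Later cumulative updates supersede these KBs, so a missing KB number on its own does not show that a host is unpatched.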
What about Windows Updates?
Microsoft has not released the update via Windows Update or WSUS. Susan Bradley notes that the company could release the update on September 24, 2019 via Windows Update and WSUS but that has not been confirmed by Microsoft.
It is a bit puzzling that Microsoft releases an out-of-band security update that addresses an issue that is exploited in the wild but chooses to release it as an update that needs to be downloaded and installed manually only.
Closing Words
Should you install the update right away or not? It is a security update but it is only available via the Microsoft Update Catalog website at the time of writing.
I still would recommend installing it, but you should create a system backup, e.g. using Macrium Reflect or Paragon Backup & Recover Free, before you do so, as one never knows these days whether updates introduce unwanted side effects or issues of their own.
Now You: install or wait, what is your position?


Is anyone facing a printing issue after updating KB4522012? If yes, please let us know the details/resolution.
Martin:
The workarounds, which are at least part of what this update does, break:
1. InstallShield’s start page
2. GPEDIT start page
By itself, that’s crazy bad.
Revisit this. What MS is doing is aimed specifically in this case to trashing the web browser control, without saying it, deprecating all classic VB apps, which whether they like it or not, or whether trolls who laugh that VB6 exists, does not negate that there are hundreds of thousands of apps and utilities that work perfectly today in a huge number of situations where there is no security risks (in-house tools and apps).
It’s time to stop this. A stand has to be made that these updates are not just broken, they are intentionally breaking stuff.
hi Martin.
these “emergency” IE security updates are pretty much moot as Microsoft has just released a new set of updates for most Windows 10 versions and new preview rollups for Win7 & 8.1 have also been made available thru windows update as Optional updates this Tuesday Sept. 24.
woody has the details on his recent blog:
https://www.askwoody.com/2019/heads-up-many-optional-non-security-updates-are-on-the-way/
Recently there have been complaints from users about Windows updates breaking and slowing computers, which could deter users from installing the updates. However, Gartner analyst Peter Firstbrook told CNN Business that users should go ahead with the updates because a blue screen is much easier to clean up than an attack.
https://www.cnn.com/2019/09/24/tech/microsoft-windows-security-threat/index.html
LOL! Never complain that MS doesn’t give you a choice.
I installed the patch and have had no problems with it. The rollup was only ~42Mb for Windows 8.1 64 bit. Better to be safe than sorry. I think that problems, if any, would be minor.
I should add that I don’t use IE, but a quick test revealed no problems.
The only problem with IE is that I can’t use an ad-blocker with it, which is very annoying.
I used to use UBlock Origin with it, but now that is only for Windows 10.
It is not the ideal solution, but you can enable Internet Explorer Tracking Protection.
1. Go to “Tools,” click “Manage add-ons,” and in “Tracking Protection” click “enable.”
2. Choose for IE to block or automatically block.
3. Download a tracking protection list online. Click on “Get a tracking protection list online.”
You can download the EasyList lists.
I run Microsoft Windows [Version 10.0.18362.356] and on 2019-09-23 I disabled WU for 7 days as the IE11 situation looks very uncertain at this time. I do not use IE11 but conceivably something else could….
I use Windows Security (aka Defender) and it is important to manually update it by clicking on its Taskbar icon to resolve https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1255 . This brings Virus Definitions to 1.303.25.0, and the Scan Engine Version to 1.1.16400.2 per Belarc Advisor on 2019-09-24 11:15 UTC.
I disabled IE long ago, so no concern here. This ostensible security fix is a 260 MB cumulative update that affects hundreds of files, changed 10 days ago, but the workaround above is only two to four commands.
So critical it’s not pushed through Windows Updates and is suddenly important 10 days later? Huh?
Do the workaround and ignore the CU seems the right approach if you’re still using IE.
Adding to owl’s comments, Patch Lady, too, is baffled by the hoopla:
https://www.askwoody.com/2019/patch-lady-we-have-an-out-of-band-release/
I bet it gets pulled.
KB4522016 on 1903 is not just the IE security patch, it’s 260MB and on my PC it resulted in, ta-da! – broken search, broken notifications center. Had to remove it.
Really, a security fix should not come with all the BS that isn’t related.
I stopped puzzling over Microsoft’s stupidity a long time ago.
Immediately, I performed an audit of the system using Belarc Advisor.
The result is “No vulnerabilities found in the system. No patch needed”
And, the view of “AskWoody” is:
https://www.askwoody.com/2019/more-on-the-unexpected-manual-install-only-win10-cumulative-updates-and-ie-patch/
◠It’s NOT a Windows patch.
◠It’s been found in the wild, and it can be very nasty.
◠If you don’t use Internet Explorer, you can safely ignore all of the hoopla. If you do use IE, rap yourself on the knuckles, click on those links and go diving for the update: You’ll only get it if you manually download and install it.
◠At the same time, Microsoft released a notification of another security hole, CVE-2019-1255, that can conceivably be used to block Windows Defender updates. There’s no separate patch. You don’t need to worry about installing the fix, because Defender will patch itself.
Postscript,
The view of “AskWoody” is:
MS-DEFCON 2:
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
@owl
This patch defeats MS-DEFCON 2. Everyone is using IE on Windows as IE is embedded in Windows Explorer.