Microsoft releases emergency Internet Explorer security update

Martin Brinkmann
Sep 24, 2019
Internet Explorer, Security

Microsoft released an out-of-band emergency security update for Internet Explorer on September 23, 2019 for all supported versions of Windows.

The emergency update is only available on the Microsoft Update Catalog website at the time of writing and not through Windows Update or WSUS.

Some support articles provide little information. The Windows 10 update description simply states "Updates to improve security when using Internet Explorer" without going into further detail. The page links to the Security Update Guide which, after some digging, leads to the CVE of the vulnerability.


The support page for the cumulative update for Internet Explorer offers more information and a direct link to the CVE.

It states:

This security update resolves a vulnerability in Internet Explorer. A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could run arbitrary code in the context of the current user. The security update addresses the vulnerability by changing how the scripting engine handles objects in memory.

The same information is provided on the CVE page as well. Microsoft notes that an attacker could take control of the attacked system if the attack succeeds, which would allow the attacker to install or remove programs, view, change or delete files, or create new user accounts.

The security issue is actively exploited according to Microsoft; an attacker could create a specially prepared website to exploit the issue in Internet Explorer.

Microsoft published a workaround to protect systems if the released updates cannot be installed at this point. The workaround may reduce functionality "for components or features that rely on jscript.dll".

The commands need to be run from an elevated command prompt.

Workaround for 32-bit systems:

  • takeown /f %windir%\system32\jscript.dll
  • cacls %windir%\system32\jscript.dll /E /P everyone:N

Workaround for 64-bit systems:

  • takeown /f %windir%\syswow64\jscript.dll
  • cacls %windir%\syswow64\jscript.dll /E /P everyone:N
  • takeown /f %windir%\system32\jscript.dll
  • cacls %windir%\system32\jscript.dll /E /P everyone:N

The workaround can be undone by running the following commands from an elevated command prompt:

Undo 32-bit:

  • cacls %windir%\system32\jscript.dll /E /R everyone

Undo 64-bit:

  • cacls %windir%\system32\jscript.dll /E /R everyone
  • cacls %windir%\syswow64\jscript.dll /E /R everyone
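A check for whether the workaround is currently in place on a machine, as an added example that is not part of the original article or of Microsoft's guidance. It assumes that `cacls ... everyone:N` shows up as a Deny entry for the Everyone group (SID S-1-1-0) in the file's ACL, and that the account running it can read that ACL, for example because it took ownership with `takeown`.

```powershell
# Added example: report whether the jscript.dll workaround is in place.
# Run from an elevated PowerShell prompt.
$everyoneSid = 'S-1-1-0'   # well-known SID of the Everyone group
$sidType     = [System.Security.Principal.SecurityIdentifier]

# syswow64 only exists on 64-bit Windows, so keep only the paths that are present.
$paths = "$env:windir\system32\jscript.dll", "$env:windir\syswow64\jscript.dll" |
    Where-Object { Test-Path -LiteralPath $_ }

$report = foreach ($path in $paths) {
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop

        # Request SIDs instead of account names so the check works on localized Windows.
        # Assumption: the workaround appears as a Deny ACE for Everyone.
        $deny = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq $everyoneSid
        })

        [pscustomobject]@{
            Path              = $path
            Owner             = $acl.Owner
            WorkaroundApplied = ($deny.Count -gt 0)
            DeniedRights      = ($deny | ForEach-Object { $_.FileSystemRights }) -join ', '
        }
    }
    catch {
        # The ACL could not be read (e.g. another account owns the file):
        # report the state as unknown rather than guessing.
        [pscustomobject]@{
            Path              = $path
            Owner             = $null
            WorkaroundApplied = $null
            DeniedRights      = "ACL not readable: $($_.Exception.Message)"
        }
    }
}

# On 64-bit systems both rows should agree; a mixed result means the
# workaround (or its undo) was only applied to one of the two copies.
$report | Format-Table -AutoSize
```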

List of updates that fix the vulnerability:

What about Windows Updates?

Microsoft has not released the update via Windows Update or WSUS. Susan Bradley notes that the company could release the update on September 24, 2019 via Windows Update and WSUS but that has not been confirmed by Microsoft.

It is a bit puzzling that Microsoft releases an out-of-band security update that addresses an issue that is exploited in the wild but chooses to release it as an update that needs to be downloaded and installed manually only.

Closing Words

Should you install the update right away or not? It is a security update but it is only available via the Microsoft Update Catalog website at the time of writing.

I still would recommend installing it but you should create a system backup, e.g. using Macrium Reflect or Paragon Backup & Recover Free, before you do so, as one never knows these days whether updates introduce unwanted side effects or issues of their own.

Now You: install or wait, what is your position?


Comments

  1. Udaya E said on September 28, 2019 at 3:27 pm

    Is anyone facing a printing issue after updating KB4522012? If yes, please let us know the details/resolution.

  2. Alex said on September 27, 2019 at 6:29 pm

    Martin:

    The workarounds, which are at least part of what this update does, break:

    1. InstallShield’s start page
    2. GPEDIT start page

    By itself, that’s crazy bad.

    Revisit this. What MS is doing is aimed specifically in this case to trashing the WebBrowser control, without saying it, deprecating all classic VB apps, which whether they like it or not, or whether trolls who laugh that VB6 exists, does not negate that there are hundreds of thousands of apps and utilities that work perfectly today in a huge number of situations where there is no security risks (in-house tools and apps).

    It’s time to stop this. A stand has to be made that these updates are not just broken, they are intentionally breaking stuff.

  3. EP said on September 24, 2019 at 8:55 pm

    hi Martin.

    these “emergency” IE security updates are pretty much moot as Microsoft has just released a new set of updates for most Windows 10 versions and new preview rollups for Win7 & 8.1 have also been made available thru windows update as Optional updates this Tuesday Sept. 24.

    woody has the details on his recent blog:
    https://www.askwoody.com/2019/heads-up-many-optional-non-security-updates-are-on-the-way/

  4. jern said on September 24, 2019 at 7:38 pm

    Recently there have been complaints from users about Windows updates breaking and slowing computers, which could deter users from installing the updates. However, Gartner analyst Peter Firstbrook told CNN Business that users should go ahead with the updates because a blue screen is much easier to clean up than an attack.

    https://www.cnn.com/2019/09/24/tech/microsoft-windows-security-threat/index.html

    LOL! Never complain that MS doesn’t give you a choice.

  5. Mark Hazard said on September 24, 2019 at 1:59 pm

    I installed the patch and have had no problems with it. The rollup was only ~42Mb for Windows 8.1 64 bit. Better to be safe than sorry. I think that problems, if any, would be minor.

    1. Mark Hazard said on September 24, 2019 at 6:12 pm

      I should add that I don’t use IE, but a quick test revealed no problems.
      The only problem with IE is that I can’t use an ad-blocker with it, which is very annoying.
      I used to use UBlock Origin with it, but now that is only for Windows 10.

      I

      1. Mateo Amatria said on September 24, 2019 at 7:43 pm

        It is not the ideal solution, but you can enable Internet Explorer Tracking Protection.

        1. Go to “Tools,” click “Manage add-ons,” and in “Tracking Protection” click “enable.”

        2. Choose for IE to block or automatically block.

        3. Download a tracking protection list online. Click on “Get a tracking protection list online.”

        You can download the EasyList lists.

  6. chesscanoe said on September 24, 2019 at 1:27 pm

    I run Microsoft Windows [Version 10.0.18362.356] and on 2019-09-23 I disabled WU for 7 days as the IE11 situation looks very uncertain at this time. I do not use IE11 but conceivably something else could….

    I use Windows Security (aka Defender) and it is important to manually update it by clicking on its Taskbar icon to resolve https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1255 . This brings Virus Definitions to 1.303.25.0, and the Scan Engine Version to 1.1.16400.2 per Belarc Advisor on 2019-09-24 11:15 UTC.

  7. ULBoom said on September 24, 2019 at 12:53 pm

    I disabled IE long ago, so no concern here. This ostensible security fix is a 260 MB cumulative update that affects hundreds of files, changed 10 days ago, but the workaround above is only two to four commands.

    So critical it’s not pushed through Windows Updates and is suddenly important 10 days later? Huh?

    Do the workaround and ignore the CU seems the right approach if you’re still using IE.

    Adding to owl’s comments, Patch Lady, too, is baffled by the hoopla:
    https://www.askwoody.com/2019/patch-lady-we-have-an-out-of-band-release/

    I bet it gets pulled.

  8. Alex said on September 24, 2019 at 12:23 pm

    KB4522016 on 1903 is not just the IE security patch, it’s 260MB and on my PC it resulted in, ta-da! – broken search, broken notifications center. Had to remove it.

    Really, a security fix should not come with all the BS that isn’t related.

  9. 420 said on September 24, 2019 at 9:20 am

    I stopped puzzling over Microsoft's stupidity a long time ago.

  10. owl said on September 24, 2019 at 8:34 am

    Immediately, I performed an audit of the system using Belarc Advisor.
    The result is “No vulnerabilities found in the system. No patch needed”

    And, the view of “AskWoody” is:
    https://www.askwoody.com/2019/more-on-the-unexpected-manual-install-only-win10-cumulative-updates-and-ie-patch/
    ● It’s NOT a Windows patch.
    ● It’s been found in the wild, and it can be very nasty.
    ● If you don’t use Internet Explorer, you can safely ignore all of the hoopla. If you do use IE, rap yourself on the knuckles, click on those links and go diving for the update: You’ll only get it if you manually download and install it.
    ● At the same time, Microsoft released a notification of another security hole, CVE-2019-1255, that can conceivably be used to block Windows Defender updates. There’s no separate patch. You don’t need to worry about installing the fix, because Defender will patch itself.

    1. owl said on September 24, 2019 at 8:38 am

      Postscript,
      The view of “AskWoody” is:
      MS-DEFCON 2:
      Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

      1. ilev said on September 24, 2019 at 6:53 pm

        @owl
        This patch defeats MS-DEFCON 2. Everyone is using IE on Windows as IE is embedded in Windows Explorer.
