
Patch TODAY: Two Critical New Windows Bugs

It’s not Patch Tuesday, but a new set of Critical vulnerability patches is now live for Windows. Our advice is usually to “patch now,” but because these flaws are being exploited in the wild, we recommend that you PATCH TODAY.

The two vulnerabilities affect two different pieces of Windows: the Internet Explorer (IE) 9, 10, and 11 browsers, and Windows Defender. The IE vulnerability, however, is much more severe and is being actively exploited in the wild.

Tracked under CVE-2019-1367, the IE 9, 10, and 11 vulnerability allows malicious remote code execution, letting a bad actor run code with the same permissions as the current user. This type of exploit can be used for anything from deploying ransomware and stealing data to gaining access to a corporate network. Unlike most remote code execution flaws that Microsoft patches, this one is already being used in the wild to attack computers.

Here’s the worse news: this patch will not be applied automatically. To get it, you need to install it directly or use an Automox Worklet™ to check for the patch and apply it if it is missing.

On the Windows Defender side, CVE-2019-1255 tracks another Critical bug that could allow a bad actor to block legitimate computer operations when certain types of files are handled by Windows Defender. We will skip the details, since this bug is not thought to be exploited in the wild, but the tactic is the same: patch it now.

It is incredibly rare for Windows to be patched out of band (not on Patch Tuesday). Take the hint from Microsoft when it’s offered, and get your systems patched.

Your Plan of Attack? Patch Now!

The most effective way to keep IE 9 and above and Windows Defender fully secure and up to date is to patch now and patch automatically. Applying patches for your operating systems and third-party apps as soon as they become available is the best way to prevent an exploit.

For these vulnerabilities, regardless of how your policies are set up within the Automox console, you may need to take manual steps to ensure that they are patched. Why? Microsoft rightly chose patching over research and has not yet assigned full severity scores to these vulnerabilities. Once they are published, Automox will automatically show them in your environment.

Even more worrying, the IE patch has to be installed manually. Using Automox Worklets, you can check whether your systems are up to date and, if not, patch them automatically. Here’s how.

Automox Worklet: check for out-of-date IE 9+ installations and patch them:

To check the status of your Windows systems, create a new Worklet. Because Windows offers unique patches for each OS version and hardware configuration, you will need one Worklet for each OS type in your organization.

In the Evaluation Code, replace Your_KB_Number with the KB number specific to the OS version you need to install it on:

Evaluation Code:

#Define KB Number and check for presence. You need to enter the one specific to your OS version
############################################################################
$kbID = 'Your_KB_Number'
############################################################################

#Get-HotFix returns nothing for an ID that is not installed; suppress the error so only the result matters
$installed = Get-HotFix -Id $kbID -ErrorAction SilentlyContinue

if ( $installed ) {
   #Compliant, so Exit 0 as success
   Exit 0
} else {
   #Non-Compliant, so Exit 1 as failure
   Exit 1
}

Next, you need to upload the .msu file specific to your OS to the Worklet. This can be done underneath the remediation code block.


In the remediation code, replace the placeholder file name with the full name of the .msu file you uploaded for your OS.

Remediation Code:

#Enter the name of the msu file you uploaded.
$fileName = "msu file specific to your OS"

#Launch the installer through wusa.exe (the Windows Update Standalone Installer) and capture the exit code to determine success.
#The file name is quoted so paths containing spaces still work.
$installer = Start-Process -FilePath "wusa.exe" -ArgumentList "`"$fileName`" /quiet /passive /norestart" -Wait -PassThru

#Evaluate Exit Code: 0 (installed), 1641 (installed, reboot initiated) and 3010 (installed, reboot required) are all considered successful
if ( $installer.ExitCode -in @(0, 1641, 3010) ) {
   Exit 0
} else { Exit 1 }

You can repeat the same approach for any other Windows version, including Server or Windows 7, and for specific hardware configurations, such as 32-bit (x86) or ARM. You will need to create a Worklet for every Windows version present in your organization and link each one to the corresponding group of devices in Automox.
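As an added example (not Automox's Worklet code), the following PowerShell folds the evaluation and remediation steps above into one script that picks the right KB and .msu from a lookup table keyed on the OS build, so a single script can cover several Windows versions instead of one Worklet per OS. The KB numbers and .msu names in the table are placeholders you must replace with the values from Microsoft's advisory for each build, and the script assumes the uploaded .msu sits in the Worklet's working directory.

```powershell
# Added example, not Automox's Worklet code. One lookup table serves several Windows
# builds; KB numbers and .msu file names are placeholders to replace with the values
# Microsoft published for each OS build.
$patchTable = @{
    # Win32_OperatingSystem.Version -> KB to check for and .msu uploaded to the Worklet
    '10.0.18362' = @{ KB = 'KB_PLACEHOLDER_1903'; Msu = 'PLACEHOLDER_1903.msu' }  # Windows 10 1903
    '10.0.17763' = @{ KB = 'KB_PLACEHOLDER_1809'; Msu = 'PLACEHOLDER_1809.msu' }  # Windows 10 1809 / Server 2019
    '6.1.7601'   = @{ KB = 'KB_PLACEHOLDER_WIN7'; Msu = 'PLACEHOLDER_WIN7.msu' }  # Windows 7 SP1 / Server 2008 R2
}

function Get-PatchEntry {
    # Look up the running OS build; $null means this build has no mapping yet.
    $version = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
    return $patchTable[$version]
}

function Test-KbInstalled([string]$KbId) {
    # Get-HotFix returns nothing for an ID that is not installed; treat absence as non-compliant.
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Install-Msu([string]$MsuPath) {
    # Install the standalone update silently via wusa.exe and map its exit code:
    # 0 = installed, 1641 = reboot initiated, 3010 = reboot required,
    # 2359302 (0x240006, WU_S_ALREADY_INSTALLED) = nothing to do.
    $proc = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    return ($proc.ExitCode -in @(0, 1641, 3010, 2359302))
}

# Evaluation half: exit 0 = compliant, exit 1 = needs remediation.
# An unmapped build exits 1 so it is surfaced rather than silently treated as patched.
$entry = Get-PatchEntry
if (-not $entry) { Write-Output "No patch mapping for this OS build; extend the table."; Exit 1 }
if (Test-KbInstalled $entry.KB) { Exit 0 }

# Remediation half (in a Worklet this part, plus the helpers, goes in the Remediation Code pane).
$msuPath = Join-Path (Get-Location).Path $entry.Msu
if ((Install-Msu $msuPath) -and (Test-KbInstalled $entry.KB)) { Exit 0 } else { Exit 1 }
```

Re-checking Get-HotFix after the install confirms the KB actually landed rather than trusting the installer's exit code alone.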

To patch Windows Defender, follow the normal process:

You can see which specific systems are impacted from the Software page (if enabled).

Log in to the console and click on the Software icon found in the left navigation pane. In the search box on the Software page, type the number of any Knowledge Base article or software title and hit enter.

Windows Defender works a bit differently than normal. While the tool itself auto-updates, you can force a definition update in Automox. Search for “Definition Update for Windows Defender” without the quotes and sort by date to show the latest. Devices lacking the newest patch will show on the right side, with an option to just patch them now.

You can also sort the list by severity level. If devices are impacted, you will see a list of all impacted devices and versions, as well as information on severity and the associated CVE. Because a severity score has not yet been assigned by Microsoft, one will not appear in Automox. Once it is available, Automox will automatically add it.


Automox can help ensure your systems are adequately patched in a timely manner in order to protect your organization against any vulnerability. As a best practice, you should always ensure that you have at least one patch policy assigned to all of your devices for Critical, Medium, and Low severity patches. These updates are generally Security and Cumulative software updates. Automox is designed to automate your response to zero-day vulnerabilities like this and others across the Windows, MacOS, and Linux operating systems.

Current Automox customers can create policies that automatically handle the patching and execution of important updates for you every single month. Alternatively, you may contact our support team for technical assistance at support@automox.com.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.