Automox Worklet: Internet Explorer 11 "One-Click" Remediation for Windows

Microsoft announced it has released the Internet Explorer (IE) zero-day patch via Windows Update. We addressed the zero-day vulnerability that is tracked under CVE-2019-1367 in a recent blog post. This vulnerability allows for malicious remote code execution, where a bad actor can run code under the same permissions as the current user.

Initially, Microsoft released the out-of-band patch on the Microsoft Update Catalog, requiring users to manually download this patch. Now, this patch is actively available through Windows Update and Windows Server Update Services (WSUS) to distribute it more widely to end users.

With this patch release, you should be set to run your policies to make the necessary IE updates. However, if your policy update window is far out, we can help you make those updates quickly using Automox Worklets.

Automox Worklets to Patch Out-of-Date Internet Explorer versions

In our earlier blog post, we documented an Automox Worklet that allows you to quickly and effectively remediate a group of devices and ensure they are patched against this vulnerability. However, with so many different KBs for each Windows OS version in both 32- and 64-bit processors, it can be especially time consuming to remediate all of the different endpoints that you manage within your infrastructure.

Below we share an IE11 “one-click” remediation Worklet that remediates all of your Windows devices no matter the OS version or processor. This Automox Worklet evaluates the Windows OS version and the processor to determine which .msu file is needed to install the respected KB. Once the .msu file is determined then it will automatically download the file and install it on the device. 

Currently, this Worklet only works for the IE11. You must use the previous Worklet shown here to remediate IE9 and IE10.

Automox Worklet: To check for out-of-date IE 11 versions and patch

1. Copy the evaluation and remediation code just like it’s written below. Do not change any value, as it will work as written. 

2. In the Automox console under Worklet, paste the evaluation and remediation code into your orgs.

Evaluation:

#Define KB Number and check for presence

#64-bit AND 32-bit KBs

$kbID1903 = 'KB4522016'

$kbID1809 = 'KB4522015'

$kbID1803 = 'KB4522014'

$kbID1709 = 'KB4522012'

$kbID1703 = 'KB4522011'

$kbID1607 = 'KB4522010'

$kbID1507 = 'KB4522009'

$kbIDwin7881 = 'KB4522007'
 
#command to check if the KB exists on the device

$installed1 = Get-Hotfix -Id $kbID1903 -ErrorAction SilentlyContinue

$installed2 = Get-Hotfix -Id $kbID1809 -ErrorAction SilentlyContinue

$installed3 = Get-Hotfix -Id $kbID1803 -ErrorAction SilentlyContinue

$installed4 = Get-Hotfix -Id $kbID1709 -ErrorAction SilentlyContinue

$installed5 = Get-Hotfix -Id $kbID1703 -ErrorAction SilentlyContinue

$installed6 = Get-Hotfix -Id $kbID1607 -ErrorAction SilentlyContinue

$installed7 = Get-Hotfix -Id $kbID1507 -ErrorAction SilentlyContinue

$installed8 = Get-Hotfix -Id $kbIDwin7881 -ErrorAction SilentlyContinue
 
if ( $installed1 -Or $installed2 -Or $installed3 -Or $installed4 -Or $installed5 -Or $installed6 -Or $installed7 -Or $installed8 ) {

    #Compliant, so Exit 0 as success

    exit 0

} else {

    #Non-Compliant, so Exit 1 as failure

    exit 1

}
 

Remediation:

#OS version and architecture evaluation to determine which command to run 
$osversion = (get-itemproperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId
$windowsminor = [environment]::OSVersion.Version.Minor
$osarch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
 
$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
$web = New-Object Net.WebClient
$web.proxy = $proxy


#determine wusa.exe location to install properly on both 32-bit or 64-bit systems
if ((Test-Path $env:systemroot\SysWOW64\wusa.exe)){
  $Wus = "$env:systemroot\SysWOW64\wusa.exe"
}
else {
  $Wus = "$env:systemroot\System32\wusa.exe"
  }
 
#64-bit .msu files
$url1903 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522016-x64_c348c949121cdc6c4defacee70d6060ebb0d8442.msu"
$url1809 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu"
$url1803 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522014-x64_1bd1ff45b207e0711fac3cf2d19bdc25652d4239.msu"
$url1709 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522012-x64_923e05c66f40cc132b8fe5c3101b27db3c17661e.msu"
$url1703 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522011-x64_c47d5bec40fa29c95d0564b07c03a70a3886fafd.msu"
$url1607 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522010-x64_1b49068c61469a4680733c9f1ddee5f1c17ab499.msu"
$url1507 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522009-x64_61f3697a30c71a3ee5fb0768db03e7d85ca2e769.msu"
$urlwin7 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/ie11-windows6.1-kb4522007-x64_052e2af5292fce7302e2bf5bc61361859fc5de99.msu"
$urlwin81 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows8.1-kb4522007-x64_917ea544f0fd5ede94f2088223d6f8638341a6f9.msu"
$urlwin8 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu"
 
#32-bit .msu files
$url190332 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522016-x86_f08d5d39d31737cf02850ea771578744267a2ea1.msu"
$url180932 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522015-x86_73f1857533aa290d3ddc70f3b3b5495e8867f4ea.msu"
$url180332 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522014-x86_204af1e341ef8bd9ce7e21365b18f9fe1ed4513a.msu"
$url170932 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522012-x86_18964229b76cdc42f1d125231963d31b5b708b4e.msu"
$url170332 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522011-x86_64b46d6c2a46bb190156185ce7cf6f17c688b84f.msu"
$url160732 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522010-x86_7845d82ab612fa0245f40d413cc97b4765f2db11.msu"
$url150732 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522009-x86_15edba4946f0f35b2172004d2748842042de957b.msu"
$urlwin732 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/ie11-windows6.1-kb4522007-x86_3965a87d7f1b35a1f63b4674f207d981eeb8c178.msu"
$urlwin832 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/ie11-windows6.2-kb4522007-x86_8597fa798c2d53bac840403550de8ad1bf3ac97f.msu"
$urlwin8132 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows8.1-kb4522007-x86_af6e89eefbc44e7f0c2edb7e4653a4a2aae283e5.msu"
 
 
#installation of .msu files OS specific
if (($osversion -eq '1903') -and $osarch -eq '64-bit')
    {$web.DownloadFile($url1903, "windows10.0-kb4522016-x64_c348c949121cdc6c4defacee70d6060ebb0d8442.msu")
        Start-Process -FilePath $Wus -ArgumentList "windows10.0-kb4522016-x64_c348c949121cdc6c4defacee70d6060ebb0d8442.msu /quiet /norestart" -Wait -PassThru
    }
elseif 
    (($osversion -eq '1809') -and $osarch -eq '64-bit')
    {$web.DownloadFile($url1809, "windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu") 
        Start-Process -FilePath $Wus -ArgumentList "windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu /quiet /norestart" -Wait -PassThru
    }
elseif 
    (($osversion -eq '1803') -and $osarch -eq '64-bit')
    {$web.DownloadFile($url1803, "Windows10.0-kb4522014-x64_1bd1ff45b207e0711fac3cf2d19bdc25652d4239.msu")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522014-x64_1bd1ff45b207e0711fac3cf2d19bdc25652d4239.msu /quiet /norestart" -Wait -PassThru
    }    
elseif 
    (($osversion -eq '1709') -and $osarch -eq '64-bit')
    {$web.DownloadFile($url1709, "Windows10.0-kb4522012-x64_923e05c66f40cc132b8fe5c3101b27db3c17661e.msu")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522012-x64_923e05c66f40cc132b8fe5c3101b27db3c17661e.msu /quiet /norestart" -Wait -PassThru
    }
elseif 
    (($osversion -eq '1703') -and $osarch -eq '64-bit')
    {$web.DownloadFile($url1703, "Windows10.0-kb4522011-x64_c47d5bec40fa29c95d0564b07c03a70a3886fafd.msu")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522011-x64_c47d5bec40fa29c95d0564b07c03a70a3886fafd.msu /quiet /norestart" -Wait -PassThru
    }
elseif 
    (($osversion -eq '1607') -and $osarch -eq '64-bit')
    {$web.DownloadFile($url1607, "Windows10.0-kb4522010-x64_1b49068c61469a4680733c9f1ddee5f1c17ab499.msu")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522010-x64_1b49068c61469a4680733c9f1ddee5f1c17ab499.msu /quiet /norestart" -Wait -PassThru
    }
elseif 
    (($osversion -eq '1507') -and $osarch -eq '64-bit')
    {$web.DownloadFile($url1507, "Windows10.0-kb4522009-x64_61f3697a30c71a3ee5fb0768db03e7d85ca2e769.msu")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522009-x64_61f3697a30c71a3ee5fb0768db03e7d85ca2e769.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($osversion -eq '1903') -and $osarch -eq '32-bit')
    {$web.DownloadFile($url190332, "Windows10.0-kb4522016-x86_f08d5d39d31737cf02850ea771578744267a2ea1.msu")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522016-x86_f08d5d39d31737cf02850ea771578744267a2ea1.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($osversion -eq '1507') -and $osarch -eq '32-bit')
    {$web.DownloadFile($url150732, "Windows10.0-kb4522009-x86_15edba4946f0f35b2172004d2748842042de957b.msu /quiet /norestart")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522009-x86_15edba4946f0f35b2172004d2748842042de957b.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($osversion -eq '1607') -and $osarch -eq '32-bit')
    {$web.DownloadFile($url160732, "Windows10.0-kb4522010-x86_7845d82ab612fa0245f40d413cc97b4765f2db11.msu /quiet /norestart")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522010-x86_7845d82ab612fa0245f40d413cc97b4765f2db11.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($osversion -eq '1703') -and $osarch -eq '32-bit')
    {$web.DownloadFile($url170332, "Windows10.0-kb4522011-x86_64b46d6c2a46bb190156185ce7cf6f17c688b84f.msu /quiet /norestart")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522011-x86_64b46d6c2a46bb190156185ce7cf6f17c688b84f.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($osversion -eq '1709') -and $osarch -eq '32-bit')
    {$web.DownloadFile($url170932, "Windows10.0-kb4522012-x86_18964229b76cdc42f1d125231963d31b5b708b4e.msu /quiet /norestart")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522012-x86_18964229b76cdc42f1d125231963d31b5b708b4e.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($osversion -eq '1803') -and $osarch -eq '32-bit')
    {$web.DownloadFile($url180332, "Windows10.0-kb4522014-x86_204af1e341ef8bd9ce7e21365b18f9fe1ed4513a.msu /quiet /norestart")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522014-x86_204af1e341ef8bd9ce7e21365b18f9fe1ed4513a.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($osversion -eq '1809') -and $osarch -eq '32-bit')
    {$web.DownloadFile($url180932, "Windows10.0-kb4522015-x86_73f1857533aa290d3ddc70f3b3b5495e8867f4ea.msu /quiet /norestart")
        Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522015-x86_73f1857533aa290d3ddc70f3b3b5495e8867f4ea.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($windowsminor -eq '1') -and $osarch -eq '64-bit')
    {$web.DownloadFile($urlwin7, "ie11-windows6.1-kb4522007-x64_052e2af5292fce7302e2bf5bc61361859fc5de99.msu")
     Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.1-kb4522007-x64_052e2af5292fce7302e2bf5bc61361859fc5de99.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($windowsminor -eq '1') -and $osarch -eq '32-bit')
    {$web.DownloadFile($urlwin732, "ie11-windows6.1-kb4522007-x86_3965a87d7f1b35a1f63b4674f207d981eeb8c178.msu")
     Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.1-kb4522007-x86_3965a87d7f1b35a1f63b4674f207d981eeb8c178.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($windowsminor -eq '2') -and $osarch -eq '64-bit')
    {$web.DownloadFile($urlwin8, "ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu")
     Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($windowsminor -eq '2') -and $osarch -eq '32-bit')
    {$web.DownloadFile($urlwin8, "ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu")
     Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu /quiet /norestart" -Wait -PassThru
    }
elseif
    (($windowsminor -eq '3') -and $osarch -eq '32-bit')
    {$web.DownloadFile($urlwin8132, "Windows8.1-kb4522007-x86_af6e89eefbc44e7f0c2edb7e4653a4a2aae283e5.msu /quiet /norestart")
     Start-Process -FilePath $Wus -ArgumentList "Windows8.1-kb4522007-x86_af6e89eefbc44e7f0c2edb7e4653a4a2aae283e5.msu /quiet /norestart /quiet /norestart" -Wait -PassThru
    }
elseif
    (($windowsminor -eq '3') -and $osarch -eq '64-bit')
    {$web.DownloadFile($urlwin81, "ie11-windows6.2-kb4522007-x86_8597fa798c2d53bac840403550de8ad1bf3ac97f.msu")
     Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.2-kb4522007-x86_8597fa798c2d53bac840403550de8ad1bf3ac97f.msu /quiet /norestart" -Wait -PassThru
    }
else 
{exit 1}

 

3. Save the Worklet.

You can assign this Worklet to all of your Windows groups and execute the policy. You can also set the Worklet to run on a schedule like any other Worklet. The Worklet will evaluate to determine if the KB is installed on a device. If the KB is installed, it will do nothing. If it finds the KB is not installed, it will run remediation and install the KB.

If the Evaluation code determines the KB is installed on the device, you can know that the device is patched and protected against the zero-day vulnerability.

Current Automox customers can create policies that automatically handle the patching and execution of important updates for you every single month. Alternatively, you may contact our support team for technical assistance at support@automox.com.

About Automox 

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure. 

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

Get Instant Updates on Vulnerabilities

Subscribe to receive Automox vulnerability alerts

Reduce your threat surface by up to 80%

Make all of your corporate infrastructure more resilient by automating the basics of cyber hygiene.

Take 15 days to raise your security confidence!
Start a Free Trial