Microsoft finally released the cumulative security update KB4524135 for Internet Explorer versions 9 to 11 on October 3, 2019 to close a vulnerability that had become known in September.
The vulnerability CVE-2019-1367 in IE
On September 23, 2019, Microsoft had surprisingly released out-of-band security updates for Internet Explorer that were intended to close the CVE-2019-1367 vulnerability.
CVE-2019-1367 is a memory corruption vulnerability in IE's scripting engine. It lies in the way the scripting engine handles objects in Internet Explorer's memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
An attacker who successfully exploited the vulnerability is granted the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs, view, modify, or delete data, or create new accounts with full user privileges.
I had blogged about the updates available for the various Windows versions in the blog post Windows: Vulnerabilities in IE and Defender (09/23/2019). According to the KB article, the security updates were only available in the Microsoft Update Catalog and had to be downloaded and installed manually. However, there were printing issues with the September updates, and Microsoft blamed the IE security update for this (see Windows: Printer issues after Sept. 2019 Update confirmed).
Update KB4524135 for Internet Explorer
Cumulative Update KB4524135, released on October 3, 2019, is available for Internet Explorer 9 – 11 for the following Windows versions:
- Internet Explorer 11 on Windows Server 2012 R2
- Internet Explorer 11 on Windows Server 2012
- Internet Explorer 11 on Windows Server 2008 R2 SP1
- Internet Explorer 11 on Windows 8.1 Update
- Internet Explorer 11 on Windows 7 SP1
- Internet Explorer 10 on Windows Server 2012
- Internet Explorer 9 on Windows Server 2008 SP2
The cumulative update again addresses the CVE-2019-1367 vulnerability, and this time it is shipped via both Windows Update and WSUS. The update can also be downloaded from the Microsoft Update Catalog and installed manually.
Before installing the IE update KB4524135, the installation of Servicing Stack Update (SSU) (KB4490628) or newer (if available) is recommended. In addition, the SHA-2 update (KB4474419) dated September 10, 2019 must have been installed under Windows 7 and Windows Server 2008/R2.
Microsoft also recommends that you install the latest Servicing Stack Update (SSU) (KB4516655) under Windows 7/Server 2008/R2 after installing the update. If a language pack is subsequently installed, update KB4524135 must be reinstalled. The support article KB4524135 lists known errors and further information that should be noted.
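The install order described above can be checked per machine before rollout. The following PowerShell sketch is an added example, not code from Microsoft or from this article: the function and parameter names are hypothetical, the KB numbers are the ones named in the text, and it assumes that KB4516655 (the latest SSU) satisfies the "KB4490628 or newer" recommendation.

```powershell
# Added example. KB numbers come from the article; all names are hypothetical.
# Written to run on PowerShell 2.0, the default on Windows 7 SP1.
function Get-IEUpdateReadiness {
    param(
        # Installed KB IDs. Default: what Get-HotFix reports locally. Get-HotFix
        # may not list every update, so treat "missing" as "verify manually".
        [string[]]$InstalledKb = @(Get-HotFix | Select-Object -ExpandProperty HotFixID),
        # Windows 7 / Server 2008 / 2008 R2 report an OS version below 6.2.
        [bool]$IsWin7Family = ([Environment]::OSVersion.Version -lt [version]'6.2')
    )

    $target    = $InstalledKb -contains 'KB4524135'   # cumulative IE update
    $latestSsu = $InstalledKb -contains 'KB4516655'   # SSU recommended afterwards
    # Assumption: the latest SSU counts as "KB4490628 or newer".
    $ssuPrereq = ($InstalledKb -contains 'KB4490628') -or $latestSsu
    # The SHA-2 update is only mandatory on Windows 7 / Server 2008 / 2008 R2.
    $sha2      = (-not $IsWin7Family) -or ($InstalledKb -contains 'KB4474419')

    if (-not $target) {
        if (-not $sha2) {
            $next = 'Install SHA-2 update KB4474419 (required), then re-check'
        } elseif (-not $ssuPrereq) {
            $next = 'Install SSU KB4490628 or newer (recommended), then KB4524135'
        } else {
            $next = 'Install KB4524135'
        }
    } elseif ($IsWin7Family -and -not $latestSsu) {
        $next = 'Install latest SSU KB4516655'
    } else {
        $next = 'Nothing to do'
    }

    New-Object PSObject -Property @{
        IEUpdateInstalled = $target
        SsuPrereqPresent  = $ssuPrereq
        Sha2PrereqOk      = $sha2
        LatestSsuPresent  = $latestSsu
        NextStep          = $next
    }
}

# Constructed sample input: a Windows 7 machine that has the SHA-2 update and
# the older SSU, but not yet the IE update.
Get-IEUpdateReadiness -InstalledKb 'KB4474419','KB4490628' -IsWin7Family $true
```

Called without parameters, the function inspects the local machine. It cannot detect a language pack installed after the update, which according to the text above requires reinstalling KB4524135.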
The printer issue mentioned below will be fixed in separate Windows updates.
Addendum: See also my new article Windows/IE: Issues and confusion with updates (10/03/2019) discussing new/old issues.
Windows: Vulnerabilities in IE and Defender (09/23/2019)
Windows: Printer issues after Sept. 2019 Update confirmed
Windows10 V1903: Update KB4517211 causes printer issues
Windows 10: Issues with Updates KB4522015, KB4522016 / KB4517211 (Sept. 2019)
Windows Updates fixes printer bug (Oct. 3, 2019)