What do we know about the big, scary, exploited, emergency-patched IE security hole CVE-2019-1367?

Microsoft set the patching world on its ear on Monday when it released an “out of band” patch to fix a vulnerability known as CVE-2019-1367. Susan Bradley raised the alarm immediately. I chimed in a few hours later with more details.

Then, yesterday (Tuesday), Microsoft dumped its usual big bunch of “optional, non-security” Win10 patches and “Monthly Rollup Previews” which — we finally figured out — include the fix for CVE-2019-1367. I wrote about that in Computerworld.

Microsoft’s official description of CVE-2019-1367 sounds like a zillion other descriptions:

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer.

The part that caught everyone’s attention, though, was this one little entry in the description:

[Image: "exploited" (credit: Woody Leonhard/IDG)]

That “Exploited: Yes” notation — and the fact that the patches were released on a Monday — set the Windows blogosphere into a meltdown. You’ve read the story: Microsoft says it’s exploited, so you better get patched right away! The sky is falling! 

What a crock. But the story sure drew a lot of clicks. A clickety crock.

Copyright © 2019 IDG Communications, Inc.





