Worklet: IE11 Zero-day "One-Click" Remediation for Windows

  • 3 October 2019

In our latest community Security Alerts, Gavin discusses the new IE zero-day vulnerability that is tracked under CVE-2019-1367. This vulnerability allows for malicious remote code execution, where a bad actor can run code under the same permissions as the current user.


The Worklet Gavin posted in the Security Alert update is an effective way to quickly remediate a group of devices and ensure they are patched against this vulnerability. However, with so many different KBs for each Windows OS version in both 32 and 64-bit processors, it can be a real time-consuming task to remediate all of the different endpoints that you manage in your infrastructure.


Below is the IE11 “One-click” remediation Worklet that will remediate all of your Windows devices, no matter what version or processor, in a single Worklet.


The Worklet is designed to evaluate both the Windows OS version and the processor to determine which .msu file is needed to install the respective KB. Once the .msu is determined, it will automatically download the file and install it on the device. Simple as that!


This currently only works for IE11. IE9 and 10 will still need to be remediated with the Worklet posted by Gavin.


Copy the evaluation and remediation code just like it’s written below. There is no need to change any value; it will work as written. Paste the evaluation and remediation code into your Worklet for your orgs:


Evaluation:


#Define KB Number and check for presence
#64-bit AND 32-bit KBs
$kbID1903 = 'KB4522016'
$kbID1809 = 'KB4522015'
$kbID1803 = 'KB4522014'
$kbID1709 = 'KB4522012'
$kbID1703 = 'KB4522011'
$kbID1607 = 'KB4522010'
$kbID1507 = 'KB4522009'
$kbIDwin7881 = 'KB4522007'

#command to check if the KB exists on the device
$installed1 = Get-Hotfix -Id $kbID1903 -ErrorAction SilentlyContinue
$installed2 = Get-Hotfix -Id $kbID1809 -ErrorAction SilentlyContinue
$installed3 = Get-Hotfix -Id $kbID1803 -ErrorAction SilentlyContinue
$installed4 = Get-Hotfix -Id $kbID1709 -ErrorAction SilentlyContinue
$installed5 = Get-Hotfix -Id $kbID1703 -ErrorAction SilentlyContinue
$installed6 = Get-Hotfix -Id $kbID1607 -ErrorAction SilentlyContinue
$installed7 = Get-Hotfix -Id $kbID1507 -ErrorAction SilentlyContinue
$installed8 = Get-Hotfix -Id $kbIDwin7881 -ErrorAction SilentlyContinue

if ( $installed1 -Or $installed2 -Or $installed3 -Or $installed4 -Or $installed5 -Or $installed6 -Or $installed7 -Or $installed8 ) {
#Compliant, so Exit 0 as success
exit 0
} else {
#Non-Compliant, so Exit 1 as failure
exit 1
}

Remediation:


#OS version and architecture evaluation to determine which command to run 
$osversion = (get-itemproperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId
$windowsminor = [environment]::OSVersion.Version.Minor
$osarch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture

$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
$web = New-Object Net.WebClient
$web.proxy = $proxy


#determine wusa.exe location to install properly on both 32-bit or 64-bit systems
if ((Test-Path $env:systemroot\SysWOW64\wusa.exe)){
$Wus = "$env:systemroot\SysWOW64\wusa.exe"
}
else {
$Wus = "$env:systemroot\System32\wusa.exe"
}

#64-bit .msu files
$url1903 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522016-x64_c348c949121cdc6c4defacee70d6060ebb0d8442.msu"
$url1809 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu"
$url1803 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522014-x64_1bd1ff45b207e0711fac3cf2d19bdc25652d4239.msu"
$url1709 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522012-x64_923e05c66f40cc132b8fe5c3101b27db3c17661e.msu"
$url1703 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522011-x64_c47d5bec40fa29c95d0564b07c03a70a3886fafd.msu"
$url1607 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522010-x64_1b49068c61469a4680733c9f1ddee5f1c17ab499.msu"
$url1507 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522009-x64_61f3697a30c71a3ee5fb0768db03e7d85ca2e769.msu"
$urlwin7 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/ie11-windows6.1-kb4522007-x64_052e2af5292fce7302e2bf5bc61361859fc5de99.msu"
$urlwin81 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows8.1-kb4522007-x64_917ea544f0fd5ede94f2088223d6f8638341a6f9.msu"
$urlwin8 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu"

#32-bit .msu files
$url190332 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522016-x86_f08d5d39d31737cf02850ea771578744267a2ea1.msu"
$url180932 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522015-x86_73f1857533aa290d3ddc70f3b3b5495e8867f4ea.msu"
$url180332 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522014-x86_204af1e341ef8bd9ce7e21365b18f9fe1ed4513a.msu"
$url170932 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522012-x86_18964229b76cdc42f1d125231963d31b5b708b4e.msu"
$url170332 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522011-x86_64b46d6c2a46bb190156185ce7cf6f17c688b84f.msu"
$url160732 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/windows10.0-kb4522010-x86_7845d82ab612fa0245f40d413cc97b4765f2db11.msu"
$url150732 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522009-x86_15edba4946f0f35b2172004d2748842042de957b.msu"
$urlwin732 = "http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/09/ie11-windows6.1-kb4522007-x86_3965a87d7f1b35a1f63b4674f207d981eeb8c178.msu"
$urlwin832 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/ie11-windows6.2-kb4522007-x86_8597fa798c2d53bac840403550de8ad1bf3ac97f.msu"
$urlwin8132 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows8.1-kb4522007-x86_af6e89eefbc44e7f0c2edb7e4653a4a2aae283e5.msu"


#installation of .msu files OS specific
if (($osversion -eq '1903') -and $osarch -eq '64-bit')
{$web.DownloadFile($url1903, "windows10.0-kb4522016-x64_c348c949121cdc6c4defacee70d6060ebb0d8442.msu")
Start-Process -FilePath $Wus -ArgumentList "windows10.0-kb4522016-x64_c348c949121cdc6c4defacee70d6060ebb0d8442.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1809') -and $osarch -eq '64-bit')
{$web.DownloadFile($url1809, "windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu")
Start-Process -FilePath $Wus -ArgumentList "windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1803') -and $osarch -eq '64-bit')
{$web.DownloadFile($url1803, "Windows10.0-kb4522014-x64_1bd1ff45b207e0711fac3cf2d19bdc25652d4239.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522014-x64_1bd1ff45b207e0711fac3cf2d19bdc25652d4239.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1709') -and $osarch -eq '64-bit')
{$web.DownloadFile($url1709, "Windows10.0-kb4522012-x64_923e05c66f40cc132b8fe5c3101b27db3c17661e.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522012-x64_923e05c66f40cc132b8fe5c3101b27db3c17661e.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1703') -and $osarch -eq '64-bit')
{$web.DownloadFile($url1703, "Windows10.0-kb4522011-x64_c47d5bec40fa29c95d0564b07c03a70a3886fafd.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522011-x64_c47d5bec40fa29c95d0564b07c03a70a3886fafd.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1607') -and $osarch -eq '64-bit')
{$web.DownloadFile($url1607, "Windows10.0-kb4522010-x64_1b49068c61469a4680733c9f1ddee5f1c17ab499.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522010-x64_1b49068c61469a4680733c9f1ddee5f1c17ab499.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1507') -and $osarch -eq '64-bit')
{$web.DownloadFile($url1507, "Windows10.0-kb4522009-x64_61f3697a30c71a3ee5fb0768db03e7d85ca2e769.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522009-x64_61f3697a30c71a3ee5fb0768db03e7d85ca2e769.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1903') -and $osarch -eq '32-bit')
{$web.DownloadFile($url190332, "Windows10.0-kb4522016-x86_f08d5d39d31737cf02850ea771578744267a2ea1.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522016-x86_f08d5d39d31737cf02850ea771578744267a2ea1.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1507') -and $osarch -eq '32-bit')
{$web.DownloadFile($url150732, "Windows10.0-kb4522009-x86_15edba4946f0f35b2172004d2748842042de957b.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522009-x86_15edba4946f0f35b2172004d2748842042de957b.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1607') -and $osarch -eq '32-bit')
{$web.DownloadFile($url160732, "Windows10.0-kb4522010-x86_7845d82ab612fa0245f40d413cc97b4765f2db11.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522010-x86_7845d82ab612fa0245f40d413cc97b4765f2db11.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1703') -and $osarch -eq '32-bit')
{$web.DownloadFile($url170332, "Windows10.0-kb4522011-x86_64b46d6c2a46bb190156185ce7cf6f17c688b84f.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522011-x86_64b46d6c2a46bb190156185ce7cf6f17c688b84f.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1709') -and $osarch -eq '32-bit')
{$web.DownloadFile($url170932, "Windows10.0-kb4522012-x86_18964229b76cdc42f1d125231963d31b5b708b4e.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522012-x86_18964229b76cdc42f1d125231963d31b5b708b4e.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1803') -and $osarch -eq '32-bit')
{$web.DownloadFile($url180332, "Windows10.0-kb4522014-x86_204af1e341ef8bd9ce7e21365b18f9fe1ed4513a.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522014-x86_204af1e341ef8bd9ce7e21365b18f9fe1ed4513a.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1809') -and $osarch -eq '32-bit')
{$web.DownloadFile($url180932, "Windows10.0-kb4522015-x86_73f1857533aa290d3ddc70f3b3b5495e8867f4ea.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows10.0-kb4522015-x86_73f1857533aa290d3ddc70f3b3b5495e8867f4ea.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($windowsminor -eq '1') -and $osarch -eq '64-bit')
{$web.DownloadFile($urlwin7, "ie11-windows6.1-kb4522007-x64_052e2af5292fce7302e2bf5bc61361859fc5de99.msu")
Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.1-kb4522007-x64_052e2af5292fce7302e2bf5bc61361859fc5de99.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($windowsminor -eq '1') -and $osarch -eq '32-bit')
{$web.DownloadFile($urlwin732, "ie11-windows6.1-kb4522007-x86_3965a87d7f1b35a1f63b4674f207d981eeb8c178.msu")
Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.1-kb4522007-x86_3965a87d7f1b35a1f63b4674f207d981eeb8c178.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($windowsminor -eq '2') -and $osarch -eq '64-bit')
{$web.DownloadFile($urlwin8, "ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu")
Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.2-kb4522007-x64_7d9dc3f450940f2f6a17dab5826a8c9be9c44eac.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($windowsminor -eq '2') -and $osarch -eq '32-bit')
{ # Windows 8 32-bit: use the x86 URL and file name (this branch previously reused the x64 package)
$web.DownloadFile($urlwin832, "ie11-windows6.2-kb4522007-x86_8597fa798c2d53bac840403550de8ad1bf3ac97f.msu")
Start-Process -FilePath $Wus -ArgumentList "ie11-windows6.2-kb4522007-x86_8597fa798c2d53bac840403550de8ad1bf3ac97f.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($windowsminor -eq '3') -and $osarch -eq '32-bit')
{$web.DownloadFile($urlwin8132, "Windows8.1-kb4522007-x86_af6e89eefbc44e7f0c2edb7e4653a4a2aae283e5.msu")
Start-Process -FilePath $Wus -ArgumentList "Windows8.1-kb4522007-x86_af6e89eefbc44e7f0c2edb7e4653a4a2aae283e5.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($windowsminor -eq '3') -and $osarch -eq '64-bit')
{ # Windows 8.1 64-bit: save and install under the file name that matches $urlwin81
$web.DownloadFile($urlwin81, "windows8.1-kb4522007-x64_917ea544f0fd5ede94f2088223d6f8638341a6f9.msu")
Start-Process -FilePath $Wus -ArgumentList "windows8.1-kb4522007-x64_917ea544f0fd5ede94f2088223d6f8638341a6f9.msu /quiet /norestart" -Wait -PassThru
}
else
{exit 1}

Save the Worklet.


You can now assign it to all of your Windows groups and execute the policy. You can also set the Worklet to run on a schedule like any other Worklet. The device will evaluate to determine if the KB is installed on the device; if so, it will do nothing. If it finds the KB is not installed, it will run remediation and install the KB.


Evaluation determines if the KB is installed, so if the policy is compliant on the device, then the device is patched and protected against the zero-day.


As always, let me know if you have any questions!


5 replies

This is very cool, thanks for sharing. It just gave me an idea for my project 🙂

Userlevel 7

Ooh, can’t wait to see your next project! Any hints as to what you’re working on?

Trying to catch up on Tenable scan findings … and some remediation requires registry key changes, firewall ports closure, force install missing KBs on the hosts . . to apply the fixes based on CVEs recommendations will be with use of worklets very easy fix across the org 🙂

Userlevel 7

This one has now been fixed by a patch, so there’s no need to run this on any Windows machines that are up to date with February’s patches.

Badge

Sorry for the necro, but this worklet was suggested by Automox Support to use with the PrintNightmare vulnerability, so I figured I’d share my tweaked version for anyone interested. Modified for Windows 10 versions 1909+ x64 only since that’s all we have currently.


Evaluation:


#Define KB Number and check for presence
#64-bit AND 32-bit KBs
$kbID5004945 = 'KB5004945'
$kbID5004946 = 'KB5004946'

#command to check if the KB exists on the device
$installed1 = Get-Hotfix -Id $kbID5004945 -ErrorAction SilentlyContinue
$installed2 = Get-Hotfix -Id $kbID5004946 -ErrorAction SilentlyContinue


if ( $installed1 -Or $installed2 ) {
#Compliant, so Exit 0 as success
exit 0
} else {
#Non-Compliant, so Exit 1 as failure
exit 1
}

Remediation:


#OS version and architecture evaluation to determine which command to run 
$osversion = (get-itemproperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId
$windowsminor = [environment]::OSVersion.Version.Minor
$osarch = (Get-WmiObject Win32_OperatingSystem).OSArchitecture

$proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
$web = New-Object Net.WebClient
$web.proxy = $proxy


#determine wusa.exe location to install properly on both 32-bit or 64-bit systems
if ((Test-Path $env:systemroot\SysWOW64\wusa.exe)){
$Wus = "$env:systemroot\SysWOW64\wusa.exe"
}
else {
$Wus = "$env:systemroot\System32\wusa.exe"
}

#64-bit .msu files
$url2009 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2021/07/windows10.0-kb5004945-x64_db8eafe34a43930a0d7c54d6464ff78dad605fb7.msu"
$url2004 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2021/07/windows10.0-kb5004945-x64_db8eafe34a43930a0d7c54d6464ff78dad605fb7.msu"
$url1909 = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2021/07/windows10.0-kb5004946-x64_ae43950737d20f3368f17f9ab9db28eccdf8cf26.msu"

#installation of .msu files OS specific
if (($osversion -eq '2009') -and $osarch -eq '64-bit')
{$web.DownloadFile($url2009, "windows10.0-kb5004945-x64_db8eafe34a43930a0d7c54d6464ff78dad605fb7.msu")
Start-Process -FilePath $Wus -ArgumentList "windows10.0-kb5004945-x64_db8eafe34a43930a0d7c54d6464ff78dad605fb7.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '2004') -and $osarch -eq '64-bit')
{$web.DownloadFile($url2004, "windows10.0-kb5004945-x64_db8eafe34a43930a0d7c54d6464ff78dad605fb7.msu")
Start-Process -FilePath $Wus -ArgumentList "windows10.0-kb5004945-x64_db8eafe34a43930a0d7c54d6464ff78dad605fb7.msu /quiet /norestart" -Wait -PassThru
}
elseif
(($osversion -eq '1909') -and $osarch -eq '64-bit')
{$web.DownloadFile($url1909, "windows10.0-kb5004946-x64_ae43950737d20f3368f17f9ab9db28eccdf8cf26.msu")
Start-Process -FilePath $Wus -ArgumentList "windows10.0-kb5004946-x64_ae43950737d20f3368f17f9ab9db28eccdf8cf26.msu /quiet /norestart" -Wait -PassThru
}
else
{exit 1}
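
Both remediation scripts in this thread download the .msu over plain http:// and pass it to wusa.exe without checking the file or the installer's exit code. The following is an added example, not code from the posts above or from Automox: it checks the package before installing, assuming the 40 hex characters before ".msu" in each URL are the package's SHA-1 digest and that the package carries a Microsoft Authenticode signature. `Get-Sha1Hex` and `Test-MsuPackage` are hypothetical helper names.

```powershell
# Added example: verify a downloaded .msu before handing it to wusa.exe.
# Assumption: the 40 hex characters before ".msu" are the package's SHA-1 digest.
function Get-Sha1Hex {
    param([string]$Path)
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha1.ComputeHash($stream)) -replace '-', '').ToLower() }
    finally { $stream.Close() }
}

function Test-MsuPackage {
    param([string]$Path, [string]$Url)
    $name = [System.IO.Path]::GetFileName(([System.Uri]$Url).AbsolutePath)
    if ($name -notmatch '_([0-9a-fA-F]{40})\.msu$') { throw "No SHA-1 suffix in $name" }
    $expected = $Matches[1].ToLower()
    $actual   = Get-Sha1Hex -Path $Path
    if ($actual -ne $expected) { throw "SHA-1 mismatch: expected $expected, got $actual" }
    # The hash only pins the bytes to the URL; the signature ties them to the publisher.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "Signature status is $($sig.Status)" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
}

# Usage with one URL taken from the original remediation script
$url = "http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/09/windows10.0-kb4522016-x64_c348c949121cdc6c4defacee70d6060ebb0d8442.msu"
$msu = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($url))   # absolute path, not the current directory
$web = New-Object Net.WebClient
$web.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$web.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials

try {
    $web.DownloadFile($url, $msu)
    Test-MsuPackage -Path $msu -Url $url
    $proc = Start-Process -FilePath "$env:systemroot\System32\wusa.exe" `
        -ArgumentList "`"$msu`" /quiet /norestart" -Wait -PassThru
    # wusa exit codes: 0 = installed, 3010 = installed (reboot required), 2359302 = already installed
    if ((0, 3010, 2359302) -contains $proc.ExitCode) { exit 0 }
    exit 1
} catch {
    Write-Output "Remediation failed: $($_.Exception.Message)"
    Remove-Item $msu -Force -ErrorAction SilentlyContinue
    exit 1
}
```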
