Patch Now: Two New Windows Zero-Days - With a Twist!

  • 24 September 2019
  • 8 replies
  • 82 views

If you haven’t seen the news, Windows released patches for two new zero-days, one for IE 9/10/11, and another for Windows Defender. These are severe - the IE issues are being exploited in the wild, the Defender issue can erode security. We covered the details here.


In a sad way, that’s good news.


The bad news is that Windows isn’t offering the IE patches through Windows Update. Instead, you need to push them manually…for every version, configuration, and processor. Rather than leave you guessing, we made a worklet that you can modify to patch every version one by one.


For Evaluation Code, enter the below, changing the KB number for the KB you are targeting:



#Define KB Number and check for presence. You need to enter the one specific to your OS version (Get-HotFix expects the 'KB' prefix, e.g. 'KB4522015')
############################################################################
$kbID = 'Your_KB_Number'
############################################################################
$installed = Get-HotFix -Id $kbID -ErrorAction SilentlyContinue
if ( $installed ) {
    #Compliant, so Exit 0 as success
    Exit 0
} else {
    #Non-Compliant, so Exit 1 as failure
    Exit 1
}



Then enter the following Remediation Code, switching the file path to the one you need to install:



#Enter the name of the msu file you uploaded.
$fileName = "msu file specific to your OS"
#Launch the installer file and capture exit code to determine success
$installer = Start-Process -FilePath $fileName -ArgumentList "/quiet /passive /norestart" -Wait -PassThru
#Evaluate Exit Code for Success: 0, 1641, 3010 are all considered successful (1641 and 3010 mean the update installed but a reboot is still required)
if ( $installer.ExitCode -in @(0, 1641, 3010) ) {
    Exit 0
} else {
    Exit 1
}



You will need to upload each update file as well. Some are large, and may take a while to upload. After that, save the policy, link it to any and all groups, and patch now.


Here’s the catch - you need the right KB and file version for each unique Windows version, and there are dozens. For now, this is the best way to apply the patch at scale. We have members of the team at Automox working to create a single worklet for every version, but if you have a worklet ready, please share!
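As an added example (not the worklet from the post above, and not Automox's own code), here is one script that serves every Windows version from a single worklet: it keys a lookup table on the running build number and architecture, then either evaluates (-Mode Evaluate) or remediates (-Mode Remediate) using the same hotfix check and exit-code rules as the post. Only the .msu file name comes from this thread; the build key is a placeholder to fill from the MSRC advisory, and the assumption that the uploaded file sits in the worklet's working directory is marked in the code.

```powershell
# Added example: one worklet for all OS versions, driven by a build/arch catalog.
param([ValidateSet('Evaluate', 'Remediate')][string]$Mode = 'Evaluate')

# Catalog keyed by "<BuildNumber>-<OSArchitecture>". The file name is the one quoted in
# the thread; the build key is a PLACEHOLDER that must be filled from the MSRC advisory.
$Catalog = @{
    'BUILD_FROM_ADVISORY-64-bit' = @{
        KB   = 'KB4522015'   # Get-HotFix -Id expects the 'KB' prefix
        File = 'windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu'
    }
}

function Get-TargetUpdate {
    # Identify the running OS so the same worklet can be linked to every group.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $key = '{0}-{1}' -f $os.BuildNumber, $os.OSArchitecture
    if (-not $Catalog.ContainsKey($key)) {
        Write-Output "No catalog entry for $key ($($os.Caption)); treating as non-compliant."
        return $null
    }
    return $Catalog[$key]
}

function Test-UpdateInstalled([string]$KB) {
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

function Install-Update([string]$File) {
    # Assumption: Automox places the uploaded .msu in the worklet's working directory.
    $path = Join-Path -Path (Get-Location) -ChildPath $File
    if (-not (Test-Path -LiteralPath $path)) { Write-Output "Missing $path"; return 1 }
    # Call wusa.exe explicitly instead of relying on the .msu file association.
    $argList = '"{0}" /quiet /norestart' -f $path
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" -ArgumentList $argList -Wait -PassThru
    # 0 = installed; 1641/3010 = installed, reboot pending; 2359302 = WU_S_ALREADY_INSTALLED (0x240006)
    if ($proc.ExitCode -in @(0, 1641, 3010, 2359302)) { return 0 }
    Write-Output "wusa.exe returned exit code $($proc.ExitCode)"
    return 1
}

$target = Get-TargetUpdate
if ($null -eq $target) { Exit 1 }
if ($Mode -eq 'Evaluate') {
    # Worklet convention from the post: Exit 0 = compliant, Exit 1 = non-compliant.
    if (Test-UpdateInstalled -KB $target.KB) { Exit 0 } else { Exit 1 }
}
Exit (Install-Update -File $target.File)
```

Every .msu listed in the catalog still has to be uploaded to the worklet, so the upload-size concern raised in the thread does not go away; the table only removes the per-version copy-and-paste.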



To find the .msu file and KB relevant to your OS visit the following URL:


https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367


Once you have the .msu file needed for your OS, upload it to the Worklet. Be sure to change the 2 values unique to your Worklet.


Evaluation:

$kbID = 'Your_KB_Number’


Remediation:

$fileName = "msu file name specific to your OS"


ex: windows10.0-kb4522015-x64_f6f70d26b160c2f784c757b712c3762ea735c5f2.msu

Are there plans for you guys to automate this a bit further? With the amount of endpoints I have, and their mixed Windows versions, I’m looking at creating ~25 Worklets to combat this, which leaves a lot of room for human error with all the copying and pasting.

Hey @ScottCooke - we do! We’re working on a Worklet (ha) to detect the version needed automatically, download it, and apply it. Windows didn’t help at all here, and the patches are not provided through Windows Update. Once that’s tested and ready, we’ll do another big push to our customers to provide it. Definitely understand that the short-term solution leaves a lot to be desired.


We’re taking a look now at how complex this will be, and expect it will be ready either late this week or into next week.

Fantastic - thank you Gavin. Another concern (and this is more so a Microsoft problem than a platform problem) is that since the patch is part of a cumulative update, we’re looking at some .MSU files that are 1.3 GB, which not only need to be uploaded to Automox but downloaded by multiple clients worldwide.

Yeah, that’s another bad limitation here. My thinking is that Microsoft forgot some dependencies here and it’s led to this messy, major update.

@gavin For some reason I am getting an Exit status 1 error in the Automox activity log and “runScript: Error in Wait exit status 1” in the amagent log. I had checked to make sure I have the right KB number entered and also the right filename. It seems to be failing at the evaluation step, and I wasn’t sure if there was something else required. When manually installing the .msu patch and then running the Worklet, it runs fine and exits as a success that it is installed. So its detection of it not being installed appears to be the problem. Any thoughts, or should I reach out to support?

@uber_nerd welcome to the community! Tagging @awhitman to take a look at this.


We’ve got a new version with full automation now:

