Still Relying on WSUS? Here’s Why You Can’t

Microsoft’s Patch Disaster

Last week, Microsoft ordered users to immediately download an “emergency” out-of-band security patch meant to close up a security flaw in some versions of Internet Explorer that can be exploited by hackers.

Specifically, the IE zero-day vulnerability (CVE-2019-1367) is a remote code execution flaw that could easily enable an attacker to remotely run malicious code on an affected device and take it over. This vulnerability is so serious that Homeland Security also issued an advisory telling users to download the patch immediately.

But not so fast.

ComputerWorld’s Woody Leonhard reports that, “in what may be the worst rollout in modern Windows patching history, Microsoft rolled all over itself in its handling of IE security hole CVE-2019-1367.” You can read about the full timeline here, but this is what Leonhard concluded:

“September’s surprise zero-day patch for Internet Explorer hole CVE-2019-1367—released, but not released, then pushed sporadically, but only in preview, and never explained.”

In other words, the patch for this serious vulnerability wasn’t available through Windows Update or the Update Server; it was only available as a manual download from the Catalog.

Nevertheless, all Windows users are strongly advised to patch as soon as possible. And remember, if your organization is relying on WSUS to deploy patches, you are still at risk for CVE-2019-1367.

Syxsense can scan all your machines, deploy the patch, and report back the all clear. We take patching seriously, and you can start a trial of our Syxsense here.