Just when you’re ready to settle in for some egg and nog and whatever may accompany, Windows starts throwing poison frog darts. This month, a fairly boring patching regimen has turned topsy-turvy with an unexplained emergency patch for Internet Explorer (you know, the browser nobody uses), combined with an Outlook 2013 patch that doesn’t pass the smell test.
Mysterious bug fix for IE
Microsoft set off the shower of firecrackers on Dec. 19 when it released a bevy of patches for Internet Explorer:
- Win10 1809 – KB 4483235 – build 17763.195
- Win10 1803 – KB 4483234 – build 17134.472
- Win10 1709 – KB 4483232 – build 16299.847
- IE 11 on Win7 and 8.1 – KB 4483187
As Gregg Keizer explains in his Computerworld analysis:
Microsoft issued a rare emergency security update to plug a critical vulnerability in the still-supported IE9, IE10 and IE11. The flaw was reported to Microsoft by Google security engineer Clement Lecigne. According to Microsoft, attackers are already exploiting the vulnerability, making it a classic “zero-day” bug.
That’s what Microsoft claimed; from the description it sounds like a drive-by hole, where you can get infected by merely looking at a bad website. But in spite of dire warnings from many corners, there’s exactly no information about the vulnerability making the rounds. In a situation like this, one would expect some sort of detailed explanation from Microsoft, Google or Lecigne. As of early Friday morning, we’ve seen nothing.
Perhaps all the explainers are already beset with visions of sugarplums, but it’s mighty odd for an emergency patch to hit the offal fan with nary a hint of what’s wrong, or why it needs to be fixed with such abandon. This isn’t a garden variety “C” or “D” week non-security patch. It’s a full 10-claxon call to arms at a time when most people are taking an early vacation. Or at least a languid liquid lunch.
To add to the urgency, Microsoft Thursday night issued a similar tiny IE patch for the latest beta test round of the next version of Win10 – KB 4483187 brings the “19H1” beta build up to 18305.1003. So something’s afoot, but we don’t know what.
As most of you know, patching IE isn’t just for people who actually use IE. Microsoft has woven IE into the fabric of Windows – and it’s still there despite a decade-or-so of extraction effort. An IE patch is an important event because a hole in IE can manifest itself in many ways. But in this case, with no clear explanation, we don’t know what ways, or whether you’re only at risk if you actually use IE.
It gets worse.
I’m seeing reports that the Win7 patch, KB 4483187, triggers random crashes. Removing the update restores the machines. But with the holidays about to go into full swing, it’s hard to say if that’s an isolated incident or a lump of cantankerous coal.
Outlook 2013 patch Three Card Monty
Also on Thursday, Microsoft released yet another mysterious patch, KB 4011029, the “December 20, 2018, update for Outlook 2013.” According to the KB article, it fixes a bug where Mail delivery rules stop working. When you try to open the “Manage Rules & Alerts” dialog box in Outlook 2013, you receive the following error message:
The operation failed because of a registry or installation problem. Restart Outlook and try again. If the problem persists, reinstall.
Nice little holiday bug for anyone using rules in Outlook 2013. But, again, there’s more to the story.
Three days ago, Microsoft acknowledged a bug in Outlook that’s identical to the one described in the KB 4011029 article, but it affects three different “perpetual” (which is to say, bought and installed) versions of Outlook – Outlook 2010, 2013 and 2016 – plus bugs in four different subscription (which is to say, rented versions) releases of Office 365:
- Version 1810 build 11001.20108
- Version 1808 build 10730.20205
- Version 1803 build 9126.2315
- Version 1708 build 8431.2329
Apparently, the bug was introduced in the November security patches, but hadn’t been acknowledged until three days ago.
I’ve found no explanation for why Outlook 2013 has been patched, but the other six versions have not. It’s possible that there are five more patches waiting in the wings. It’s possible that this one patch is actually intended for other versions of Office. All we know for sure is that somebody’s left us hanging out to dry – no explanation, no release plan.
Sounds like a pretty common state of affairs, eh?
The 1809-pound elephant in the room
All of this is happening against a backdrop of Microsoft’s newly restored zeal in pushing Win10 version 1809 on all Win10 users. Reports on 1809 have been good, in general – although the new feature set won’t wow anyone but the most diehard Windows (and Notepad) fans – but Microsoft itself hasn’t yet declared version 1809 as fit for businesses.
Those who click “Check for updates” are most likely to get the new version, but it’ll get pushed on non-seekers soon enough.
The bottom line
I’ve seen exactly zero reports of machines being taken over by the Internet Explorer bug, zero detailed descriptions of the problem (or its solution), zero bona fide cause for alarm, but the “Sky is Falling – Patch Right Now!” cry continues to ring throughout the blogosphere. That could mean one of two things:
- The problem is so bad that people in the know don’t want to let the cat out of the bag, or,
- It’s a typical zero-day that’ll have to be patched eventually unless you’re the target of well-heeled nation state scoundrels and the people who do the explaining are taking the weekend off.
I’m convinced the latter is far more likely. But your level of paranoia may well differ. Hey, you may actually enjoy putting your PC through the wringer while the world’s taking a well-deserved break.
We’ll keep a watchful eye through the holidays on the AskWoody Lounge.