Windows out-of-band update: Microsoft's mandatory security patch is for all versions

Microsoft finally releases IE 0-day patch via Windows Update, also solving printing issues caused by original fix.
Written by Liam Tung, Contributing Writer

Microsoft has issued an out-of-band required update for all versions of Windows, rounding out the patch it released on September 23 to address an already-exploited flaw in Internet Explorer. 

Initially, Microsoft only released the out-of-band patch for CVE-2019-1367 on the Microsoft Update Catalog, which users needed to manually download. 

SEE: 20 pro tips to make Windows 10 work the way you want (free PDF)

But Microsoft has now released it through Windows Update and Windows Server Update Services (WSUS) to distribute it more widely to end users. 

"This is a required security update that expands the out-of-band update dated September 23, 2019," Microsoft warns users

The decision not to release the patch through Windows Update and WSUS caused some confusion. Why create a patch and then not distribute automatically to all Windows users until now? 

The IE scripting engine flaw was found by Clement Lecigne of Google's Threat Analysis Group, and Microsoft raced out the patch within days. 

It's likely that the vulnerability was being used to target a narrow section of Windows users. It's also not clear how much time Microsoft was able to spend regression testing its patch before releasing it.    

Lecigne also discovered a publicly-unknown bug in Chrome and one affecting Windows 7 in February. The flaws were being used in tandem to attack targeted users. 

Google released a patch for Chrome and disclosed the existence of the Windows 7 flaw before Microsoft was able to release its patch. 

At this stage, Lecigne has not published any details about the IE flaw. 

The new Windows out-of-band update also addresses a bug that caused print jobs to fail. 

"Addresses an intermittent issue with the print spooler service that may cause print jobs to fail. Some apps may close or generate errors, such as the remote procedure call (RPC) error," explains Microsoft. 

And it appears that the printing issue was caused by the patch for the IE flaw. 

"To address a known printing issue customers might experience after installing the Security Updates or IE Cumulative updates that were released on September 23, 2019 for CVE-2019-1367, Microsoft is releasing new Security Updates, IE Cumulative Updates, and Monthly Rollup updates for all applicable installations of Internet Explorer 9, 10, or 11 on Microsoft Windows," Microsoft explained in its original advisory.  

SEE: Office 365 major new features: Here's what you get with new Surfaces, says Microsoft

Another fix the new update addresses is an error that occurred when users install Features on Demand, such as .Net 3.5. 

Microsoft also stressed that the current required update doesn't replace the upcoming October Patch Tuesday on October 8. 

The new required security update is available for all supported versions of Windows 10, Windows 8.1, and Windows 7. Microsoft is recommending that users install this update as soon as a possible and restart their PC to fully apply the mitigations.

More on Microsoft and Windows 10 updates 

Editorial standards