Audit Windows Machines Vulnerable to IE Zero-Day
Microsoft released an emergency update for a critical Internet Explorer zero-day vulnerability (CVE-2019-1367). This scripting engine memory corruption vulnerability could allow attackers to gain access to machines using the security context of the logged-in user. Therefore it is especially important to make sure that machines which often times use admin credentials are updated as soon as possible. You can find more information in our IE zero-day vulnerability blog post.
To fix the issue, Microsoft has released new updates. The audit below will give you a clear overview of the patch status of all Windows machines which have received a patch. Monitor exactly which machines have been updated.
Internet Explorer Zero-Day Vulnerability Query
Select Distinct Top 1000000 Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon, tblAssets.AssetID, tblAssets.AssetName, tblAssets.Domain, tblState.Statename As State, Case tblAssets.AssetID When SubQuery1.AssetID Then 'Up to date' Else 'Out of date' End As [Patch status], Case When tblComputersystem.Domainrole > 1 Then 'Server' Else 'Workstation' End As [Workstation/Server], tblAssets.Username, tblAssets.Userdomain, tblAssets.IPAddress, tsysIPLocations.IPLocation, tblAssetCustom.Manufacturer, tblAssetCustom.Model, tsysOS.OSname As OS, tblAssets.SP, Case When tsysOS.OScode Like '10.0.10240%' Then '1507' When tsysOS.OScode Like '10.0.10586%' Then '1511' When tsysOS.OScode Like '10.0.14393%' Then '1607' When tsysOS.OScode Like '10.0.15063%' Then '1703' When tsysOS.OScode Like '10.0.16299%' Then '1709' When tsysOS.OScode Like '10.0.17134%' Then '1803' When tsysOS.OScode Like '10.0.17763%' Then '1809' When tsysOS.OScode Like '10.0.18362%' Then '1903' End As Version, tblAssets.Lastseen, tblAssets.Lasttried, Case When tblErrors.ErrorText Is Not Null Or tblErrors.ErrorText != '' Then 'Scanning Error: ' + tsysasseterrortypes.ErrorMsg Else '' End As ScanningErrors, Case When tblAssets.AssetID = SubQuery1.AssetID Then '' Else Case When tsysOS.OSname = 'Win 2008' Then 'KB4522007' When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or tsysOS.OSname = 'Win 2008 R2' Then 'KB4522007' When tsysOS.OSname = 'Win 2012' Then 'KB4522007' When tsysOS.OSname = 'Win 8.1' Or tsysOS.OSname = 'Win 2012 R2' Then 'KB4522007' When tsysOS.OScode Like '10.0.14393' Or tsysOS.OSname = 'Win 2016' Then 'KB4522010 or KB4516061' When tsysOS.OScode Like '10.0.10240' Then 'KB4522009' When tsysOS.OScode Like '10.0.15063' Then 'KB4522011 or KB4516059' When tsysOS.OScode Like '10.0.16299' Then 'KB4522012 or KB4516071' When tsysOS.OScode Like '10.0.17134' Then 'KB4522014 or KB4516045' When tsysOS.OScode Like '10.0.17763' Or tsysOS.OSname = 'Win 2019' Then 'KB4522015 or KB4516077' When tsysOS.OScode Like '10.0.18362' Then 'KB4522016' End End As [Install one of these updates], Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned, GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned, Case When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned, GetDate())) > 3 Then 'Windows update information may not be up to date. We recommend rescanning this machine.' Else '' End As Comment, Case tblAssets.AssetID When SubQuery1.AssetID Then '#d4f4be' Else '#ffadad' End As backgroundcolor From tblAssets Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype Inner Join tblOperatingsystem On tblOperatingsystem.AssetID = tblAssets.AssetID Inner Join tblState On tblState.State = tblAssetCustom.State Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID Left Join tsysOS On tsysOS.OScode = tblAssets.OScode Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID From tblQuickFixEngineering Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID = tblQuickFixEngineering.QFEID Where tblQuickFixEngineeringUni.HotFixID In ('KB4522007', 'KB4522010', 'KB4522011', 'KB4522012', 'KB4522014', 'KB4522015', 'KB4522016', 'KB4522009','KB4516077','KB4516045','KB4516071','KB4516059','KB4516061')) As SubQuery1 On tblAssets.AssetID = SubQuery1.AssetID Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP And tblAssets.IPNumeric <= tsysIPLocations.EndIP Left Join (Select Distinct Top 1000000 TsysLastscan.AssetID As ID, TsysLastscan.Lasttime As QuickFixLastScanned From TsysWaittime Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On tblAssets.AssetID = QuickFixLastScanned.ID Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID, Max(tblErrors.Teller) As ErrorID From tblErrors Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID = ScanningError.ID Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype = tblErrors.ErrorType Where tsysOS.OSname <> 'Win 2000 S' And tsysOS.OSname Not Like '%XP%' And tsysOS.OSname Not Like '%2003%' And tsysOS.OSname Not Like '%Win 8' And (Not tsysOS.OSname Like 'Win 7%' Or Not tblAssets.SP = 0) And tsysOS.OScode Not Like '10.0.10586%' And tblAssetCustom.State = 1 And tsysAssetTypes.AssetTypename Like 'Windows%' Order By tblAssets.Domain, tblAssets.AssetName