Users have been left puzzled after Windows 10 received a pair of important security fixes for serious flaws in the Windows media codecs.
However, rather than using the usual channel of Windows Update, Microsoft pushed these updates out via the Microsoft Store, confusing a lot of users in the process.
In fact, there has been plenty of head-scratching around both fixes, which were released out-of-band (that is, outside Microsoft's regular monthly Patch Tuesday schedule).
The vulnerabilities are CVE-2020-1425 and CVE-2020-1457, as Ask Woody highlights. In Microsoft's wording, an attacker who successfully exploited them could “obtain information to further compromise the user’s system” (CVE-2020-1425) or execute arbitrary code (CVE-2020-1457).
They can be exploited via a “specially crafted image file”, and as Microsoft notes, these updates remedy the situation by correcting how the Windows Codecs Library handles objects in memory.
As Ask Woody reports, the appearance of these security fixes worried some folks who were wondering exactly why the patches were only offered to Windows 10 clients via the Microsoft Store, rather than using Windows Update as mentioned.
Microsoft’s answer is that the affected HEVC codec package is an optional component which can be downloaded from the Microsoft Store (or grabbed by an app which requires it).
In other words, it isn’t included with Windows 10 by default, hence Microsoft not using Windows Update for distribution.
Windows 10 confusion
There has been a fair bit of confusion, though, because HEIC image support (the exploitation path, as mentioned, is a specially crafted image file of this kind) does seem to be present on Windows 10 systems by default, and it is not clear whether that is a problem in itself.
Presumably not, given Microsoft’s stance, but Bleeping Computer, which also reported on the issue, asked Zero Day Initiative researcher Abdul-Aziz Hariri, who found these vulnerabilities, whether the HEIC image components could be a security hole in themselves, and Hariri said that he “was not sure if they were patched as well”.
So you can see where the bewilderment and worry come from, and this is compounded by another problem: some users may not receive the update automatically via the Microsoft Store as they should, because the organization they work for has disabled the Store (or at least automatic app updates from the Store).
Furthermore, some of those who are installing the patch from the Microsoft Store are seeing it fail with an ‘access denied’ error.
Tweet, July 4, 2020: “⚠ Houston we have a(nother) problem ⚠ CVE-2020-1425 / CVE-2020-1457 might (silently) fail with "access denied". Not all store apps though. see screen @sudhagart @WindowsUpdate @rWinSec Given the #secflaw this is critical feedback https://t.co/OYctLjLtoe pic.twitter.com/nzKqAhq5hD”
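For an administrator who needs to know whether a machine actually has the Store-delivered codec packages, what version they are at, and whether Group Policy would block the Store update, the following PowerShell script is an added example (not from the article, Ask Woody, Bleeping Computer or Microsoft). It assumes the HEVC and HEIF packages carry the Store package-name prefixes Microsoft.HEVC* and Microsoft.HEIF*, that the Store policy values RemoveWindowsStore and AutoDownload live under HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore, and that $MinimumVersion is a placeholder the reader fills in from Microsoft's advisory for each package; the article itself does not state the fixed build numbers.

```powershell
# Added example, not code from the article. Reports the Store-delivered codec
# packages relevant to CVE-2020-1425 / CVE-2020-1457, compares their version
# with a minimum supplied by the operator, and flags Store policies that would
# prevent the automatic update from arriving.
param(
    # Assumption: set this from the "fixed in" version in Microsoft's advisory.
    # The default 0.0.0.0 makes every installed package look "at minimum".
    [version]$MinimumVersion = '0.0.0.0'
)

# Assumed package-name patterns for the HEVC Video Extensions (both the
# device-manufacturer and Store-purchased editions) and the HEIF Image Extensions.
$codecPatterns = @('Microsoft.HEVC*', 'Microsoft.HEIF*')

foreach ($pattern in $codecPatterns) {
    # -AllUsers requires an elevated prompt; drop it to inspect only the current user.
    $pkgs = Get-AppxPackage -AllUsers -Name $pattern -ErrorAction SilentlyContinue
    if (-not $pkgs) {
        Write-Output "$pattern : no package installed (nothing to patch here)"
        continue
    }
    foreach ($pkg in $pkgs) {
        $ver = [version]$pkg.Version
        if ($ver -ge $MinimumVersion) {
            $state = 'at or above minimum'
        } else {
            $state = 'BELOW minimum - update from the Microsoft Store'
        }
        Write-Output ("{0} {1} ({2}) : {3}" -f $pkg.Name, $pkg.Version, $pkg.Architecture, $state)
    }
}

# Assumed policy location: the Store ADMX policies write here. RemoveWindowsStore=1
# disables the Store entirely; AutoDownload=2 turns off automatic app updates.
$storePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
if (Test-Path $storePolicy) {
    $p = Get-ItemProperty -Path $storePolicy
    if ($p.RemoveWindowsStore -eq 1) {
        Write-Warning 'Microsoft Store is disabled by policy; the codec update cannot be installed from it.'
    }
    if ($p.AutoDownload -eq 2) {
        Write-Warning 'Automatic download and install of Store app updates is turned off by policy.'
    }
} else {
    Write-Output 'No Store policy key present; Store updates are not blocked by policy on this machine.'
}
```

Run it from an elevated PowerShell prompt so that -AllUsers can see packages provisioned for other accounts; on a managed device where the first warning fires, the codec package has to be updated through another channel because the Store update will never arrive on its own.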
All in all, then, Microsoft’s resolution of this particular pair of vulnerabilities seems to have got pretty messy and unsatisfactory.