• Those two weird Microsoft Store fixes for Windows security flaws keep getting stranger

    Posted on July 4, 2020 at 07:50 CDT by Comment in the Forums

    In my monthly patch roundup, I kvetched about the bizarre (unprecedented?) security patches MS decided to distribute through the Microsoft Store. The approach to distributing the cures for CVE-2020-1425 and CVE-2020-1457 make no sense.

    The Store may be the worst possible place to hide security patches except, maybe, individual emails. And the documentation for these guys rates among the worst in Microsoft’s history. Believe me, that’s saying something.

    When the patches were first released on Tuesday, there was no – zero – description of the reason for the patches. Then, on Wednesday, somebody decided to enlighten us a bit and posted this:

    Is Windows vulnerable in the default configuration?

    No. Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.

    How do I get the updated Windows Media Codec?

    Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update.

    Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.

    Why are these security updates offered to affected clients via the Microsoft Store and not Windows Update?

    These updates are for optional apps/components that are offered to customers as a download via the Microsoft Store. Updates for optional store apps/components are provided via the Microsoft Store.

    The distribution method is riddled with all sorts of obvious holes – I mean, anybody with any sort of updating experience should’ve been able to compile a list of a half dozen ways that this could go wrong.

    Then came the outright errors.

    First, @abbodi86 pointed out that the first point isn’t complete (I’m giving MS the benefit of the doubt here):

    The optional HEVC codec exists by default in Windows Client editions since version 1809, except N and LTSC editions.

    Now, Karl Webster-Ebbinghaus has tweeted that the second and fourth points aren’t exactly right either:

    CVE-2020-1425 / CVE-2020-1457 might (silently) fail with “access denied”

    Günter Born  on Borncity talks about the conundrum.

    Yet another unholy mess.

    Windows Patches/Security , ,
DON'T MISS OUT!
Subscribe to the Free Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

View the Forum

  • Recent Replies
  • My Replies
  • My Active Topics
  • New Posts in the Last day
  • Private Messages
  • Knowledge Base
  • How to use the Forums
  • All Forums

    • Recent Topics

    My Profile

    March 2025
    S M T W T F S
     1
    2345678
    9101112131415
    16171819202122
    23242526272829
    3031  

    Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.

    Mastodon profile for DefConPatch
    Mastodon profile for AskWoody

     

    Home About FAQ Posts & Privacy Forums My Account
    Register Free Newsletter Plus Membership Gift Certificates MS-DEFCON Alerts

    Copyright ©2004-2025 by AskWoody Tech LLC. All Rights Reserved.