• Win10 codec security hole

    #2276706

    This one’s more interesting than the typical Windows zero-day. MS just published a Security Update for CVE-2020-1425 | Microsoft Windows Codecs Librar
    [See the full post at: Win10 codec security hole]

    3 users thanked author for this post.
    • #2276710

      Does this bug affect versions of Windows earlier than 10?

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      • #2276712

        Follow the link on the main blog page for the CVE – it shows the versions affected.

        2 users thanked author for this post.
    • #2276715
      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
      1 user thanked author for this post.
      • #2276745

        Yep. That appears to be the Windows Store patches mentioned in the MS post.

        1 user thanked author for this post.
      • #2276749

        Geekdom, good point regarding the out-of-band patches. I was working on a customer’s old Windows 7 Pro 32 bit box to add a FF add-on as Admin and it restarted slowly and showed 2 critical updates. The 2 updates were noted in the restore point logs. In his box’s update history for Windows 7 there was only 1 update, for KB2310138, which I assume is a Defender or Security Essentials virus definition update. I see his updates are turned off for this old Windows 7 machine and there is no extended contract.

        Remove if this is a dup.

    • #2276726

      I just got a HEVC Video Extension update pushed via the Microsoft Store, so I figure that’s probably the security patch/update

      1 user thanked author for this post.
    • #2276734

      Oh for crying out loud. Now we need to unblock the Store in order to get core OS security updates? FFS, Microsoft. This is why we have WSUS, so we don’t need to phone home to Microsoft (or get a flood of pushed software and bad drivers from the store).

      Just the other day I built a new install on a PC, and accidentally left the Store un-blocked for a few minutes. Before I had a chance to even install the vendor drivers, the stupid OS had sucked down all the Store-issued hardware drivers.

      No matter where you go, there you are.

      3 users thanked author for this post.
      • #2276768

        Not sure if it has been discussed here already but a lot of people are annoyed that you now can only get the NVIDIA Control Panel for Windows 10 from the Microsoft Store as well these days. It isn’t included with the drivers.

        Huh? Why? My guess is that MS need to do something to get people “interested” in their store. Seems like there’s mainly been tumbleweeds blowing around in there since it opened.

        I don’t need the NVIDIA Control Panel – I just want the drivers but I notice a “helpful” message pops up in the bottom right hand corner of the screen every time I install or update the NVIDIA graphics drivers in Windows 10 telling me I can get the Control Panel from the store… “Click Here to get it”. I just ignore it and it goes away.

        Oh, the NVIDIA Control Panel is still included in the latest drivers for Windows 7, I notice. Funny about that.

        1 user thanked author for this post.
        • #2276770

          They’re trying to push that, but under “NVIDIA>Download Drivers>Advanced Driver Search” select driver type standard and you will have control panel included. DCH are the win store ones.

          GeForce Game Ready Driver WHQL 451.48 24.6.2020

          1 user thanked author for this post.
          • #2276867

            Thought it may be helpful to add that you have to click on “Beta and Older Drivers” to get that Advanced Driver Search page…

            Took me some time to figure that one out, since never in my mind would I click on something called “Beta and Older Drivers” when I want to get hold of a stable, up-to-date released driver.

            Seems like many companies are very eager to be number one on my s***list these days.

            Anyhow you made me look for it so a thanks is in order, highly appreciated.

          • #2277057

            They’re trying to push that, but under “NVIDIA>Download Drivers>Advanced Driver Search” select driver type standard and you will have control panel included. DCH are the win store ones.

            Is that the same as the studio drivers?
            I believe I ended up with the control panel w/o an MS account on my newish install. It’s a [pain] to be forced to use the ‘store’ as I did on a previous install.

            🍻

            Just because you don't know where you are going doesn't mean any road will get you there.
            • #2277110

              DCH Game drivers are not the same as Studio drivers.
              I download directly from Nvidia and get the control panel.

              1 user thanked author for this post.
            • #2277218

              @Alex5723

              You linked to the DCH driver; this needs to download the control panel via MS Store on Windows 10. If you think you got it without downloading it via the Store I can only assume it did that automatically and your settings were set to do so. Either way, if you do a fresh install, the DCH version on an offline machine will not give you the control panel.

              You get the non-DCH version here, and choose “Standard” version. https://www.nvidia.com/Download/Find.aspx?lang=en-us

              (You have to click on “Beta and Older Drivers” on default site to get that Advanced Driver Search page)

              1 user thanked author for this post.
        • #2277036

          I’ve got an ASUS Laptop and the Control Software coming from the MS store and what a headache that’s been that’s never got some features working properly. And some UWP app that is the UI/front end device functionality is made functional via some needed service that has to be installed first before the UWP based front end/UI! And that’s not working out so well with that all bundled together and no proper way to assure that the UWP part gets installed after the service part that needs to be installed first before that UWP front end/UI will work properly.

          So a new form of dependency H E Double Toothpicks ensues!

      • #2277125

        Same thing for us. We’ve blocked the store, we get the nvidia control panel thing too.

        So.. we have to unblock the store I guess to patch this. However, most of the stuff from the store is on a per user basis, what about this fix? I’ve not seen any mention.

    • #2276779

      What has Windows 10 codec bug to do with Microsoft Store ? I have blocked Microsoft Store and uninstalled all apps too, so no update for me ?

      1 user thanked author for this post.
      CAS
      • #2276808

        The update is via the store (it’s in the article).

        cheers, Paul

        1 user thanked author for this post.
        • #2276827

          Yep, it’s a weird one.

          I don’t think I’ve ever seen a Windows security update distributed via the Store.

          2 users thanked author for this post.
      • #2276858

        Building on what Brocktoon stated, that the update was for the HEVC video extension (I can’t confirm).  Without much digging you find the video extension does not install by default but must be installed via the store.  So, for those of us with the store blocked, we don’t need it because we never installed that app from the store, right?  I’ll run this by my TAM, will also be interesting what Qualys comes up with as a detection method.  Will report if I find anything.

        1 user thanked author for this post.
      • #2276911

        You don’t need it if you already uninstalled all apps

        those who have “some” apps but not the Store, or blocked the Store, can download the updated appx from this site (the download links will be from Microsoft)
        https://store.rg-adguard.net/

        in the left box change URL to PackageFamilyName, and paste the needed appx PFN
        those are the codec-related ones
        Microsoft.HEIFImageExtension_8wekyb3d8bbwe
        Microsoft.VP9VideoExtensions_8wekyb3d8bbwe
        Microsoft.WebpImageExtension_8wekyb3d8bbwe

        press the check mark button on the right
        then download the proper appx file (for x64 system you need both x64 and x86 appx files)
        e.g.
        Microsoft.HEIFImageExtension_1.0.31572.0_x64__8wekyb3d8bbwe.appx
        Microsoft.HEIFImageExtension_1.0.31572.0_x86__8wekyb3d8bbwe.appx

        you may need to rename the downloaded files

        finally, you can install the updated pacs with double-click (if you still have App Installer)
        or via PowerShell as administrator

        Add-AppxPackage -Path Microsoft.HEIFImageExtension_1.0.31572.0_x64__8wekyb3d8bbwe.appx

        4 users thanked author for this post.
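
An added example, not part of the original post: an inventory of the codec extension packages named above across all user profiles, plus a signature check on a downloaded .appx before it is sideloaded. The function names, the `$MinimumVersion` table (left empty as a placeholder, since the thread does not state the fixed versions) and the "signed by Microsoft Corporation" test are assumptions made for this sketch.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Package family names are the three listed in the post above; add others as needed.
$CodecFamilies = @(
    'Microsoft.HEIFImageExtension_8wekyb3d8bbwe',
    'Microsoft.VP9VideoExtensions_8wekyb3d8bbwe',
    'Microsoft.WebpImageExtension_8wekyb3d8bbwe'
)

# PLACEHOLDER: map each family name to the fixed version given in the Microsoft
# advisory, e.g. $MinimumVersion['<family>'] = [version]'<fixed version>'.
$MinimumVersion = @{}

function Get-CodecPackageStatus {
    # -AllUsers is used because Store packages are registered per user profile.
    Get-AppxPackage -AllUsers |
        Where-Object { $CodecFamilies -contains $_.PackageFamilyName } |
        ForEach-Object {
            $installed = [version]$_.Version
            $required  = $MinimumVersion[$_.PackageFamilyName]
            $state = if ($null -eq $required) { 'minimum version not set' }
                     elseif ($installed -ge $required) { 'ok' }
                     else { 'OUTDATED' }
            [pscustomobject]@{
                Family       = $_.PackageFamilyName
                Version      = $installed
                Architecture = $_.Architecture
                Users        = ($_.PackageUserInformation | ForEach-Object { "$_" }) -join '; '
                State        = $state
            }
        }
}

function Test-AppxSignedByMicrosoft {
    param([Parameter(Mandatory)][string]$Path)
    # Status 'Valid' means the signature verifies and chains to a trusted root.
    # The subject match is an assumed, minimal publisher check for this sketch.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    ($sig.Status -eq 'Valid') -and
        ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

# Report what is installed and for which users.
Get-CodecPackageStatus | Format-Table -AutoSize -Wrap

# Vet the downloaded file (name taken from the post) before installing it.
$file = '.\Microsoft.HEIFImageExtension_1.0.31572.0_x64__8wekyb3d8bbwe.appx'
if (Test-Path $file) {
    if (Test-AppxSignedByMicrosoft -Path $file) {
        Add-AppxPackage -Path $file   # registers the package for the current user only
    } else {
        Write-Warning "Signature check failed for $file; not installing."
    }
}
```

Empty output from `Get-CodecPackageStatus` means none of the listed packages is registered for any user on that machine.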
        • #2276982

          When I put the product code in I get multiple versions listed.  I can’t find info on which exact version I should have to be patched.
          Your post says use 1.0.31572.0 but I also get 1.0.31572.70, which I assume I should grab instead, no?  Same idea happens for the VP9 codec.

          I also was only able to install the 64bit version.
          Thoughts?  Seems odd but I have never done this before.

          • #2277030

            The .70 version is for eappx (encrypted appx), not for our usage

            yes I stand corrected, only x64 appx is needed for x64 system (I just checked my 1809 Pro x64)

      • #2277034

        What has Windows 10 codec bug to do with Microsoft Store ? I have blocked Microsoft Store and uninstalled all apps too, so no update for me ?

        See my Post https://www.askwoody.com/forums/topic/win10-codec-security-hole/#post-2277031 . It’s about patents, royalties and keeping the OS core free of third-party properties.

        -- rc primak

        • This reply was modified 4 years, 8 months ago by rc primak.
      • #2277184

        Alex, based on your response, I blocked MS store. I was unaware that I could do that before reading what you wrote. Hence the “thank you”.

        Using Revo (free) I uninstalled every single remaining MS app that was created when I installed Win 10 as well as any connected entries found by the Revo scan after the uninstall.

        Just to be certain that everything was okay, I checked the system image health using DISM and found it healthy and intact. I then ran an sfc scan and found no integrity issues. I rebooted my computer and found everything running just fine. The event viewer showed no issues, yesterday or today.

        Admittedly, I’m no computer geek, but I think that I’ve done all I can to protect myself against this latest MS codec fiasco. If anyone still thinks I’m still at risk please let me know. I have backed up system images from last month, before and after the installation  of the June updates for 1903 just in case I jumped the gun.

        CAS


    • #2276845

      I hope the new means of requiring updates through the Microsoft Store doesn’t become standard practice.

      • The update installs invisible and silently.
      • The update is not through Windows update which would be the usual place to find updates. This update requires new procedures.
      • Not everyone uses Microsoft Store, nor allows it to run. There’s quite a spread between installing Candy Crush and a Windows update.
      • Toy and computer operations are now mixed.
      5 users thanked author for this post.
    • #2276938

      I know I may not be the brightest lightbulb in the house, but I find this mess a bit confusing.

      1) Are the vulnerable codecs installed by default in Win 10 or do they exist because of something installed by the user (e.g. H.265)?
      2) Are these codecs installed/used by 3rd party applications?
      3) For those who use local account only (machine not linked to MS account), will they receive the update?
      4) Why is the update not pushed through Win Update?
      5) Will the fixes be available in the MS Catalog?

      Anyway, for anyone interested, while logged into my local account on Win 10 1909, I did the following:

      1) Clicked the MS Store icon in the task bar.
      2) Click the hamburger in the upper right.
      3) Selected “Downloads and updates”.

      The “HEVC Video Extension” update then downloaded and installed. I’m assuming this is the fix.

      • #2276989

        1) Yes, in client editions since v1809, except N editions and LTSC

        2) They are meant to be used by UWP apps only

        3) Yes

        4) UWP apps updates are never pushed via WU/Catalog, Microsoft Store is designed for that

        5) Probably not

        2 users thanked author for this post.
    • #2276939

      I don’t know whether or not I should be concerned about this issue. I do not ever buy any apps from the MS store.  I sign in locally on Win 10 Pro (1909. 18363. 900) and did not establish an MS account when I first installed Win 10. However, after I did the initial install, I disabled Cortana and all permissions for the few apps that I kept and deleted all the rest, including MS Edge. The only MS Apps that remain are:

      1. HEIF Image Extensions. I use IrfanView64 for my photos and VLC player for everything else. I checked and there is a Codec package for this app.
      2. Get Help. I do not use this at all, ever. That’s what this site is for.
      3. MS Photos. I do not use this at all, either.
      4. Tips. As with Help, I do not use this at all. Once again, I come here for tips.
      5. Voice Recorder. Although I do not use this app, I thought that I might use it some day. Today, I did a search and found several free alternatives.

      Revo Uninstaller allows for the complete removal of each of these apps, although I haven’t done it, yet. I kept these apps because I didn’t know what they were or if I would ever need them. I did, however, disable them as well as all permissions that pertain to them.  Now, with this issue, I think it’s best that I remove them. Do you agree? (MS settings will not allow me to either terminate or uninstall them?) Should I be concerned about this codec issue once these apps are removed?

      CAS

      • This reply was modified 4 years, 8 months ago by CAS.
      • #2277032

        If you need to open files with those codecs or extensions, you’d better keep the apps. And if you need the apps, you’d better be able to update them. I do not recommend removing the Microsoft Store App for this among other reasons.

        -- rc primak

    • #2276969

      Well, it seems I’m not the only one that’s confused. Martin over at ghacks has just expressed similar concerns:

      Critical Windows Codecs security issue

      Scroll to the bottom of the article and see the section “Lack of information is a problem”.

    • #2277031

      OK, so here’s my take on why the patch comes via the Store Apps.

      Many codecs have patents associated with them. These in turn cost royalties if the OS vendor uses them in North American editions. (In the EU no one charges for codecs, which is why VLC Player includes them in its core program and extensions/plugins.)

      Microsoft decided awhile ago not to support codecs for which they would have to pay royalties. This is why Windows 10 does not natively play DVDs. That feature was moved out to the Microsoft Store. It’s also why the codecs and extensions to use the file formats which require the codecs got moved out to the Microsoft Store. So things which got moved out to the MS Store have to be patched via Store App updates. Just as if you had third-party drivers installed, and they would have to be patched through the vendors. (I never accept third-party driver updates offered through MS Updates.)

      Driver-related apps, like control panels, have also been moved out to the MS Store, for some of the same reasons. Personally, I don’t mind updating my Realtek and Intel Control Panels this way. They work just as well, whether they are well-buried alternative features inside of Windows 10, or whether they can be fired up from Start Menu Tiles or Taskbar Shortcuts.

      I also have the Intel Drivers and Support Assistant and an Epson Printer drivers and firmware updater, both of which operate as separate apps. Same for my Screenbeam WiDi dongle’s updater and settings app. Some are MS Store Apps, some are Win32 Apps. But each one is no longer part of the Windows OS core.

      The idea seems to be to move third-party properties outside of the core OS, and only include Microsoft-owned and developed features inside the core OS. It actually makes sense, and is a practice being pursued by Google, Apple, Canonical (Ubuntu Linux) and Red Hat/Fedora Linux. Web browsers seem also to be moving more and more optional features out into extensions.

      These changes make updating a hassle, but they keep the core OS less messy to maintain for the core OS developers and maintainers.

      -- rc primak

      2 users thanked author for this post.
    • #2277266

      I can only assume it did that automatically and your settings were set to do so.

      Microsoft Store is blocked so no background downloads…
      I don’t perform clean install, just update the current version, currently use Studio drivers.

      nvcp

      • This reply was modified 4 years, 8 months ago by Alex5723.
    • #2277324

      Dear lord…never heard of patches via Windows Store until today…we block that garbage site.  Thanks Microsoft, I really appreciate your continued actions that create work for me while making our organization less secure.
