News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Another HEVC codec bug fixed via the Microsoft Store – plus a couple of updates on this month’s mayhem

    Posted on October 15th, 2020 at 22:58 woody Comment on the AskWoody Lounge

    Back in July I wrote about two weird Microsoft Store patches for a couple of security holes in the HEVC codecs, which are programs that Microsoft created to let you play Apple HEVC files. (Protip: You probably don’t have them, unless you’ve installed codecs from the Store.)

    Now comes word that we have another identified security hole in that same HEVC codecs,

    CVE-2020-17022

    This warning isn’t for everybody. Per MS,

    Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.

    So unless you’ve specifically downloaded the Microsoft codec, you don’t need to worry about it – but be aware that this one is also coming through Windows Update the Microsoft Store. There’s a lengthy discussion of versions in the KB article.

    The announcement also says that CVE-2020-17022 is a security hole in Remote Desktop Services, but it isn’t. Be calm, grasshopper.

    There’s also a bug for Visual Studio programmers, CVE-2020-17023, which involves opening a nasty package.json file. If you’re using Visual Studio, watch out.

    Finally, we have CVE-2020-16943, which was just updated (the original notice was released on Patch Tuesday). The problem? This security hole is in Microsoft Dynamics 365 Commerce. Microsoft posted about the fix on Patch Tuesday and then decided, two days later, to tell people that it doesn’t yet have a fix:

    The security update for Dynamics 365 Commerce is not immediately available. The update will be released as soon as possible, and when it becomes available, customers will be notified via a revision to this CVE information.

    Golly.