• Those two weird Microsoft Store fixes for Windows security flaws keep getting stranger

    In my monthly patch roundup, I kvetched about the bizarre (unprecedented?) security patches MS decided to distribute through the Microsoft Store. The approach to distributing the cures for CVE-2020-1425 and CVE-2020-1457 makes no sense.

    The Store may be the worst possible place to hide security patches except, maybe, individual emails. And the documentation for these guys rates among the worst in Microsoft’s history. Believe me, that’s saying something.

    When the patches were first released on Tuesday, there was no – zero – description of the reason for the patches. Then, on Wednesday, somebody decided to enlighten us a bit and posted this:

    Is Windows vulnerable in the default configuration?

    No. Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.

    How do I get the updated Windows Media Codec?

    Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update.

    Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.

    Why are these security updates offered to affected clients via the Microsoft Store and not Windows Update?

    These updates are for optional apps/components that are offered to customers as a download via the Microsoft Store. Updates for optional store apps/components are provided via the Microsoft Store.

    The distribution method is riddled with all sorts of obvious holes – I mean, anybody with any sort of updating experience should’ve been able to compile a list of a half dozen ways that this could go wrong.

    Then came the outright errors.

    First, @abbodi86 pointed out that the first point isn’t complete (I’m giving MS the benefit of the doubt here):

    The optional HEVC codec exists by default in Windows Client editions since version 1809, except N and LTSC editions.

    Now, Karl Webster-Ebbinghaus has tweeted that the second and fourth points aren’t exactly right either:

    CVE-2020-1425 / CVE-2020-1457 might (silently) fail with “access denied”
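    If you would rather not trust the Store UI to tell you whether you are affected or whether the fix has arrived, the following PowerShell script is an added example (it is not from this post, from Microsoft, or from either tweet) that inventories the optional HEVC codec packages the two CVEs concern and flags the Store policies that would stop a silent Store update from happening. Assumptions, labelled: the two package identities below are the Store "HEVC Video Extensions" and "HEVC Video Extensions from Device Manufacturer" packages; the patched version is deliberately not hard-coded because the post does not state it, so take it from the MSRC advisory for CVE-2020-1425 / CVE-2020-1457 and pass it in with -FixedVersion. Run it in an elevated PowerShell on Windows 10.

```powershell
# Added example, not code from the post or from Microsoft.
# Inventories HEVC codec Store packages and checks Store update policy.
# Assumed package identities (labelled assumption): the paid Store codec and
# the OEM "from Device Manufacturer" codec. Fixed version is NOT hard-coded;
# supply it from the MSRC advisory via -FixedVersion.
[CmdletBinding()]
param(
    [version]$FixedVersion   # e.g. the version listed in the MSRC advisory; optional
)

$hevcNames = @('Microsoft.HEVCVideoExtension', 'Microsoft.HEVCVideoExtensions')

# 1. Packages installed in any user profile (-AllUsers needs elevation).
#    On 1809+ non-N, non-LTSC clients one of these is normally present even
#    if nobody ever opened the Store, which is abbodi86's point above.
$installed = Get-AppxPackage -AllUsers | Where-Object { $hevcNames -contains $_.Name }

# 2. Packages provisioned into the image (they land in every new profile).
$provisioned = Get-AppxProvisionedPackage -Online |
    Where-Object { $hevcNames -contains $_.DisplayName }

$report = foreach ($p in $installed) {
    $ver = [version]$p.Version
    $status = $(
        if ($FixedVersion -and $ver -lt $FixedVersion) { 'BELOW FIXED VERSION' }
        elseif ($FixedVersion)                         { 'at or above fixed version' }
        else                                           { 'installed (no -FixedVersion supplied)' }
    )
    [pscustomobject]@{
        Name     = $p.Name
        Version  = $ver
        Profiles = @($p.PackageUserInformation).Count   # user profiles it is installed in
        Status   = $status
    }
}

if ($report) { $report | Format-Table -AutoSize }
else         { 'No HEVC codec package installed for any user: not affected per Microsoft FAQ.' }

if ($provisioned) {
    'Provisioned in the image (appears in every new user profile):'
    $provisioned | Select-Object DisplayName, Version | Format-Table -AutoSize
}

# 3. Store policies that make "customers will be automatically updated by
#    Microsoft Store" untrue. These are the documented WindowsStore GPO values;
#    a disabled Store is one reason the fix never arrives silently (not
#    necessarily the "access denied" case reported in the tweet above).
$storePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
if (Test-Path $storePolicy) {
    $pol = Get-ItemProperty -Path $storePolicy
    if ($pol.RemoveWindowsStore -eq 1) {
        'WARNING: Store disabled by policy (RemoveWindowsStore=1); a Store-delivered fix cannot install.'
    }
    if ($pol.AutoDownload -eq 2) {
        'WARNING: Store auto-updates disabled by policy (AutoDownload=2); the fix will not arrive on its own.'
    }
}
```

Without -FixedVersion the script only tells you what is installed and where; with it, any profile still carrying an older build shows up as BELOW FIXED VERSION, which is the list of machines you have to chase by hand when the Store update does not land.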

    Günter Born on Borncity talks about the conundrum.

    Yet another unholy mess.