Those two weird Microsoft Store fixes for Windows security flaws keep getting stranger


    #2277636

    In my monthly patch roundup, I kvetched about the bizarre (unprecedented?) security patches MS decided to distribute through the Microsoft Store. The
    [See the full post at: Those two weird Microsoft Store fixes for Windows security flaws keep getting stranger]

    6 users thanked author for this post.
    Viewing 7 reply threads
    • #2277642

      It’s weird seeing GARGANTUAN companies like Microsoft making decisions and mistakes like small, amateur / start-up companies. Has all the experienced talent just, left? :/

      3 users thanked author for this post.
      • #2277650

        MS used to have 1 method for updating Windows. It was relatively straightforward and manageable. All relevant updates showed up in one place. Now I think I have seen 3 different update methods recently for Windows. This is neither straightforward nor manageable, as one now has to be able to use these methods and, worse, know which updates in each channel are needed for your system.

        3 users thanked author for this post.
        • #2277673

          Yep, in fact three different channels were used in June. (Described in the article.)

          It’s worse than bothersome – and generally not documented.

    • #2277681

      I had “HEVC Video Extensions from Device Manufacturer” listed as installed at Settings, Apps.

      It was a vulnerable version 1.0.31053.0 which I believe was installed from Microsoft Store a couple of years ago after I read an article like this one which said it was freely available (but only via a Store link as it doesn’t get shown in search results):
      How to View HEVC or HEIC Files in Windows 10 for Free

      I tried “Get updates” in the Store numerous times but an update was never found.

      Eventually I was able to update to the secure version 1.0.31823.0 by reinstalling from the Store by using this link:

      https://www.microsoft.com/en-us/p/hevc-video-extensions-from-device-manufacturer/9n4wgh0z6vhq

      1 user thanked author for this post.
    • #2277690

      So if I may ask @sb or @woody … if the HEVC codec (v1.0.31053.0 in my 1909 installation) has been installed (behind the scenes and unbeknownst to me) by running a normal update from one Win 10 version to another (e.g. 1803 to 1909), is it recommended that we try to update this codec via the Windows Store at this time … or await further information/direction from MS?

      Happy 4th, and many thanks!

    • #2277703

      Mine updated to 1.0.31823.0 without any problems on June 30th. Maybe Microsoft should just get out of the business of shipping codecs. I would never use built-in codecs to watch videos; the only reason I installed the HEVC pack was to use with Microsoft ICE, which can work with Media Foundation codecs but unfortunately not with DirectShow ones.

    • #2277802

      I discovered another weird Microsoft issue this morning. It is harmless but what the blazes is wrong with Microsoft?? I have Windows 10 Pro and automatic updates are blocked since Microsoft installed the server version instead of the desktop version of an update last November. Today, I found updates installed on 07/03/20. I did not approve them. It gets even weirder because they are installed in my Stardock Start 10 folder which is located in my user files under appdata roaming.  The July 3rd update is to fix the supposed Microsoft Store HEVC mess. I have no idea how it got on my machine but it’s fixed?? That is interesting because I do not use the Microsoft Store at all. Why? Because my trust in Microsoft is at about a minus 50 after the mess they made last November. I’ve been into computers since 1964 and I have never seen anything like the mess Microsoft has made with Windows 8 and now with Windows 10. Nothing seems to stop them making one mess after another.

      • This reply was modified 3 years, 7 months ago by Cameochi.
      • #2277804

        If you have Microsoft Store on your machine, those updates will automatically install. Microsoft Store usage is not the qualifying condition.

        On permanent hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
        • #2277809

          In the MS Store App, under the (…) menu\Settings there is a switch to turn OFF “download updates automatically.”

          1 user thanked author for this post.
          • #2278408

            Hmm, I have the MS Store “(…) menu\Settings\App updates\Update apps automatically” switched on, and I haven’t received any update to this HEVC codec as yet. I guess if I wait long enough, MS will get round to me.

            As in my last post #2277690 in this thread, I would love to hear advice from @sb or @woody or another member of the team, as to what to do, and when.

            Thanks again.

            • This reply was modified 3 years, 7 months ago by tcc089.
    • #2277847

      There’s been some misinformation/confusion surrounding this security update (understatement /s).

      1) As far as I can determine, the HEVC codec (aka H.265) no longer exists in a default Windows installation (since 1709 Fall Creators Update). Likely due to HEVC royalty/licensing issues, Microsoft supports the competing royalty-free AV1 coding format which was finalized in March 2018.

      2) The (optional) HEVC codec is available in the MS Store for 99 cents. However, there is a free download link intended for developers. See post above.

      3) With this codec installed, H.265 videos can be displayed with Windows Media Player (wmplayer) and the Movies & TV app.

      4) Even though a codec is NOT an “app”, Microsoft chose to distribute the update via the MS Store presumably because this is where users obtained this particular codec pack and it is listed under “Windows Settings” -> “Apps & features”. I don’t agree, but ….

      5) Some 3rd party applications that support H.265 include VLC media player, Handbrake, and ffmpeg. As far as I can tell, these are not impacted because they rely on different codec packages/libraries (either the open source x265 or Kvazaar HEVC).

      Could someone who has not installed HEVC from the MS store check whether or not they can display H.265 videos using Media Player? You can test Windows/hardware HEVC support by downloading some small H.265 video test files from here:

      Sample HEVC Video Files

      Some sources for HEVC codecs other than Microsoft:

      x265 HEVC encoder (GNU GPL)
      Kvazaar HEVC encoder (academic)

      More information:

      Wikipedia: High Efficiency Video Coding
      VLC Security Bulletins

      • This reply was modified 3 years, 7 months ago by PKCano.
      • This reply was modified 3 years, 7 months ago by Carl.
      • #2277855

        Windows Media Player (Windows 10 1909 Pro, no HEVC codec) doesn’t play x265 files.
        MPC-HC does play x265.


        • #2277864

          Thanks Alex.

          I guess it’s safe to assume that the codec is NOT included in a default installation of 1909 then. I have 1909 Pro on one machine with the HEVC download from MS Store and it does play H.265 sample files.

    • #2278051

      H.266/VVC codec released as successor to H.265/HEVC

      Fraunhofer HHI is proud to present the new state-of-the-art in global video coding: H.266/VVC brings video transmission to new spee

      After devoting several years to its research and standardization, Fraunhofer HHI (together with partners from industry including Apple, Ericsson, Intel, Huawei, Microsoft, Qualcomm, and Sony) is celebrating the release and official adoption of the new global video coding standard H.266/Versatile Video Coding (VVC). This new standard offers improved compression, which reduces data requirements by around 50% of the bit rate relative to the previous standard H.265/High Efficiency Video Coding (HEVC) without compromising visual quality. In other words, H.266/VVC offers faster video transmission for equal perceptual quality. Overall, H.266/VVC provides efficient transmission and storage of all video resolutions from SD to HD up to 4K and 8K, while supporting high dynamic range video and omnidirectional 360° video.

    • #2278637

      I’m seeing these codecs installed in a large number of Dell Optiplex PCs which were freshly installed last October. The PCs have Intel video chipsets with HEVC hardware decoding support, so the codecs are probably specially licensed by Intel or Dell and Dell included them in their base image.

      Because the codecs require royalties, Microsoft may not distribute them via generally available channels like Windows Update, even for security reasons. I would speculate that the Microsoft Store has some kind of entitlement checking built in to it, or Dell provided some kind of license with the original package.

      Like all AppX packages, the codecs are installed on a per-userprofile basis. The good news is that if any one user installs an update, the package is staged to install on login for any other user. The bad news is that despite what Microsoft says, the package (for me) requires manually checking for updates in the app store.

      I have been unable to find a way to non-interactively run Store updates or install the packages manually. However, you can check for vulnerable packages with PowerShell as administrator:

      Get-AppXPackage -AllUsers -Name Microsoft.HEVC*

      and check the version. Beware: you must check for AllUsers or it won’t search the userprofiles for the package at all.
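
An added example, not part of the thread or any poster's code: the all-users version check described in the last post, compared numerically against 1.0.31823.0, the version an earlier post reports as the secure one. The function name Get-HevcPatchStatus and the sample package objects are constructed for illustration.

```powershell
# Added example: flag HEVC codec packages older than the version the thread
# reports as fixed (1.0.31823.0). Function name and sample data are illustrative.
function Get-HevcPatchStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Package,
        [version]$MinimumVersion = '1.0.31823.0'
    )
    process {
        # Cast to [version] so each component compares numerically; as strings,
        # '1.0.4000.0' would sort above '1.0.31823.0' and look patched.
        $installed = [version]$Package.Version
        [pscustomobject]@{
            Name       = $Package.Name
            Version    = $installed
            Vulnerable = $installed -lt $MinimumVersion
            # With -AllUsers, each package lists the profiles it is installed or staged for.
            Users      = ($Package.PackageUserInformation | ForEach-Object { "$_" }) -join '; '
        }
    }
}

# Constructed sample objects shaped like Get-AppxPackage -AllUsers output (not real data).
$sample = @(
    [pscustomobject]@{ Name = 'Microsoft.HEVCVideoExtension'; Version = '1.0.31053.0'
                       PackageUserInformation = @('S-1-5-21-0-0-0-1001 [alice]: Installed') }
    [pscustomobject]@{ Name = 'Microsoft.HEVCVideoExtension'; Version = '1.0.31823.0'
                       PackageUserInformation = @('S-1-5-21-0-0-0-1002 [bob]: Installed',
                                                  'S-1-5-21-0-0-0-1003 [carol]: Staged') }
    [pscustomobject]@{ Name = 'Microsoft.HEVCVideoExtension'; Version = '1.0.4000.0'
                       PackageUserInformation = @('S-1-5-21-0-0-0-1004 [dave]: Installed') }
)

$report = @($sample | Get-HevcPatchStatus)
$report | Format-Table -AutoSize

# Summarise how many entries still need the Store update.
$vulnerable = @($report | Where-Object Vulnerable)
"{0} of {1} package entries are below the fixed version" -f $vulnerable.Count, $report.Count

# Live check from an elevated prompt, using the query from the post above:
#   Get-AppxPackage -AllUsers -Name Microsoft.HEVC* | Get-HevcPatchStatus
```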
