News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Those two weird Microsoft Store fixes for Windows security flaws keep getting stranger

    Home Forums AskWoody blog Those two weird Microsoft Store fixes for Windows security flaws keep getting stranger

    Viewing 8 reply threads
    • Author
      • #2277636 Reply
        Da Boss

        In my monthly patch roundup, I kvetched about the bizarre (unprecedented?) security patches MS decided to distribute through the Microsoft Store. The
        [See the full post at: Those two weird Microsoft Store fixes for Windows security flaws keep getting stranger]

        6 users thanked author for this post.
      • #2277642 Reply
        AskWoody Lounger

        It’s weird seeing GARGANTUAN companies like Microsoft making decisions and mistakes like small, amateur / start-up companies. Has all the experienced talent just, left? :/

        3 users thanked author for this post.
        • #2277650 Reply
          lurks about
          AskWoody Plus

          MS used to have 1 method for updating Windows. It was relatively straightforward and manageable. All relevant updates showed up in one place. Now I think I have seen 3 different update methods recently for Windows. This is not straightforward nor manageable as now one has to be able to use these methods and worse know what updates in each channel are needed for your system.

          3 users thanked author for this post.
          • #2277673 Reply
            Da Boss

            Yep, in fact three different channels were used in June. (Described in the article.)

            It’s worse than bothersome – and generally not documented.

      • #2277681 Reply

        I had “HEVC Video Extensions from Device Manufacturer” listed as installed at Settings, Apps.

        It was a vulnerable version 1.0.31053.0 which I believe was installed from Microsoft Store a couple of years ago after I read an article like this one which said it was freely available (but only via a Store link as it doesn’t get shown in search results):
        How to View HEVC or HEIC Files in Windows 10 for Free

        I tried “Get updates” in the Store numerous times but an update was never found.

        Eventually I was able to update to the secure version 1.0.31823.0 by reinstalling from the Store by using this link:

        1 user thanked author for this post.
      • #2277690 Reply
        AskWoody Plus

        So if I may ask @sb or @woody … if the HVEC codec (v1.0.31053.0 in my 1909 installation) has been installed (behind the scenes and unbeknownst to me) by running a normal update from one Win 10 version to another (e.g. 1803 to 1909), is it recommended that we try to update this codec via the Windows Store at this time … or await further information/direction from MS?

        Happy 4th, and many thanks!

      • #2277703 Reply

        Mine updated to 1.0.31823.0 without any problems on June 30th. Maybe microsoft should just get out of the business of shipping codecs. I would never use built-in codecs to watch videos; the only reason I installed the HEVC pack was to use with Microsoft ICE, which can work with Media Foundation codecs but unfortunately not with direct show ones.

      • #2277802 Reply
        AskWoody Plus

        I discovered another weird Microsoft issue this morning. It is harmless but what the blazes is wrong with Microsoft?? I have Windows 10 Pro and automatic updates are blocked since Microsoft installed the server version instead of the desktop version of an update last November. Today, I found updates installed on 07/03/20. I did not approve them. It gets even weirder because they are installed in my Stardock Start 10 folder which is located in my user files under appdata roaming.  The July 3rd update is to fix the supposed Microsoft Store HEVC mess. I have no idea how it got on my machine but it’s fixed?? That is interesting because I do not use the Microsoft Store at all. Why? Because my trust in Microsoft is at about a minus 50 after the mess they made last November. I’ve been into computers since 1964 and I have never seen anything like the mess Microsoft has made with Windows 8 and now with Windows 10. Nothing seems to stop them making one mess after another.

        • This reply was modified 3 months, 3 weeks ago by Cameochi.
        • #2277804 Reply
          AskWoody Plus

          If you have Microsoft Store on your machine, those updates will automatically install. Microsoft Store usage is not the qualifying condition.

          G{ot backup} TestBeta
          offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3
          online▸ Win10Pro 2004.19041.572 x64 i5-9400 RAM16GB HDD Firefox83.0b4 WindowsDefender
          • #2277809 Reply
            Da Boss

            In the MS Store App, under the (…) menu\Settings there is a switch to turn OFF “download updates automatically.”

            1 user thanked author for this post.
            • #2278408 Reply
              AskWoody Plus

              Hmm, I have the MS Store “(…) menu\Settings\App updates\Update apps automatically” switched on, and I haven’t received any update to this HVEC codec as yet.  I guess if I wait long enough, MS will get round to me.

              As in my last post #2277690 in this thread, I would love to hear advice from @sb or @woody or another member of the team, as to what to do, and when.

              Thanks again.

              • This reply was modified 3 months, 3 weeks ago by tcc089.
      • #2277847 Reply
        AskWoody Plus

        There’s been some misinformation/confusion surrounding this security update (understatement /s).

        1) As far as I can determine, the HEVC codec (aka H.265) no longer exists in a default Windows installation (since 1709 Fall Creators Update). Likely due to HVEC royalty/licensing issues, Microsoft supports the competing royalty-free AV1 coding format which was finalized in March 2018.

        2) The (optional) HEVC codec is available in the MS Store for 99 cents. However, there is a free download link intended for developers. See post above.

        3) With this codec installed, H.265 videos can be displayed with Windows Media Player (wmplayer) and the Movies & TV app.

        4) Even though a codec is NOT an “app”, Microsoft chose to distribute the update via the MS Store presumably because this is where users obtained this particular codec pack and it is listed under “Windows Settings” -> “Apps & features”. I don’t agree, but ….

        5) Some 3rd party applications that support H.265 include VLC media player, Handbrake, and ffmpeg. As far as I can tell, these are not impacted because they rely on different codec packages/libraries (either the open source x265 or Kvazaar HEVC).

        Could someone who has not installed HVEC from the MS store check whether or not they can display H.265 videos using Media Player? You can test Windows/hardware HVEC support by downloading some small H.265 video test files from here:

        Sample HEVC Video Files

        Some sources for HEVC codecs other than Microsoft:

        x265 HEVC encoder (GNU GPL)
        Kvazaar HEVC encoder (academic)

        More information:

        Wikipedia: High Efficiency Video Coding
        VLC Security Bulletins

        • This reply was modified 3 months, 3 weeks ago by PKCano.
        • This reply was modified 3 months, 3 weeks ago by Carl.
        • #2277855 Reply
          AskWoody Plus

          Windows Media Player (Windows 10 1909 Pro, no HEVC codec) doesn’t play x265 files.
          MPC-HC does play x265.


          • #2277864 Reply
            AskWoody Plus

            Thanks Alex.

            I guess it’s safe to assume that the codec is NOT included in a default installation of 1909 then. I have 1909 Pro on one machine with the HEVC download from MS Store and it does play H.265 sample files.

      • #2278051 Reply
        AskWoody Plus

        H.266/VVC codec released as successor to H.265/HEVC

        Fraunhofer HHI is proud to present the new state-of-the-art in global video coding: H.266/VVC brings video transmission to new spee

        After devoting several years to its research and standardization, Fraunhofer HHI (together with partners from industry including Apple, Ericsson, Intel, Huawei, Microsoft, Qualcomm, and Sony) is celebrating the release and official adoption of the new global video coding standard H.266/Versatile Video Coding (VVC). This new standard offers improved compression, which reduces data requirements by around 50% of the bit rate relative to the previous standard H.265/High Efficiency Video Coding (HEVC) without compromising visual quality. In other words, H.266/VVC offers faster video transmission for equal perceptual quality. Overall, H.266/VVC provides efficient transmission and storage of all video resolutions from SD to HD up to 4K and 8K, while supporting high dynamic range video and omnidirectional 360° video.

      • #2278637 Reply

        I’m seeing these codecs installed in a large number of Dell Optiplex PCs which were freshly installed last October. The PCs have Intel video chipsets with HEVC hardware decoding support, so the codecs are probably specially licensed by Intel or Dell and Dell included them in their base image.

        Because the codecs require royalties, Microsoft may not distribute them via generally available channels like Windows Update, even for security reasons. I would speculate that the Microsoft Store has some kind of entitlement checking built in to it, or Dell provided some kind of license with the original package.

        Like all AppX packages, the codecs are installed on a per-userprofile basis. The good news is that if any one user installs an update, the package is staged to install on login for any other user. The bad news is that despite what Microsoft says, the package (for me) requires manually checking for updates in the app store.

        I have been unable to find a way to non-interactively run Store updates or install the packages manually. However you can check for vulnerable packages with Powershell as administrator:

        Get-AppXPackage -AllUsers -Name Microsoft.HEVC*

        and check the version. Beware: you must check for AllUsers or it won’t search the userprofiles for the package at all.

    Viewing 8 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Those two weird Microsoft Store fixes for Windows security flaws keep getting stranger

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.