  • Win10 codec security hole

      • #2276706 Reply
        woody
        Da Boss

        This one’s more interesting than the typical Windows zero-day. MS just published a Security Update for CVE-2020-1425 | Microsoft Windows Codecs Librar
        [See the full post at: Win10 codec security hole]

        3 users thanked author for this post.
      • #2276710 Reply
        OscarCP
        AskWoody Plus

        Does this bug affect versions of Windows earlier than 10?

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        • #2276712 Reply
          PKCano
          Da Boss

          Follow the link on the main blog page for the CVE – it shows the versions affected.

          2 users thanked author for this post.
      • #2276715 Reply
        geekdom
        AskWoody Plus

        Two out-of-band patches released:

        https://www.bleepingcomputer.com/news/security/microsoft-releases-oob-security-updates-for-windows-10-rce-bugs/

        G{ot backup} TestBeta
        offline▸ Win7Pro SP1 x64 Storage
        online▸ Win10Pro 1909.18363.900 x64 i5-9400 RAM8GB HDD Firefox79.0b3 Windows{Image/Defender/Firewall}
        1 user thanked author for this post.
        • #2276745 Reply
          woody
          Da Boss

          Yep. That appears to be the Windows Store patches mentioned in the MS post.

          1 user thanked author for this post.
        • #2276749 Reply
          anonymous
          Guest

          Geekdom, good point regarding the out-of-band patches. I was working on a customer’s old Windows 7 Pro 32 bit box to add a FF add-on as Admin and it restarted slowly, showing 2 critical updates. The 2 updates were noted in the restore point logs. In his box’s update history for Windows 7 there was only 1 update, for KB2310138, which I assume is a Defender or Security Essentials virus definition update. I see his updates are turned off for this old Windows 7 machine and no extended contract.

          Remove if this is a dup.

      • #2276726 Reply
        Brocktoon
        AskWoody Lounger

        I just got a HEVC Video Extension update pushed via the Microsoft Store, so I figure that’s probably the security patch/update

        1 user thanked author for this post.
      • #2276734 Reply
        PerthMike
        AskWoody Plus

        Oh for crying out loud. Now we need to unblock the Store in order to get core OS security updates? FFS, Microsoft. This is why we have WSUS, so we don’t need to phone home to Microsoft (or get a flood of pushed software and bad drivers from the store).

        Just the other day I built a new install on a PC, and accidentally left the Store un-blocked for a few minutes. Before I had a chance to even install the vendor drivers, the stupid OS had sucked down all the Store-issued hardware drivers.

        No matter where you go, there you are.

        3 users thanked author for this post.
        • #2276768 Reply
          Carl D
          AskWoody Lounger

          Not sure if it has been discussed here already but a lot of people are annoyed that you now can only get the NVIDIA Control Panel for Windows 10 from the Microsoft Store as well these days. It isn’t included with the drivers.

          Huh? Why? My guess is that MS need to do something to get people “interested” in their store. Seems like there’s mainly been tumbleweeds blowing around in there since it opened.

          I don’t need the NVIDIA Control Panel – I just want the drivers but I notice a “helpful” message pops up in the bottom right hand corner of the screen every time I install or update the NVIDIA graphics drivers in Windows 10 telling me I can get the Control Panel from the store… “Click Here to get it”. I just ignore it and it goes away.

          Oh, the NVIDIA Control Panel is still included in the latest drivers for Windows 7, I notice. Funny about that.

          Gigabyte GA-B250M-D3H Motherboard, Intel i5-7600 CPU, 32GB RAM, NVIDIA GeForce GTX 1050 Graphics Card, 1x Samsung 860 EVO 250GB SSD, 1x Samsung 850 EVO 250GB SSD, Windows 10 Professional 2004 64bit.

          1 user thanked author for this post.
          • #2276770 Reply
            anonymous
            Guest

            They're trying to push that but under “NVIDIA>Download Drivers>Advanced Driver Search” select driver type standard and you will have control panel included. DCH are the win store ones.

            GeForce Game Ready Driver WHQL 451.48 24.6.2020

            1 user thanked author for this post.
            • #2276867 Reply
              anonymous
              Guest

              thought it may be helpful to add that you have to click on “Beta and Older Drivers” to get that Advanced Driver Search page…

              Took me some time to figure that one out since never in my mind would I click on something called “Beta and Older Drivers” when I want to get hold of a stable up to date released driver.

              Seems like many companies are very eager to be number one on my s***list these days.

              Anyhow you made me look for it so a thanks is in order, highly appreciated.

            • #2277057 Reply
              wavy
              AskWoody Plus

              They're trying to push that but under “NVIDIA>Download Drivers>Advanced Driver Search” select driver type standard and you will have control panel included. DCH are the win store ones.

              Is that the same as the studio drivers?
              I believe I ended up with the control panel w/o a MS account on my newis install. It's a PITA to be forced to use the ‘store’ as I did on a previous install

              🍻

              Just because you don't know where you are going doesn't mean any road will get you there.
              • #2277110 Reply
                Alex5723
                AskWoody Plus

                DCH Game drivers are not the same as Studio drivers.
                I download directly from Nvidia and get the control panel.

                1 user thanked author for this post.
              • #2277218 Reply
                anonymous
                Guest

                @Alex5723

                You linked to the DCH driver, this needs to download the control panel via MS Store on Windows 10. If you think you got it without downloading it via the Store I can only assume it did that automatically and your settings were set to do so. Either which way, if you do a fresh install the DCH version on an offline machine will not give you the control panel.

                You get the non-DCH version here, and choose “Standard” version. https://www.nvidia.com/Download/Find.aspx?lang=en-us

                (You have to click on “Beta and Older Drivers” on default site to get that Advanced Driver Search page)

                1 user thanked author for this post.
          • #2277036 Reply
            anonymous
            Guest

            I’ve got an ASUS Laptop and the Control Software coming from the MS store and what a headache that’s been that’s never got some features working properly. And some UWP app that is the UI/front end device functionality is made functional via some needed service that has to be installed first before the UWP based front end/UI! And that’s not working out so well with that all bundled together and no proper way to assure that the UWP part gets installed after the service part that needs to be installed first before that UWP front end/UI will work properly.

            So a new form of dependency H E Double Toothpicks ensues!

             

        • #2277125 Reply
          it1
          AskWoody Plus

          Same thing for us. We’ve blocked the store, we get the nvidia control panel thing too.

          So.. we have to unblock the store I guess to patch this. However, most of the stuff from the store is on a per user basis, what about this fix? I’ve not seen any mention.

      • #2276779 Reply
        Alex5723
        AskWoody Plus

        What has Windows 10 codec bug to do with Microsoft Store ? I have blocked Microsoft Store and uninstalled all apps too, so no update for me ?

        1 user thanked author for this post.
        CAS
        • #2276808 Reply
          Paul T
          AskWoody MVP

          The update is via the store (it’s in the article).

          cheers, Paul

          1 user thanked author for this post.
          • #2276827 Reply
            woody
            Da Boss

            Yep, it’s a weird one.

            I don’t think I’ve ever seen a Windows security update distributed via the Store.

            2 users thanked author for this post.
        • #2276858 Reply
          Quazi11
          AskWoody Lounger

          Building on what Brocktoon stated, that the update was for the HEVC video extension (I can’t confirm).  Without much digging you find the video extension does not install by default but must be installed via the store.  So, for those of us with the store blocked, we don’t need it because we never installed that app from the store, right?  I’ll run this by my TAM, will also be interesting what Qualys comes up with as a detection method.  Will report if I find anything.

          1 user thanked author for this post.
        • #2276911 Reply
          abbodi86
          AskWoody_MVP

          You don’t need it if you already uninstalled all apps

          those who have “some” apps but not the Store, or blocked the Store, can download the updated appx from this site (the download links will be from Microsoft)
          https://store.rg-adguard.net/

          in the left box change URL to PackageFamilyName, and paste the needed appx PFN
          those are the codec-related ones
          Microsoft.HEIFImageExtension_8wekyb3d8bbwe
          Microsoft.VP9VideoExtensions_8wekyb3d8bbwe
          Microsoft.WebpImageExtension_8wekyb3d8bbwe

          press the check mark button on the right
          then download the proper appx file (for x64 system you need both x64 and x86 appx files)
          e.g.
          Microsoft.HEIFImageExtension_1.0.31572.0_x64__8wekyb3d8bbwe.appx
          Microsoft.HEIFImageExtension_1.0.31572.0_x86__8wekyb3d8bbwe.appx

          you may need to rename the downloaded files

          finally, you can install the updated pacs with double-click (if you still have App Installer)
          or via Powershell as administrator

          Add-AppxPackage -Path Microsoft.HEIFImageExtension_1.0.31572.0_x64__8wekyb3d8bbwe.appx

          4 users thanked author for this post.
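
A way to see which of the codec packages named in the post above are present, for which accounts and at what version, and to look at a downloaded .appx before installing it. This is an added example, not part of the thread or Microsoft's guidance; the `$Baseline` table and the function names are assumptions, and only the HEIF version number comes from the thread.

```powershell
# Added example. Run from an elevated PowerShell prompt on Windows 10.

# Package names from the post above (family name without the _8wekyb3d8bbwe suffix).
$CodecPackages = @(
    'Microsoft.HEIFImageExtension',
    'Microsoft.VP9VideoExtensions',
    'Microsoft.WebpImageExtension'
)

# Assumption: the lowest version you are willing to accept per package.
# Only the HEIF number appears in the thread; add the others from the advisory.
$Baseline = @{
    'Microsoft.HEIFImageExtension' = [version]'1.0.31572.0'
}

function Get-CodecPackageStatus {
    foreach ($name in $CodecPackages) {
        # -AllUsers lists the package for every account it is registered to.
        $found = @(Get-AppxPackage -AllUsers -Name $name)
        if ($found.Count -eq 0) {
            [pscustomobject]@{ Name = $name; Version = $null; Arch = $null
                               Status = 'NotInstalled'; Users = $null }
            continue
        }
        foreach ($pkg in $found) {
            $status = 'NoBaselineSet'
            if ($Baseline.ContainsKey($name)) {
                $status = if ([version]$pkg.Version -ge $Baseline[$name]) {
                    'AtOrAboveBaseline' } else { 'BelowBaseline' }
            }
            [pscustomobject]@{
                Name    = $pkg.Name
                Version = $pkg.Version
                Arch    = $pkg.Architecture
                Status  = $status
                # One entry per user account, with that account's install state.
                Users   = ($pkg.PackageUserInformation | ForEach-Object { "$_" }) -join '; '
            }
        }
    }
}

function Test-DownloadedAppx {
    param([Parameter(Mandatory)][string]$Path)
    # Add-AppxPackage rejects packages whose signature does not chain to a
    # trusted root; this shows who signed the file and records its hash first.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File            = Split-Path -Path $Path -Leaf
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Sha256          = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

Get-CodecPackageStatus | Format-Table -AutoSize

# File name taken from the post; adjust the path to wherever it was saved.
$appx = '.\Microsoft.HEIFImageExtension_1.0.31572.0_x64__8wekyb3d8bbwe.appx'
if (Test-Path -Path $appx) { Test-DownloadedAppx -Path $appx | Format-List }
```

Review the signer and status before running `Add-AppxPackage`, then run `Get-CodecPackageStatus` again to confirm the version changed for every account listed.
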
          • #2276982 Reply
            anonymous
            Guest

            When I put the product code in I get multiple versions listed.  I can’t find info on which exact version I should have to be patched.
            Your post says use 1.0.31572.0 but I also get 1.0.31572.70, which I assume I should grab instead, no?  Same idea happens for the VP9 codec.

            I also was only able to install the 64bit version.
            Thoughts?  Seems odd but I have never done this before.

            • #2277030 Reply
              abbodi86
              AskWoody_MVP

              The .70 version is for eappx (encrypted appx), not for our usage

              yes, I stand corrected, only x64 appx is needed for x64 system (I just checked my 1809 Pro x64)

        • #2277034 Reply
          rc primak
          AskWoody_MVP

          What has Windows 10 codec bug to do with Microsoft Store ? I have blocked Microsoft Store and uninstalled all apps too, so no update for me ?

          See my Post https://www.askwoody.com/forums/topic/win10-codec-security-hole/#post-2277031 . It’s about patents, royalties and keeping the OS core free of third-party properties.

          -- rc primak

          • This reply was modified 2 days, 13 hours ago by rc primak.
        • #2277184 Reply
          CAS
          AskWoody Plus

          Alex, based on your response, I blocked MS store. I was unaware that I could do that before reading what you wrote. Hence the “thank you”.

          Using Revo (free) I uninstalled every single remaining MS app that was created when I installed Win 10 as well as any connected entries found by the Revo scan after the uninstall.

          Just to be certain that everything was okay, I checked the system image health using DISM and found it healthy and intact. I then ran an sfc scan and found no integrity issues. I rebooted my computer and found everything running just fine. The event viewer showed no issues, yesterday or today.

          Admittedly, I’m no computer geek, but I think that I’ve done all I can to protect myself against this latest MS codec fiasco. If anyone still thinks I’m still at risk please let me know. I have backed up system images from last month, before and after the installation  of the June updates for 1903 just in case I jumped the gun.

          CAS

           

      • #2276845 Reply
        geekdom
        AskWoody Plus

        I hope the new means of requiring updates through the Microsoft Store doesn’t become standard practice.

        • The update installs invisibly and silently.
        • The update is not through Windows update which would be the usual place to find updates. This update requires new procedures.
        • Not everyone uses Microsoft Store, nor allows it to run. There’s quite a spread between installing Candy Crush and a Windows update.
        • Toy and computer operations are now mixed.
        G{ot backup} TestBeta
        offline▸ Win7Pro SP1 x64 Storage
        online▸ Win10Pro 1909.18363.900 x64 i5-9400 RAM8GB HDD Firefox79.0b3 Windows{Image/Defender/Firewall}
        5 users thanked author for this post.
      • #2276938 Reply
        Carl
        AskWoody Plus

        I know I may not be the brightest lightbulb in the house, but I find this mess a bit confusing.

        1) Are the vulnerable codecs installed by default in Win 10 or do they exist because of something installed by the user (e.g. H.265)?
        2) Are these codecs installed/used by 3rd party applications?
        3) For those who use local account only (machine not linked to MS account), will they receive the update?
        4) Why is the update not pushed through Win Update?
        5) Will the fixes be available in the MS Catalog?

        Anyway, for anyone interested, while logged into my local account on Win 10 1909, I did the following:

        1) Clicked the MS Store icon in the task bar.
        2) Click the hamburger in the upper right.
        3) Selected “Downloads and updates”.

        The “HEVC Video Extension” update then downloaded and installed. I’m assuming this is the fix.

        • #2276989 Reply
          abbodi86
          AskWoody_MVP

          1) Yes, in client editions since v1809, except N editions and LTSC

          2) They are meant to be used by UWP apps only

          3) Yes

          4) UWP apps updates are never pushed via WU/Catalog, Microsoft Store is designed for that

          5) Probably not

          2 users thanked author for this post.
      • #2276939 Reply
        CAS
        AskWoody Plus

        I don’t know whether or not I should be concerned about this issue. I do not ever buy any apps from the MS store.  I sign in locally on Win 10 Pro (1909. 18363. 900) and did not establish an MS account when I first installed Win 10. However, after I did the initial install, I disabled Cortana and all permissions for the few apps that I kept and deleted all the rest, including MS Edge. The only MS Apps that remain are:

        1. HEIF Image Extensions. I use IrfanView64 for my photos and VLC player for everything else. I checked and there is a Codec package for this app.
        2. Get Help. I do not use this at all, ever. That’s what this site is for.
        3. MS Photos. I do not use this at all, either.
        4. Tips. As with Help, I do not use this at all. Once again, I come here for tips.
        5. Voice Recorder. Although I do not use this app, I thought that I might use it some day. Today, I did a search and found several free alternatives.

        Revo Uninstaller allows for the complete removal of each of these apps, although I haven’t done it, yet. I kept these apps because I didn’t know what they were or if I would ever need them. I did, however, disable them as well as all permissions that pertain to them.  Now, with this issue, I think it’s best that I remove them. Do you agree? (MS settings will not allow me to either terminate or uninstall them?) Should I be concerned about this codec issue once these apps are removed?

        CAS

        • This reply was modified 2 days, 16 hours ago by CAS.
        • #2277032 Reply
          rc primak
          AskWoody_MVP

          If you need to open files with those codecs or extensions, you’d better keep the apps. And if you need the apps, you’d better be able to update them. I do not recommend removing the Microsoft Store App for this among other reasons.

          -- rc primak

      • #2276969 Reply
        Carl
        AskWoody Plus

        Well, it seems I’m not the only one that’s confused. Martin over at ghacks has just expressed similar concerns:

        Critical Windows Codecs security issue

        Scroll to the bottom of the article and see the section “Lack of information is a problem”.

      • #2277031 Reply
        rc primak
        AskWoody_MVP

        OK, so here’s my take on why the patch comes via the Store Apps.

        Many codecs have patents associated with them. These in turn cost royalties if the OS vendor uses them in North American editions. (In the EU no one charges for codecs, which is why VLC Player includes them in its core program and extensions/plugins.)

        Microsoft decided awhile ago not to support codecs for which they would have to pay royalties. This is why Windows 10 does not natively play DVDs. That feature was moved out to the Microsoft Store. It’s also why the codecs and extensions to use the file formats which require the codecs got moved out to the Microsoft Store. So things which got moved out to the MS Store have to be patched via Store App updates. Just as if you had third-party drivers installed, and they would have to be patched through the vendors. (I never accept third-party driver updates offered through MS Updates.)

        Driver-related apps, like control panels, have also been moved out to the MS Store, for some of the same reasons. Personally, I don’t mind updating my Realtek and Intel Control Panels this way. They work just as well, whether they are well-buried alternative features inside of Windows 10, or whether they can be fired up from Start Menu Tiles or Taskbar Shortcuts.

        I also have the Intel Drivers and Support Assistant and an Epson Printer drivers and firmware updater, both of which operate as separate apps. Same for my Screenbeam WiDi dongle’s updater and settings app. Some are MS Store Apps, some are Win32 Apps. But each one is no longer part of the Windows OS core.

        The idea seems to be to move third-party properties outside of the core OS, and only include Microsoft-owned and developed features inside the core OS. It actually makes sense, and is a practice being pursued by Google, Apple, Canonical (Ubuntu Linux) and Red Hat/Fedora Linux. Web browsers seem also to be moving more and more optional features out into extensions.

        These changes make updating a hassle, but they keep the core OS less messy to maintain for the core OS developers and maintainers.

        -- rc primak

      • #2277266 Reply
        Alex5723
        AskWoody Plus

        I can only assume it did that automatically and your settings were set to do so.

        Microsoft Store is blocked so no background downloads…
        I don’t perform clean install, just update the current version, currently use Studio drivers.

        • This reply was modified 1 day, 16 hours ago by Alex5723.
      • #2277324 Reply
        anonymous
        Guest

        Dear lord…never heard of patches via Windows Store until today…we block that garbage site.  Thanks Microsoft, I really appreciate your continued actions that create work for me while making our organization less secure.
