Windows 10 security patches are causing all sorts of problems – and people aren’t happy
Confusion abounds concerning a pair of fixes for Windows 10 codecs
Users have been left puzzled after Windows 10 received a couple of important security fixes for some major flaws in Windows media codecs.
However, rather than the typically used channel of Windows Update, Microsoft pushed out these updates via the Microsoft Store – confusing a lot of users in the process.
In fact, there’s been a lot of head-scratching around both these fixes for serious problems related to the codecs, which were released out-of-band (meaning not on Microsoft’s typical monthly security patch schedule).
The vulnerabilities are CVE-2020-1425 and CVE-2020-1457, as Ask Woody highlights, and they potentially allow an attacker to “obtain information to further compromise the user’s system”, or execute arbitrary code, respectively.
They can be exploited via a “specially crafted image file”, and as Microsoft notes, these updates remedy the situation by correcting how the Windows Codecs Library handles objects in memory.
As Ask Woody reports, the appearance of these security fixes worried some folks who were wondering exactly why the patches were only offered to Windows 10 clients via the Microsoft Store, rather than using Windows Update as mentioned.
Microsoft’s answer is that the affected HEVC codec package is an optional component which can be downloaded from the Microsoft Store (or grabbed by an app which requires it).
In other words, it isn’t included with Windows 10 by default, hence Microsoft not using Windows Update for distribution.
Windows 10 confusion
There has been a fair bit of confusion, though, because the HEIC images – the exploitation path, as mentioned, is via one such specially crafted image file – do seem to be present on Windows 10 systems, and it’s not clear if that might be problematic in itself.
Presumably not, given Microsoft’s stance here, but Bleeping Computer, which also reported on this issue, asked Zero Day Initiative researcher Abdul-Aziz Hariri – who found these vulnerabilities – whether the HEIC images could be a security hole in themselves, and Hariri said that he “was not sure if they were patched as well”.
So, you can see where the bewilderment and worry are coming from here, and this is compounded by another problem – namely that some users may not receive the update automatically via the Microsoft Store as they should do, because the organization they’re employed by has disabled the store (or at least automatic updates from the store).
On top of that, some of those who are installing the patch from the Microsoft Store are witnessing it fail with an ‘access denied’ error.
⚠ Houston we have a(nother) problem ⚠ CVE-2020-1425 / CVE-2020-1457 might (silently) fail with “access denied”. Not all store apps though. see screen @sudhagart @WindowsUpdate @rWinSec Given the #secflaw this is critical feedback https://t.co/OYctLjLtoe pic.twitter.com/nzKqAhq5hD July 4, 2020
All in all, then, Microsoft’s resolution of this particular pair of vulnerabilities seems to have got pretty messy and unsatisfactory.
Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - ‘I Know What You Did Last Supper’ - was published by Hachette UK in 2013).