Microsoft pushes fix for two vulnerabilities in the Windows Codecs Library

Security Now
Automatic TRANSCRIPT

US-CERT posted last Tuesday, on June thirtieth: Microsoft has released information regarding vulnerabilities, and they're oddly low numbered, so apparently Microsoft has known of them for a while. They're 2020-1425 and 1457, the CVE designations, in Microsoft Windows Codecs Library. They said this contains updates that are rated as critical. Remote attackers leveraging these vulnerabilities may be able to execute arbitrary code. For more information on the vulnerabilities, please refer to the information provided by Microsoft. And of course it's like, oh, what's this? Because again, this is out of cycle. This is the end of June. They didn't even feel they could wait a couple of weeks until July's updates, apparently. So both of the advisories on Microsoft's site have the same title, Microsoft Windows Codecs Library Remote Code Execution Vulnerability. That's for 1425 and 1457, and the disclosures are almost identical.

But of course at this point, our listeners are no longer surprised to learn of a fatal flaw in a media codec. As we know, codecs are complex interpreters of a compressing encoder's metadata. It's truly difficult to make a codec both screamingly fast, as they need to be, and also careful at the same time. Being super careful means checking everything, and checking everything takes precious time when a codec is by its nature often racing the clock.

So what made these stand out, aside from the fact that they were once again patches for an out-of-cycle critical remote code execution vulnerability, and the second one is an information disclosure, was the fact that Microsoft indicated that the updates would not be available through Windows Update nor through the Windows Update Catalog. No, these updates would be provided through the Microsoft Store. And it's like, what? Users are instructed to click on the little white shopping bag on the Windows 10 taskbar, and I'll note that none of my Windows 10 taskbars have little white shopping bags. But that's another story. Then you select More, Downloads and updates, and then Get updates.

In their disclosure, Microsoft wrote: A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. Okay, no surprise there. An attacker who successfully exploited the vulnerability could execute arbitrary code. Right? And the other one, a slight variation, same boilerplate: an attacker who successfully exploited the second vulnerability could obtain information to further compromise the user's system. And in either case they say the exploitation of the vulnerability requires that a program process a specially crafted image file. Right, so it's the evil image, which is what you'd expect a codec to barf on. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory. Then they wrote: Affected users will be automatically updated by Microsoft Store. And according to Microsoft, users who want to receive the update immediately can check for updates with the Microsoft Store app. That's the clicking on the little white bag that I talked about before.

And I was thinking about this. I suppose it makes sense for Store apps and extensions that are sourced by the Store, even when they are provided by Microsoft, to be updated through the channel that the user used for their original delivery, and that's especially the case for third-party apps being updated. I mean, Microsoft would not want to be hosting updates of third-party apps through their own operating system and app update channels, the Windows Update and the Update Catalog. So the Store it is. Both updates were privately reported and are not known to be used in the wild, so it's not clear to me why the emergency. But the fact that it was on the thirtieth, which was a Tuesday, as I... right? Yeah, it was a Tuesday. Maybe that was a deliberate, like, Store Patch Tuesday new thing that is going to be happening.

The problems exist in, excuse me, the HEVC Video Extensions, and they're not free, surprisingly: ninety-nine cents if you want that from the Microsoft Store. Maybe you'll get them as part of another package provided there. There's, like, actually two different instances of HEVC on the Store: one is for ninety-nine cents and one says it's provided by other software. The HEVC extension, apparently not very popular, rated only two and a half out of five stars, and Microsoft's description says: Play High Efficiency Video Codec, that's what HEVC stands for, in any video app on your Windows 10 device. These extensions, they say, are designed to take advantage of hardware capabilities on some newer devices, including those with an Intel seventh-generation Core processor and newer GPU, to support 4K and Ultra HD content. They said, for devices that don't have hardware support for HEVC, so, a software codec to enhance what you have on your system.

And this was sort of a new designation for me. And actually, we've already gone to the codec beyond this. But Wikipedia explains that HEVC, this High Efficiency Video Coding, is also known as H.265 and also MPEG-H Part 2, a video compression standard designed as part of the MPEG-H project as a successor to the widely used AVC, which is what everybody is now using. That's H.264, which is MPEG-4 Part 10. And Wikipedia finished: In comparison to AVC, HEVC offers from twenty-five to fifty percent better data compression at the same level of video quality, giving it substantially improved video quality at the same bit rate.

Okay, so if you're curious to know, and it turns out you may need to be curious, whether your system or any system might have the HEVC Video Extensions installed, and if so, which version, there is a PowerShell command which will tell you. So you'd open PowerShell, probably do it with admin because why not, and then, I have the command in the show notes if you're interested, but it's Get-AppxPackage -Name Microsoft.HEVCVideoExtension. When I entered that into my Win10 machine, I got nothing. It was just blank in return. But the repaired versions of the HEVC extensions are 1.0.31822.0 or 31823.0. And so since I don't have it, my PowerShell just exited, returning nothing.

Some commentators have observed that this new Windows Store channel for releasing critical updates outside of the normal Windows security update distribution channels, though I noted I could see why it happened, it made sense, it's understandable, can cause trouble in enterprise settings where certain Windows features and Windows Store, probably, I would imagine the Store more than anything else, may have been deliberately disabled by enterprise policies. And for such companies who have purposely disabled the Microsoft Store and the Microsoft Store automatic updates, those vulnerable computers will not receive fixes without the removal of that policy. And in fact Computerworld's industry fixture Woody Leonhard, over in his AskWoody column, was far less patient with this and much less understanding than I was about, like, I could understand why that was the Windows Store.

One of the replies to his posting noted that this optional HEVC codec exists by default in Windows client editions since 1809, except the N and the LTSC editions. I do have the LTSC, the Long-Term Servicing Channel, so that explains why my PowerShell query came up blank. But assuming that's the case, it would be probable then that any normal Windows 1809, 1903, 1909 and 2004 would have the vulnerable codec installed, yet presumably be unable to get it updated if the user or an enterprise had determined that they had no interest in the Windows Store and had consequently removed and/or disabled it. It's exactly the same as if we could uninstall Windows Update, which of course we can't, because we need Windows updates. So it'll be interesting to see, like, what happens with this.

Woody wound up his post by writing, quote: The distribution method is riddled with all sorts of obvious holes. He said, I mean, anybody with any sort of updating experience should have been able to compile a list of half a dozen ways that this could go wrong. And he finished: Yet another unholy mess. And actually he also used some of the content in his Computerworld column, where he just really raked Windows, Microsoft, for the debacle of the June Windows update with all the printer issues. Basically all the things we've talked about and touched on, but being much less forgiving even than I am.
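
The version check described in the episode, extended to also report whether Store policy would keep the fix from arriving; this is an added example, not code from the show notes or from Microsoft's advisory. The trailing wildcard on the package name, the use of 1.0.31822.0 as the minimum fixed version, and the WindowsStore policy key with its RemoveWindowsStore and AutoDownload values are assumptions not stated in the transcript.

```powershell
# Added example: audit one machine for the HEVC Video Extensions fix.
# Run from an elevated prompt, since -AllUsers requires administrator rights.

# Fixed versions read out in the episode: 1.0.31822.0 and 1.0.31823.0.
# Assumption: anything below the lower of the two is treated as unpatched.
$minFixed = [version]'1.0.31822.0'

# Assumption: the wildcard is added so both Store listings of the extension match.
$packages = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*'

if (-not $packages) {
    # Blank output is the expected result on N and LTSC editions.
    Write-Output 'HEVC Video Extensions: not installed'
}

foreach ($pkg in $packages) {
    $installed = [version]$pkg.Version
    [pscustomobject]@{
        Package = $pkg.Name
        Version = $installed
        Patched = ($installed -ge $minFixed)
    } | Format-List
}

# Store policy state (assumed location of the Group Policy values).
# RemoveWindowsStore = 1 turns the Store app off;
# AutoDownload = 2 turns automatic Store app updates off.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

$storeOff  = ($null -ne $policy) -and ($policy.RemoveWindowsStore -eq 1)
$updateOff = ($null -ne $policy) -and ($policy.AutoDownload -eq 2)

[pscustomobject]@{
    StoreDisabledByPolicy      = $storeOff
    StoreAutoUpdateDisabled    = $updateOff
    # An installed, unpatched codec plus either policy means the fix
    # will not arrive until the policy is lifted or the package is updated manually.
    NeedsManualRemediation     = [bool]($packages | Where-Object {
                                     [version]$_.Version -lt $minFixed
                                 }) -and ($storeOff -or $updateOff)
} | Format-List
```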
