Windows 10 security patches are causing all sorts of problems – and people aren’t happy

PCHF Tech News
PCHF Bot
Users have been left puzzled after Windows 10 received a couple of important security fixes for some major flaws in Windows media codecs.

However, rather than the typically used channel of Windows Update, Microsoft pushed out these updates via the Microsoft Store – confusing a lot of users in the process.

In fact, there’s been a lot of head-scratching around both these fixes for serious problems related to the codecs, which were released out-of-band (meaning not on Microsoft’s typical monthly security patch schedule).


The vulnerabilities are CVE-2020-1425 and CVE-2020-1457, as Ask Woody highlights, and they potentially allow an attacker to “obtain information to further compromise the user’s system”, or execute arbitrary code, respectively.

They can be exploited via a “specially crafted image file”, and as Microsoft notes, these updates remedy the situation by correcting how the Windows Codecs Library handles objects in memory.

As Ask Woody reports, the appearance of these security fixes worried some folks who were wondering exactly why the patches were only offered to Windows 10 clients via the Microsoft Store, rather than using Windows Update as mentioned.

Microsoft’s answer is that the affected HEVC codec package is an optional component which can be downloaded from the Microsoft Store (or grabbed by an app which requires it).

In other words, it isn’t included with Windows 10 by default, hence Microsoft not using Windows Update for distribution.

Windows 10 confusion


There has been a fair bit of confusion, though, because the HEIC images – the exploitation path, as mentioned, is via one such specially crafted image file – do seem to be present on Windows 10 systems, and it’s not clear if that might be problematic in itself.

Presumably not, given Microsoft’s stance here, but Bleeping Computer, which also reported on this issue, asked Zero Day Initiative researcher Abdul-Aziz Hariri – who found these vulnerabilities – whether the HEIC images could be a security hole in themselves, and Hariri said that he “was not sure if they were patched as well”.

So, you can see how the bewilderment and worry is coming in here, and this is compounded by another problem – namely that some users may not receive the update automatically via the Microsoft Store as they should do, because the organization they’re employed by has disabled the store (or at least automatic updates from the store).

On top of that, some of those who are installing the patch from the Microsoft Store are seeing it fail with an ‘access denied’ error.

⚠ Houston we have a(nother) problem ⚠ CVE-2020-1425 / CVE-2020-1457 might (silently) fail with "access denied". Not all store apps though. see screen @sudhagart @WindowsUpdate @rWinSec Given the #secflaw this is critical feedback https://t.co/OYctLjLtoe pic.twitter.com/nzKqAhq5hD (July 4, 2020)

All in all, then, Microsoft’s resolution of this particular pair of vulnerabilities seems to have got pretty messy and unsatisfactory.

