On June 30, 2020, Microsoft rolled out emergency updates for the vulnerabilities CVE-2020-1425 and CVE-2020-1457 in the Windows Codecs Library. Today I post an addendum, because there are still numerous inconsistencies in this process. Addendum: and we have installation issues as well.
What are CVE-2020-1425 and CVE-2020-1457?
CVE-2020-1457 and CVE-2020-1425 are vulnerabilities in the Windows Codecs Library. Using specially crafted image files, attackers could achieve remote code execution (RCE); if exploitation succeeds, they could extract information from or compromise the user's system.
Although no attacks have been reported so far, Microsoft decided to provide out-of-band updates at the end of June 2020 to close the vulnerabilities. The out-of-band updates are provided for Windows 10 version 1709 through Windows 10 version 2004, as well as for Windows Server 2019.
The support articles stated that affected customers would automatically receive the necessary updates for the Windows Codecs Library via the Microsoft Store and would not need to take any action to obtain them. Customers who want the update immediately can instead use the Microsoft Store app to check for updates.
Days of Chaos in Redmond?
I covered the details in the blog post Windows 10: Critical codec vulnerabilities patched, which contains the sentence:
The problem with the whole approach: there is no information about which updates are needed. And it's also stupid that the updates are shipped via the store.
Some commenters on the article and elsewhere on the web were surprised by the distribution via the store. And on July 2, 2020, I received a mail from blog reader André E. with the following content:
Hello Mr. Born,
I’m sure you’ve read the news on Golem…
That Microsoft now distributes security updates through the store is unbelievable.
We have deactivated the store and we want to keep it that way.
Can you possibly get more information there? Will the patch also be made available via WSUS or Windows Update?
Would surely be a topic for your site.
Well, Microsoft produces tons of buzzing marketing text every day. But nobody felt the need to explain why security updates were being distributed through the store, bypassing Windows Update and the managed environments that rely on WSUS. It was not clear to me which packages from the store actually close the vulnerabilities. I had two entries, HEIF Image Extensions and HEVC Video Extensions, listed as affected packages, but I did not know from which version onward the vulnerabilities are fixed (it seems that Microsoft has meanwhile added some details, see below). Three or four clear sentences could have answered these questions.
Microsoft amended the documentation
In the meantime, however, the people at Microsoft seem to have come to their senses, or the customer backlash got too hot, and they have updated the documentation.
Microsoft updated the advisories to say that only systems where optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store were installed are vulnerable.
Windows Server systems are not vulnerable since HEVC is not supported on this platform. pic.twitter.com/l3ofOl5jVf
— BleepingComputer (@BleepinComputer) July 2, 2020
The colleagues at Bleeping Computer noticed this and documented it on Twitter in the message above. The statement can be found in the FAQ (e.g. for CVE-2020-1425) below the list of affected Windows 10 versions:
Is Windows vulnerable in the default configuration?
No. Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.
So it should only affect systems on which the optional HEVC codec pack has been installed. The FAQ also states that HEVC is not available for offline distribution and is not supported on Windows Server. The CVE articles linked above now also list the respective patched build number, and they give a PowerShell command to determine the version of the installed codecs, e.g.:
Get-AppxPackage -Name Microsoft.HEVCVideoExtension
Microsoft also writes that security updates can be delivered through the store at any time, because the store is not bound to the patch cycles of Windows Update.
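The single Get-AppxPackage call from the advisory only shows the current user's copy of one package. The script below is an added example (my own code, not Microsoft's and not from the original post) that extends that check the way an admin auditing a machine would: it enumerates every HEVC codec package for all user profiles, compares each installed version with the fixed build, and optionally asks the store to scan for app updates right away. It assumes the fix is identified by a minimum package version, as the advisory FAQ describes; the fixed build number itself is not reproduced here and must be passed in from the FAQ (the '1.0.0.0' at the bottom is only a placeholder). The wildcard 'Microsoft.HEVCVideoExtension*' is assumed to match both store SKUs of the codec, and the function names are mine.

```powershell
# Added example, not part of the original post. Run in an elevated
# PowerShell so that -AllUsers covers every profile on the machine.

function Get-HevcCodecStatus {
    [CmdletBinding()]
    param(
        # Minimum package version that contains the fix. Take this from the
        # FAQ of CVE-2020-1425 / CVE-2020-1457; it is NOT hard-coded here.
        [Parameter(Mandatory)]
        [version]$FixedVersion,

        # Assumption: both store SKUs of the codec share this name prefix.
        [string]$NamePattern = 'Microsoft.HEVCVideoExtension*'
    )

    # -AllUsers requires elevation; fall back to the current user otherwise.
    $isAdmin = ([Security.Principal.WindowsPrincipal] `
        [Security.Principal.WindowsIdentity]::GetCurrent()
    ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $packages = if ($isAdmin) {
        Get-AppxPackage -AllUsers -Name $NamePattern
    } else {
        Get-AppxPackage -Name $NamePattern
    }

    if (-not $packages) {
        # Only this case matches Microsoft's "not vulnerable in the default
        # configuration" claim (e.g. N/LTSC editions, Windows Server).
        return [pscustomobject]@{
            PackageName = $null
            Version     = $null
            Status      = 'NotInstalled'
            Users       = @()
        }
    }

    foreach ($pkg in $packages) {
        $installed = [version]$pkg.Version
        [pscustomobject]@{
            PackageName = $pkg.Name
            Version     = $installed
            Status      = if ($installed -ge $FixedVersion) { 'Patched' } else { 'Vulnerable' }
            # With -AllUsers, PackageUserInformation lists every profile that
            # has the package; without it the list is empty.
            Users       = @($pkg.PackageUserInformation |
                            ForEach-Object { $_.UserSecurityId.Username })
        }
    }
}

function Start-StoreUpdateScan {
    # Triggers the same app-update check as "Get updates" in the Store app,
    # via the MDM bridge WMI class. Requires elevation, and the store must
    # not be disabled by policy (as it is in André's environment above).
    Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_EnterpriseModernAppManagement_AppManagement01' |
        Invoke-CimMethod -MethodName UpdateScanMethod
}

# Placeholder version: replace with the build named in the advisory FAQ.
$status = Get-HevcCodecStatus -FixedVersion '1.0.0.0'
$status | Format-Table -AutoSize

# If anything is still vulnerable, ask the store to check for updates now.
if ($status.Status -contains 'Vulnerable') {
    Start-StoreUpdateScan | Out-Null
}
```

A 'Vulnerable' result on a machine that never had the codec added by hand is exactly the situation abbodi86 describes further down: the package was present by default, so the FAQ's "only customers who installed it" wording does not tell an admin whether that machine needs the store update.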
Is this the truth?
It must be acknowledged that Microsoft has at least provided some additional information. But the episode shows how broken the approach is: security updates are distributed via Windows Update, sometimes via the store, and nobody communicates in a crystal clear way what is going on, why it is happening, and which details administrators need to know. Since 2015 we have been hearing from Microsoft, over and over like a prayer wheel, that they want to become better and more transparent, and that customers should blindly trust the monopolist, which is currently dropping the ball in many places. But it gets worse.
June patches run quite the gamut, with three completely different delivery mechanisms for fixes to bugs introduced on Patch Tuesday. @abbodi86 says that the vulnerable HEVC drivers are on *every* machine, not just the ones that installed optional drivers. https://t.co/4qUF4KGq7X
— Woody Leonhard (@AskWoody) July 2, 2020
That night I came across the above tweet from Woody Leonhard, who took up the topic in his Computerworld article. On the patchmanagement.org mailing list the same questions were raised that blog reader André asked above. User abbodi86, who sometimes digs very deep into Windows and its updates, shares his findings there:
The first Q is not accurate
the optional HEVC extension exists by default in Windows Client
editions since v1809, except N and LTSC editions
His statement: the first answer in Microsoft's FAQ is already wrong. The 'optional' HEVC extension is installed by default on every Windows 10 client since version 1809; only the LTSC SKUs and the N editions of Windows 10 lack this codec library. At this point the chaos is complete: there is no way of knowing whether Microsoft's position is correct that the rollout via the store only reaches affected systems and that the HEVC extensions are not present on the others. From that point on at the latest, admins are left standing in the rain. Or what do you think?
Update installation may fail
Addendum: There are cases where the update installation unfortunately fails with the error 'Access denied', without the failure being reported.
⚠ Houston we have a(nother) problem ⚠
CVE-2020-1425 / CVE-2020-1457 might (silently) fail with “access denied”. Not all store apps though. see screen @sudhagart @WindowsUpdate @rWinSec
Given the #secflaw this is critical
feedback https://t.co/OYctLjLtoe pic.twitter.com/nzKqAhq5hD
— al Qamar (Karl Wester-Ebbinghaus) Ⓥ (@tweet_alqamar) July 4, 2020
Blog reader Karl points out in the above tweet that the installation of the updates for CVE-2020-1425 and CVE-2020-1457 can (silently) fail with “access denied”. This does not affect all store apps, however; details can be found in the Feedback Hub at the link provided.