Microsoft closes vulnerability CVE-2020-17022 in HEVC codec library (10/15/2020)

[German] Microsoft has released a patch to close the RCE vulnerability CVE-2020-17022 in the Windows Codecs Library on October 15, 2020. Because there was some confusion (the vulnerability only affects those Windows 10 users who have the HEVC codecs installed) and the patch is delivered via the Microsoft Store, I'm pulling this out into a separate blog post.


A warning from German BSI

I have seen it in a comment on my German blog and in a Facebook post: the German Federal Office for Information Security (BSI) has issued a warning that could cause uncertainty. Here is the translated text:

"[Cert Warning] TW-T20-0179 – Microsoft Windows 10: Vulnerability allows execution of arbitrary code with user privileges

Type of message: Safety note
Risk level 3
Microsoft Windows 10: Vulnerability allows execution of arbitrary code with user rights

Affected systems:
Microsoft Windows 10
The BürgerCERT recommends the prompt installation of the security updates to close the vulnerabilities."

The BSI has also linked the security advisory CVE-2020-17022 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability dated October 15. In the comment on my German blog, the person concerned notes that he cannot find any information on the Microsoft site – and that there is no update via Windows Update.

This is what is behind CVE-2020-17022

CVE-2020-17022 is a remote code execution (RCE) vulnerability in a Microsoft Windows Codecs Library used in Windows 10. The flaw lies in how the Microsoft Windows Codecs Library handles objects in memory, which can be exploited to execute code. An attacker would simply send a specially crafted image file (e.g. via email or a web page) to the victim to exploit the vulnerability. He can then execute arbitrary code.

Don't count on Windows Update

The vulnerability is rated at a high risk level because it allows remote code execution. Microsoft has also released appropriate security updates for Windows 10. The BSI recommends patching – but the Microsoft security page for CVE-2020-17022 does not contain any links to download an update. Nothing can be downloaded via Windows Update either.

Only relevant for certain users

Now for the "but" – the topic, and the update, is only relevant for Windows 10 users who have installed the optional media codecs "HEVC Video Extensions" or "HEVC Video Extensions from Device Manufacturer" from the Microsoft Store. Affected users may be at risk, but will get the update automatically from the Microsoft Store. Users do not need to take any action to receive the update. Alternatively, if you want to be sure that you have received the update, you can check for updates using the Microsoft Store app.
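To find out whether this advisory applies to a machine at all, the installed Store codec packages can be listed from PowerShell. This is an added example, not code from the original post or from Microsoft; it assumes that the package names of both HEVC codec variants start with `Microsoft.HEVCVideoExtension`, and since the fixed package version is not stated here, the reported version has to be compared against Microsoft's advisory.

```powershell
# Added example (not from the original post): list the optional HEVC codec
# packages installed from the Microsoft Store, so a user can tell whether
# CVE-2020-17022 is relevant for this machine at all.
# Assumption: the package name prefix Microsoft.HEVCVideoExtension* covers
# both the Store codec and the "from the device manufacturer" variant.
function Get-HevcCodecStatus {
    [CmdletBinding()]
    param(
        # Check every user profile (requires an elevated prompt)
        # instead of only the current user's packages.
        [switch]$AllUsers
    )

    $query = @{ Name = 'Microsoft.HEVCVideoExtension*' }
    if ($AllUsers) { $query['AllUsers'] = $true }

    $packages = Get-AppxPackage @query
    if (-not $packages) {
        # No HEVC package installed: the codec library update does not apply here.
        return [pscustomobject]@{ Installed = $false; Packages = @() }
    }

    $report = foreach ($p in $packages) {
        [pscustomobject]@{
            Name       = $p.Name
            # Compare this against the fixed version given in Microsoft's advisory;
            # the fixed version is not stated in this post.
            Version    = $p.Version
            # Assumption: the name with a trailing 's' is the OEM-provided variant.
            OemVariant = ($p.Name -eq 'Microsoft.HEVCVideoExtensions')
            Status     = $p.Status
        }
    }
    return [pscustomobject]@{ Installed = $true; Packages = $report }
}

# Usage: report for the current user; add -AllUsers in an elevated prompt.
Get-HevcCodecStatus | Format-List
```

If a package shows up with an older version than the one in Microsoft's advisory, opening the Microsoft Store app and checking for updates, as described above, pulls the fixed package.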


Maybe this will help one user or another – a bell rang immediately when I read the above comment, because I had already read Woody Leonhard's note on Thursday.


This entry was posted in Security, Update, Windows.

2 Responses to Microsoft closes vulnerability CVE-2020-17022 in HEVC codec library (10/15/2020)

  1. matt says:

    Your link failed, as it contains a quote (") at the end – which causes the page to fail to load.
