Windows 10 Codecs patches released through the Microsoft Store
Microsoft released security updates last week through the Microsoft Store, which has confused many users who want to make sure that their systems are protected. Security updates are almost always released via Windows Update or as standalone updates that can be downloaded from the Microsoft Catalog.
On June 30th, Microsoft released two out-of-band security updates for remote code execution vulnerabilities in the Windows Codecs Library. At the time, Microsoft stated that the vulnerabilities affected both Windows 10 and Windows Server. Instead of delivering these security updates via Windows Update, Microsoft is rolling them out via auto-updates on the Microsoft Store.
Vulnerabilities in the HEVC Video Extensions
On July 1, Microsoft updated the advisories to include an FAQ, which states that Windows Server was not affected and that the vulnerabilities are in HEVC Video Extensions. This package is available from the Microsoft Store under the name “HEVC Video Extensions” or “HEVC Video Extensions from Device Manufacturer”.
Microsoft says that these are optional packages and that only people who have installed them will receive the update. The FAQ also states that the fixed versions of the extension are 1.0.31822.0 and 1.0.31823.0, and gives a PowerShell command that can be used to check the installed version.
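One way to run that version check across a machine, as an added example that is not taken from Microsoft's FAQ or from the original article. It assumes the package name matches the wildcard `*HEVCVideoExtension*` and treats the lower of the two fixed versions listed above as the minimum; the function name `Get-HevcPatchStatus` is hypothetical.

```powershell
# Added example: report whether installed HEVC codec packages are at a fixed version.
# Assumption: the Store package name matches this wildcard (not given in the article).
$NamePattern = '*HEVCVideoExtension*'

# Fixed versions as listed in the article. Which version belongs to which
# package is not stated there, so the lower one is used as the minimum.
$FixedVersions = [version[]]@('1.0.31822.0', '1.0.31823.0')
$MinimumFixed  = ($FixedVersions | Sort-Object)[0]

function Get-HevcPatchStatus {
    param(
        [Parameter(Mandatory)] [string]  $Name,
        [Parameter(Mandatory)] [version] $Version,
        [version] $Minimum = $MinimumFixed
    )
    # [version] compares numerically per component, unlike a string comparison.
    [pscustomobject]@{
        Name    = $Name
        Version = $Version
        Status  = if ($Version -ge $Minimum) { 'Fixed' } else { 'Needs update' }
    }
}

# -AllUsers covers every profile on the machine but requires elevation;
# fall back to the current user's packages when not running as administrator.
try {
    $packages = Get-AppxPackage -AllUsers -Name $NamePattern -ErrorAction Stop
} catch {
    $packages = Get-AppxPackage -Name $NamePattern
}

if (-not $packages) {
    # The codec is optional, so a machine without it has nothing to update.
    'HEVC Video Extensions not installed: nothing to update.'
} else {
    $packages | ForEach-Object {
        Get-HevcPatchStatus -Name $_.Name -Version $_.Version
    }
}
```

On machines where the Microsoft Store is disabled by policy, a "Needs update" result identifies hosts that will not pick up the fix through auto-update.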
“The vulns are in the hevcdecoder_store.dll extension (HEVC codec package). This extension is not installed by default. The bugs in this codec are triggered through HEIC images (HEIF extension package, which is installed by default). The HEVC package can be installed in multiple ways.”
Hariri said, “As far as I know, the user installs them manually through the store or accepting them to be installed from media applications like photos etc.”
Organizations that have the Microsoft Store disabled
Using a different distribution channel for Windows security updates makes things difficult for enterprises that have purposely disabled certain Windows features.
For companies that have disabled the Microsoft Store, vulnerable computers will not be able to receive the fixes unless this policy is removed.
A BornCity.com reader explained: “We have deactivated the store and we want to keep it that way.”
To add insult to injury, AskWoody has reported that some users are having problems installing the updates through the Microsoft Store. When they try to do so, they receive “access denied” errors.
Thus, between the lack of initial information and the use of the Microsoft Store to distribute security updates, this release has been confusing from the very beginning.