Microsoft has published unscheduled fixes for two critical vulnerabilities that make it possible for attackers to execute malicious code on computers running any version of Windows 10.
Unlike the vast majority of Windows patches, the ones released on Tuesday were delivered through the Microsoft Store. The normal channel for operating System security fixes is Windows Update. Advisories here and here said users need not take any action to automatically receive and install the fixes.
“Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update,” both advisories said. “Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.”
When I checked both the Microsoft Store and the Windows Update on my Windows 10 laptop, however, I saw no confirmation that the patch had been installed. Normally, Windows 10 users can use the Windows Update tab within the Update and Security settings section to ensure patches have been installed. The link provided in the advisories offered no clarity. Microsoft representatives didn’t immediately respond to questions for clarification.
In a message received after this post went live, the person who discovered the vulnerabilities, Abdul-Aziz Hariri of Trend Micro’s Zero Day Initiative, confirmed theories several Ars readers have made in comments. They posited that that the update involved HEVC codecs, which are used in a Windows extension available from the Microsoft Store.
“The library affected is hevcdecoder_store.dll,” the researcher wrote. “That library is responsible for parsing HEIC images with HEVC codec. That library (extension) is available through the Windows Store. And since it’s a media codec downloaded from the Windows Store, I assume MS updated it through the Windows Store and not the Windows Update.”
Also, since this post went live, I managed to manually install the update by opening Microsoft Store, clicking the three dots at the top right, choosing Downloads and updates and pressing the blue Get updates button in the top right. My Microsoft Store settings are configured to receive app updates automatically, so it’s not clear why Microsoft’s advisory says users need not take any action to receive the update.
Both vulnerabilities reside in Windows code libraries that manage codecs used to render images or other multimedia content. Attackers can exploit the flaws to execute code of their choice or to obtain information stored on vulnerable systems. Exploits can be delivered in specially designed image files that corrupt computer memory. Presumably, the images could be delivered on compromised websites a target visits or when targets open a malicious file sent by email. Tuesday’s advisories didn’t say if exploits worked only when targets opened the malformed images in specific apps or any app.
Microsoft credited Abdul-Aziz Hariri of Trend Micro’s Zero Day Initiative with discovering and privately reporting the bugs. Both advisories indicate that there’s no evidence of the flaw being actively exploited in the wild. With no clear way to verify the patches have been installed, Windows 10 users for now will have to take Microsoft’s word that they’re automatically installed. This post will be updated if Microsoft responds to our questions.
Post updated to add newly available details in the fifth, sixth and seventh paragraphs.