Warnings of a vulnerability in the Windows HEVC video codec originate from the U.S. Department of Homeland Security, which published a notice urging Windows users to update their systems. 


“Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code,” wrote the Cybersecurity and Infrastructure Security Agency. “An attacker could exploit these vulnerabilities to take control of an affected system.”

Only systems with the optional HEVC media codecs (found in the Microsoft Store) or Microsoft’s Visual Studio software-development program installed are vulnerable to the flaw.

The HEVC, or High-Efficiency Video Coding, extensions found in the Microsoft Store allow you to play specially compressed videos, including 4K Blu-ray discs and videos shot on newer iPhone models.

Windows 10 vulnerability: How it works

As Microsoft explains in its security advisory, the first of two HEVC flaws relates to how the Microsoft Windows Codecs Library handles objects in memory. The vulnerability can be remotely exploited using “a specially crafted image file.” The second flaw, found in Visual Studio Code, can be exploited when a malicious actor tricks users into opening a “package.json” file.

Once access to a system is gained, attackers can run “arbitrary code” and take control of the laptop or PC if the victim is logged in as an admin.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft wrote.

Neither flaw has been used in the wild, Microsoft claims.

Windows 10 flaw: What to do

The HEVC extensions app in the Microsoft Store should update automatically to a safer version; otherwise, we recommend manually updating it in the store as soon as possible.

To check whether your HEVC extensions are up-to-date, go to Settings, Apps & Features and select HEVC, Advanced Options. Here, you’ll see different versions of the app; make sure you’re on 1.0.32762.0, 1.0.32763.0, or later.

Alternatively, you can launch PowerShell and type in the following command to see your version number:

Get-AppxPackage -Name Microsoft.HEVCVideoExtension*

Visual Studio should also be updated manually to the latest version. You can find a download link on Microsoft’s advisory page.

H/T Tom’s Guide
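The version check described above can be scripted so the comparison against the patched builds is done for you. This is an added example, not code from the article or from Microsoft; the function names are hypothetical, and treating 1.0.32762.0 as the lowest patched version is an assumption taken from the article's "1.0.32762.0, 1.0.32763.0, or later".

```powershell
# Added example: report whether installed HEVC extension packages are at or
# above the patched version named in the article.
# Assumption: 1.0.32762.0 is the lowest patched version.
$MinimumPatched = [version]'1.0.32762.0'

function Test-HevcVersion {
    param(
        [Parameter(Mandatory)] [string] $Version,
        [version] $Minimum = $MinimumPatched
    )
    # Compare as [version], not as strings: a string comparison would rank
    # '1.0.9999.0' above '1.0.32762.0'.
    return ([version]$Version -ge $Minimum)
}

function Get-HevcPatchStatus {
    param([switch] $AllUsers)   # -AllUsers requires an elevated session

    # Same package name pattern as the command in the article.
    $query = @{ Name = 'Microsoft.HEVCVideoExtension*' }
    if ($AllUsers) { $query.AllUsers = $true }

    $packages = @(Get-AppxPackage @query)
    if ($packages.Count -eq 0) {
        Write-Output 'No HEVC extension package found for this query.'
        return
    }

    foreach ($pkg in $packages) {
        [pscustomobject]@{
            Name         = $pkg.Name
            Architecture = $pkg.Architecture
            Version      = $pkg.Version
            Patched      = Test-HevcVersion -Version $pkg.Version
        }
    }
}

Get-HevcPatchStatus
```

Any row with Patched set to False should be updated through the Microsoft Store; on shared machines, run `Get-HevcPatchStatus -AllUsers` from an elevated prompt to cover packages installed under other accounts.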
