The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is no stranger to urging Windows users to apply security updates urgently. Exactly one month ago to the day, on September 18, it released a rare emergency directive requiring federal agencies to apply one such Windows Server update within three days. This time around, there is no such requirement to comply, nor any evidence of exploitation of the threat in question in the wild. But when CISA says that an attacker could use this new vulnerability to take control of an affected Windows 10 system and encourages users to apply the emergency update, you are advised to take care nonetheless.
What is CVE-2020-17022?
Barely had the monthly Patch Tuesday security patch rollout, which covered 87 vulnerabilities, 11 of which were deemed critical, come and gone when Microsoft confirmed two more out-of-band security updates on Thursday, October 15. Rated critical by Microsoft, both could allow an attacker to take control of your Windows system through a remote code execution exploit. One, CVE-2020-17023, is a vulnerability in the Visual Studio Code editor. It’s the other one, CVE-2020-17022, that actually concerns me the most.
CVE-2020-17022 addresses a remote code execution vulnerability in the Microsoft Windows Codec Library, specifically in the way it handles objects in memory. Although Microsoft has made it clear that this vulnerability does not affect Windows 10 devices that remain in a default configuration, anyone who has installed the optional High-Efficiency Video Coding (HEVC) video codecs could be vulnerable. Additionally, all versions of Windows 10 from 1709 onwards are affected and no workarounds have been identified. It’s update or stay vulnerable, as simple as that, hence the CISA notice.
Microsoft has stated that “customers who have installed the optional HEVC or ‘device manufacturer’s HEVC’ media codecs from the Microsoft Store may be vulnerable” and that exploitation requires processing of a specially crafted malicious image file. If such a file is downloaded and processed by an application, however, the attacker could execute arbitrary code remotely.
This is a big deal.
“Remote code execution vulnerabilities provide an attacker with initial access to a system without any user action,” said Chris Hass, director of information security and research at Automox. “Unlike a malicious attachment in a phishing email, or a Trojan that you downloaded while trying to install a Minecraft mod,” Hass continues, “all the attacker needs to do is find an unpatched system, send the exploit and wait for the vulnerable system to give them access.”
Applying the emergency fix for Windows 10 users
The fix for this vulnerability does not, however, come through the usual Windows Update process, as you might expect. Instead, it’s delivered automatically by the Microsoft Store, assuming users have configured Microsoft Store apps to update automatically. I recommend that you check your Microsoft Store settings to make sure they are set that way, so that you get the protection you need.
To verify that the HEVC security update has been installed, Microsoft states that users can open “Settings, Apps & Features” and then select “HEVC, Advanced Options”. If the version displayed is 1.0.32762.0 or 1.0.32763.0 and later, your system is secure. If you have never installed any of the optional HEVC codecs, you are not affected in the first place. You can also click the “Get Updates for Microsoft Store” button on the Microsoft support page to reveal any apps that have updates available.
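The same check can be run from an elevated PowerShell prompt instead of clicking through Settings; this is an added example, not code from the article or from Microsoft. It assumes the two optional codecs are installed as the Store packages Microsoft.HEVCVideoExtension and Microsoft.HEVCVideoExtensions (the “device manufacturer” variant) and compares their versions against the fixed versions quoted above.

```powershell
# Assumed Store package names for the two optional HEVC codecs; the
# "device manufacturer" variant is the one with the trailing "s".
$packages = 'Microsoft.HEVCVideoExtension', 'Microsoft.HEVCVideoExtensions'

# Lowest fixed version per Microsoft's guidance (1.0.32763.0 and later also count).
$fixed = [version]'1.0.32762.0'

# -AllUsers needs elevation but also finds codecs installed under other accounts.
$installed = Get-AppxPackage -AllUsers | Where-Object { $packages -contains $_.Name }

if (-not $installed) {
    Write-Output 'No optional HEVC codec installed: not affected by CVE-2020-17022.'
    return
}

foreach ($pkg in $installed) {
    $ver = [version]$pkg.Version
    if ($ver -ge $fixed) {
        Write-Output "$($pkg.Name) $ver is at or above the fixed version."
    } else {
        Write-Warning "$($pkg.Name) $ver is below $fixed; open the Microsoft Store and fetch updates."
    }
}
```

A result below the fixed version on a machine that has Store updates disabled is the case the article warns about: the patch will not arrive until the Store is allowed to update apps.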
I have contacted Microsoft for more information about this vulnerability and will update the article if necessary.