Another HEVC codec bug fixed via the Microsoft Store – plus a couple of updates on this month’s mayhem

[Karlston]

Another HEVC codec bug fixed via the Microsoft Store – plus a couple of updates on this month’s mayhem

 

Back in July I wrote about two weird Microsoft Store patches for a couple of security holes in the HEVC codecs, which are programs that Microsoft created to let you play Apple HEVC files. (Protip: You probably don’t have them, unless you’ve installed codecs from the Store.)

 

Now comes word that we have another identified security hole in that same HEVC codecs, CVE-2020-17022

 

This warning isn’t for everybody. Per MS,

Only customers who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store may be vulnerable.

So unless you’ve specifically downloaded the Microsoft codec, you don’t need to worry about it – but be aware that this one is also coming through Windows Update the Microsoft Store. There’s a lengthy discussion of versions in the KB article.

 

The announcement also says that CVE-2020-17022 is a security hole in Remote Desktop Services, but it isn’t. Be calm, grasshopper.

 

There’s also a bug for Visual Studio programmers, CVE-2020-17023, which involves opening a nasty package.json file. If you’re using Visual Studio, watch out.

 

Finally, we have CVE-2020-16943, which was just updated (the original notice was released on Patch Tuesday). The problem? This security hole is in Microsoft Dynamics 365 Commerce. Microsoft posted about the fix on Patch Tuesday and then decided, two days later, to tell people that it doesn’t yet have a fix:

The security update for Dynamics 365 Commerce is not immediately available. The update will be released as soon as possible, and when it becomes available, customers will be notified via a revision to this CVE information.

Golly.

 

 

Another HEVC codec bug fixed via the Microsoft Store – plus a couple of updates on this month’s mayhem