The U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA) is no stranger to recommending that Windows users apply security updates as a matter of some urgency. Exactly one month ago to the day, on September 18, it released a rare Emergency Directive compelling federal agency Windows Server users to apply one such update within three days. This time around there is no such requirement to comply, nor is there any evidence of the threat in question being exploited in the wild. But when CISA says an attacker could use this new vulnerability to take control of an affected Windows 10 system and encourages users to apply the emergency update, you’d be advised to pay attention nonetheless.
What is CVE-2020-17022?
No sooner had the monthly Patch Tuesday rollout of security fixes, which covered 87 vulnerabilities of which 11 were deemed critical, come and gone than Microsoft confirmed two more out-of-band security updates on Thursday, October 15. Although rated “important” rather than critical by Microsoft, both could enable an attacker to take control of your Windows system by way of a remote code execution exploit. One, CVE-2020-17023, is a vulnerability in the Visual Studio Code editor. It’s the other, CVE-2020-17022, that I’m more concerned about, truth be told.
CVE-2020-17022 concerns a remote code execution vulnerability in the Microsoft Windows Codecs Library, specifically how it handles objects in memory. While Microsoft has been clear that this vulnerability does not impact those Windows 10 devices that remain in a default configuration, anyone who has installed the optional High-Efficiency Video Coding (HEVC) video codecs could be vulnerable. What’s more, all versions of Windows 10 from 1709 onwards are affected, and no mitigating workarounds have been identified. It’s update or remain vulnerable, as simple as that, hence the CISA advisory.
Microsoft has stated that “customers who have installed the optional HEVC or ‘HEVC from Device Manufacturer’ media codecs from Microsoft Store may be vulnerable,” and that exploitation requires the processing of a specially crafted malicious image file. However, if such a file is downloaded and processed by an application, the attacker could execute arbitrary code remotely.
This is a big deal.
“Remote Code Execution vulnerabilities provide an attacker with initial access to a system without any user action,” Chris Hass, director of information security and research at Automox, says. “Unlike a malicious attachment in a phishing email, or trojan horse that you downloaded when trying to install a Minecraft mod,” Hass continues, “all the attacker needs to do is find an unpatched system, send the exploit and wait for the vulnerable system to give them access.”
Applying the emergency fix for Windows 10 users
However, the fix for this vulnerability doesn’t come by way of the usual Windows Update process, as you might expect. Instead, it’s served up automatically by the Microsoft Store. Assuming, that is, users have Microsoft Store app updates configured to update automatically. I would advise you to check your Microsoft Store settings to ensure that they are; that way, you’ll get the protection you require.
To check that the HEVC security updates have been installed, Microsoft states that users can use ‘Settings, Apps & Features’ and then select ‘HEVC, Advanced Options.’ If the version shown is 1.0.32762.0 or 1.0.32763.0 or later, then your system is secured. If you have never installed one of the optional HEVC codecs, then you are not affected to begin with. You can also hit the “Get updates for Microsoft Store” button from this Microsoft support page to reveal all apps that have available updates.
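For anyone who would rather script that check than click through Settings on every machine, the following PowerShell snippet is an added example (not from the article or from Microsoft) that lists any installed optional HEVC codec packages and compares their version against the patched versions given above. It assumes the Store packages are named Microsoft.HEVCVideoExtension* (covering both the “HEVC Video Extensions” and the “HEVC from Device Manufacturer” variants).

```powershell
# Added example, not part of the original article: report whether the optional HEVC
# codec packages on this Windows 10 machine are at a version Microsoft lists as fixed
# for CVE-2020-17022 (1.0.32762.0 or 1.0.32763.0 or later).
# Assumption: the Microsoft Store packages are named Microsoft.HEVCVideoExtension*.
$FixedVersion = [version]'1.0.32762.0'   # lowest version the article lists as patched

# -AllUsers needs an elevated shell; fall back to the current user's packages otherwise.
try {
    $packages = Get-AppxPackage -AllUsers -Name 'Microsoft.HEVCVideoExtension*' -ErrorAction Stop
} catch {
    $packages = Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*'
}

if (-not $packages) {
    Write-Output 'No optional HEVC codec installed: this system is not affected by CVE-2020-17022.'
    return
}

foreach ($pkg in $packages) {
    $installed = [version]$pkg.Version
    if ($installed -ge $FixedVersion) {
        $status = 'PATCHED'
    } else {
        $status = 'VULNERABLE - update via Microsoft Store'
    }
    Write-Output ('{0,-40} {1,-14} {2}' -f $pkg.Name, $pkg.Version, $status)
}
```

Run it in an elevated PowerShell session to cover every user profile on the machine; without elevation it reports only the current user's packages.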
I have reached out to Microsoft for any further information about this vulnerability and will update the article should any be forthcoming.