Microsoft identified a critical vulnerability and closed it via the Microsoft Store
I have already addressed the question of the correct handling of the Microsoft Store several times, for example in the article “Windows 10 and the Microsoft Store“. Now it is all more important that the IT departments deal with the topic again.
The Microsoft Store problem
Many companies deactivate the Windows Store sometimes inappropriately. The reasons for deactivation are mostly attempts to prevent the installation of games or unwanted applications. This is not wrong, but it should be done correctly. Wrong ways are, for example:
- Uninstalling the Store application (Not supported by Microsoft!)
- Delete the files of the Store application (Not supported by Microsoft!)
- Blocking the application with App-locker or similar tools
- Blocking applications with an anti-virus solution
- Turning off the store in Computer Group Policy
The security vulnerabilities
The vulnerability is in the Windows Codec libraries and affects Windows 10, a notice that Windows Server is affected would be removed. The vulnerabilities are listed at Microsoft under “CVE-2020-1425 Microsoft Windows Codecs Library Remote Code Execution Vulnerability” and “CVE-2020-1457 Microsoft Windows Codecs Library Remote Code Execution Vulnerability“.
The applications that are including the updates
- HEIF image extensions
- HEVC Video Extensions
- HEVC video enhancements from the device manufacturer
If you think the store was never active and therefore no problem, you could be wrong. Especially the HEVC video extension from the device manufacturer could have been included in the image. In general, it is not impossible that in the future further security gaps will be closed in this manner.
At the latest now is the time to configure the Microsoft Store correctly in the organization. I have described the individual possibilities and the following for the users including screenshots and the necessary group policies in the article “Windows 10 and the Microsoft Store“.
This article first appeared on Infrastrukturhelden.de in German.