Microsoft identified a critical vulnerability and closed it via the Microsoft Store

I have already addressed the question of how to handle the Microsoft Store correctly several times, for example in the article “Windows 10 and the Microsoft Store”. Now it is all the more important that IT departments deal with the topic again.

The Microsoft Store problem

Many companies deactivate the Windows Store, sometimes in inappropriate ways. The reason is usually an attempt to prevent the installation of games or unwanted applications. That goal is not wrong, but it should be achieved correctly. Wrong ways are, for example:

  • Uninstalling the Store application (not supported by Microsoft!)
  • Deleting the files of the Store application (not supported by Microsoft!)
  • Blocking the application with AppLocker or similar tools
  • Blocking the application with an anti-virus solution
  • Turning off the Store in the computer Group Policy

The security vulnerabilities

The vulnerabilities are in the Windows Codecs Library and affect Windows 10; a notice that Windows Server is affected was removed. They are listed at Microsoft under “CVE-2020-1425 Microsoft Windows Codecs Library Remote Code Execution Vulnerability” and “CVE-2020-1457 Microsoft Windows Codecs Library Remote Code Execution Vulnerability”.

[Screenshot: Store app]

The applications that include the updates

  • HEIF image extensions
  • HEVC Video Extensions
  • HEVC video enhancements from the device manufacturer

If you think the Store was never active and is therefore not a problem, you could be wrong. The HEVC video extension from the device manufacturer in particular could have been included in the image. In general, it cannot be ruled out that further security gaps will be closed in this way in the future.
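The following check is an added example and not part of the original article: it lists the codec extension packages that are installed or provisioned in the image and reports whether a Store policy is likely to keep them from updating. The package name patterns and the registry value names (RemoveWindowsStore, AutoDownload) are assumptions that are not stated in the article; compare the reported versions with the fixed versions given in Microsoft's advisories.

```powershell
# Added example: run in an elevated PowerShell session on Windows 10.
# Assumption: these name patterns match the HEIF/HEVC Store extensions named above.
$patterns = 'Microsoft.HEIFImageExtension*', 'Microsoft.HEVCVideoExtension*'

# Packages installed for any user profile on this machine.
$installed = foreach ($p in $patterns) {
    Get-AppxPackage -AllUsers -Name $p |
        Select-Object @{n = 'Source'; e = { 'Installed' } }, Name, Version
}

# Packages provisioned in the image (installed for every new user profile).
$provisioned = Get-AppxProvisionedPackage -Online |
    Where-Object { $n = $_.DisplayName; $patterns | Where-Object { $n -like $_ } } |
    Select-Object @{n = 'Source'; e = { 'Provisioned' } },
                  @{n = 'Name'; e = { $_.DisplayName } }, Version

# Computer policies that stop the Store from delivering updates.
# Assumption: RemoveWindowsStore = 1 turns the Store off,
#             AutoDownload = 2 turns automatic app updates off.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$policy = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
$storeOff      = $policy.RemoveWindowsStore -eq 1
$autoUpdateOff = $policy.AutoDownload -eq 2

$found = @($installed) + @($provisioned)
if (-not $found) {
    'No HEIF/HEVC codec extension packages found on this system.'
}
else {
    $found | Sort-Object Name, Source | Format-Table -AutoSize
    if ($storeOff -or $autoUpdateOff) {
        Write-Warning ("Codec extensions are present, but Store policy blocks updates " +
            "(Store off: $storeOff, automatic updates off: $autoUpdateOff).")
    }
}
```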

Conclusion

Now, at the latest, is the time to configure the Microsoft Store correctly in the organization. I have described the individual options and their consequences for users, including screenshots and the necessary group policies, in the article “Windows 10 and the Microsoft Store”.

This article first appeared on Infrastrukturhelden.de in German.

This article is a translation of the Infrastrukturhelden.de article “Microsoft entdeckt eine kritische Lücke und schleißt die über den Microsoft Store” (published 2020-07-02). Links may refer to other Infrastrukturhelden.de articles; these may also be available in English.

I may also still use screenshots of German systems. However, where it is possible for me with little effort, I insert screenshots of English systems.

Author: Fabian Niesen

Fabian Niesen has been working as an IT consultant for years. Here he writes privately and independently of his employer. Among other things, he is certified as MCSA Windows Server 2008 / 2012, MCSA Office 365, MCSA Windows 10, MCSE Messaging, MCT and Novell Certified Linux Administrator. Since 2016 he has also been MCT Regional Lead for Germany. His hobbies are social media, blogging, medieval markets, historical songs and house building.