Windows 10 critical flaw: US government issues warning of remote attack
Keep your Windows 10 apps updated
Windows 10 users, especially those who own iPhones, should visit the Windows Store and ensure they have the latest HEVC video codec version. Doing so could protect their PC from being remotely hacked.
Warnings of a vulnerability in the Windows HEVC video codec originate from the U.S. Department of Homeland Security, which published a notice urging Windows users to update their systems.
"Microsoft has released security updates to address remote code execution vulnerabilities affecting Windows Codecs Library and Visual Studio Code," wrote the Cybersecurity and Infrastructure Security Agency. "An attacker could exploit these vulnerabilities to take control of an affected system."
Only systems with the optional HEVC media codecs (found in the Microsoft Store) or Microsoft's Visual Studio software-development program installed are vulnerable to the flaw.
The HEVC, or High-Efficiency Video Coding, extensions found in the Microsoft Store allow you to play specially compressed videos, including 4K Blu-ray discs and videos shot on newer iPhone models.
Windows 10 vulnerability: How it works
As Microsoft explains in its security advisory, the first of the two flaws, in the HEVC codec, relates to how the Microsoft Windows Codecs Library handles objects in memory. The vulnerability can be remotely exploited using "a specially crafted image file."
The second flaw, found in Visual Studio Code, can be exploited when a malicious actor tricks a user into opening a "package.json" file. Once access to a system is gained, attackers can run "arbitrary code" and take control of the laptop or PC if the victim is logged in as an admin.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft wrote.
Neither flaw has been used in the wild, Microsoft claims.
Windows 10 flaw: What to do
The HEVC extensions app in the Microsoft Store should update automatically to a safer version; if it doesn't, we recommend manually updating it in the store as soon as possible.
To check whether your HEVC extensions are up-to-date, go to Settings, Apps & Features and select HEVC, Advanced Options. Here, you'll see different versions of the app — make sure you're on 1.0.32762.0, 1.0.32763.0, or later.
Alternatively, you can launch PowerShell and type in the following command to see your version number: Get-AppxPackage -Name Microsoft.HEVCVideoExtension*
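The version check above can also be scripted. The following is an added example, not code from Microsoft or from the original article; it assumes 1.0.32762.0, the lower of the two fixed versions listed above, as the minimum, and the function name Test-HevcPackage is made up for illustration.

```powershell
# Added example: list installed HEVC extension packages for the current user
# and flag any that are older than the minimum fixed version named above.

# Assumption: the lower of the two fixed versions listed in the article.
$minFixed = [version]'1.0.32762.0'

function Test-HevcPackage {
    param(
        [Parameter(Mandatory)] [string]  $Name,
        # Typed as [version] so the comparison is numeric per component.
        # Compared as plain strings, '1.0.4000.0' would sort above
        # '1.0.32762.0' and an old build could pass the check.
        [Parameter(Mandatory)] [version] $Version
    )
    [pscustomobject]@{
        Name    = $Name
        Version = $Version
        Status  = if ($Version -ge $minFixed) { 'OK' } else { 'UPDATE NEEDED' }
    }
}

# Same query as the command shown in the article.
$packages = @(Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*')

if ($packages.Count -eq 0) {
    Write-Output 'No HEVC extension package is installed for the current user.'
} else {
    $results = $packages | ForEach-Object {
        Test-HevcPackage -Name $_.Name -Version $_.Version
    }
    $results | Format-Table -AutoSize

    # A non-zero exit code lets a scheduled task or management tool
    # pick up machines that still need the Store update.
    if ($results.Status -contains 'UPDATE NEEDED') { exit 1 }
}
```

The script only inspects packages registered for the account that runs it, so run it once per user profile on shared machines.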
Visual Studio should also be updated manually to the latest version. You can find a download link on Microsoft's advisory page.
H/T Tom's Guide
Phillip Tracy is the assistant managing editor at Laptop Mag where he reviews laptops, phones and other gadgets while covering the latest industry news. After graduating with a journalism degree from the University of Texas at Austin, Phillip became a tech reporter at the Daily Dot. There, he wrote reviews for a range of gadgets and covered everything from social media trends to cybersecurity. Prior to that, he wrote for RCR Wireless News covering 5G and IoT. When he's not tinkering with devices, you can find Phillip playing video games, reading, traveling or watching soccer.