A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of the vulnerability requires that a program process a specially crafted image file. The update addresses the vulnerability by correcting how Microsoft Windows Codecs Library handles objects in memory.
How does a user know if the update has been installed? You can check the version of the installed package. For example, click on Settings, Apps & Features and select AV1 Video Extension, Advanced Options. You will see the version there. The secure versions are 1.1.31753.0 and later. Is Windows vulnerable in the default configuration? Only customers who have installed the optional "AV1 Video Extension" media codec from Microsoft Store may be vulnerable. How do I get the updated Windows Media Codec? Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update. Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here. Why are these security updates offered to affected clients via the Microsoft Store and not Windows Update? These updates are for optional apps/components that are offered to customers as a download via the Microsoft Store. Updates for optional store apps/components are provided via the Microsoft Store. My server is in a disconnected environment, is it vulnerable? AV1 is not available for offline distribution and not supported on Windows Server. Users should not have it installed in these environments. Enterprise customers using Store for Business will receive the update in the same manner as consumer Store. Why are these updates being offered outside of Update Tuesday? Servicing for store apps/components does not follow the monthly “Update Tuesday” cadence, but are offered whenever necessary. Are these updates for Microsoft store apps/components offered automatically when an affected component is on the system? Yes. However, it is possible to turn off automatic updating for store apps. In that scenario, these updates would not be installed automatically. How can I check from PowerShell if the update is installed? The following command will display the vers
Abdul-Aziz Hariri of Trend Micro Zero Day Initiative