What type of information could be disclosed by this vulnerability? An attacker who successfully exploited this vulnerability could potentially read small portions of heap memory. How do I get the updated app? The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately; see here for details. My system is in a disconnected environment; is it vulnerable? It is possible for customers to disable automatic updates for the Microsoft Store. The Microsoft Store will not automatically install this update for those customers. VLSC customers can visit the Volume Licensing Servicing Center to get the update https://www.microsoft.com/Licensing/servicecenter/. Customers using the Microsoft Store for Business and Microsoft Store for Education can get this update through their organizations. How can I check if the update is installed? App package versions 1.0.61591.0 and later contain this update. You can check the package version in PowerShell: Get-AppxPackage -Name Microsoft.VP9VideoExtensions According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? An attacker must send the user a malicious file and convince them to open it.
K24 Sec