ARN

US govt warns of remote attack against Windows PCs editing iPhone video

If you're an iPhone owner and use a Windows PC, go to the Windows Store and make sure you have the latest patch.
  • Mark Hachman (PC World (US online))
  • 20 October, 2020 16:00

If you own a Windows PC as well as a recent iPhone, the U.S. government wants you to open the Windows Store today and make sure that you have the most recent version of the HEVC video codec.

The US government (specifically the Cybersecurity and Infrastructure Security Agency) has warned that the Microsoft Windows Codecs Library includes a vulnerability that affects how it handles objects stored in memory. Specifically, a specially-crafted image file could be used to remotely take over your machine unless your PC is patched.

Many attacks against PCs require local access, or the actual presence of a bad guy sitting at your keyboard. What the US CISA is worried about is the presence of an HEVC file specifically designed to take over your PC. And it’s no idle threat; our colleagues at Macworld report that recording video using HEVC occurs by default on iOS 11 and later, meaning that you most likely won’t be suspicious of an HEVC video attached to an email or on the Internet.

If you don’t own an iPhone, chances are that you’re not vulnerable. You’ll need to have downloaded the optional HEVC or “HEVC from Device Manufacturer” media codecs from the Microsoft Store to be vulnerable.

To patch the problem, you’ll need to download the updated codec from the Store, too. The patched versions of the codec include versions 1.0.32762.0, 1.0.32763.0, and later. To check to see if you have the updated version, go to the Windows 10 Settings menu, then to Apps & Features and then to HEVC, and Advanced Options. You’ll see the version number there. You can also launch PowerShell from within Windows and type in the following command to see the version number, too: 

Get-AppxPackage -Name Microsoft.HEVCVideoExtension*

US CISA also warns that a second, unrelated vulnerability applies to Visual Studio, and a malformed JSON file. Although Visual Studio usually only applies to developers, if you’re a user of that program, you’ll need to be wary of JSON files until Microsoft develops a patch.