Patch Now! Two Out of Band Patches Fix RCE in Windows

More info from Zdnet:

Hello - Will Automox be releasing a patch for this issue? ZDNet and the MS CVE both state customers don’t have to do anything. It will updated through MS Store.

FAQ

How do I get the updated Windows Media Codec?

Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update.

Alternatively, customers who want to receive the update immediately can check for updates with the Microsoft Store App; more information on this process can be found here.

The new patches should show up automatically in Automox. If you don’t see them in your environment, please let us know! Btw, you can search by CVE on the Software page, as an easy way to verify.

Just checking for the CVE myself but cannot seem to locate it in either Software or with the CVE ID filter via Devices. Any suggestions? I can PM you or contact support if you’d prefer? 🙂

Cheers!

I’m not seeing them either when I search. I’ll check in with the engineers and see if we can track down what’s going on.

Ok here’s what we found. While the two CVEs are coming in through the feed we use, there’s no patch payload attached. That’s why we initially thought the patches were live, but it looks like Microsoft hasn’t released them yet:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1457

If you look in the security section at the bottom of the page you’ll see all the download columns are blank.

Once the patches actually show up I’ll post back in here to let you know. Sorry about that!

Ok it looks like this one might have just been pushed out through the Microsoft Store rather than through Windows Update:

Which would explain why we’re not seeing it through the Windows Update feeds.

What about for people who block the windows store from their env? Any ideas how to grab this patch?

That is a very good question that I don’t know the answer to. Hopefully they’ll push it out via WU as well at some point. The vulnerability only affects devices that have the optional HEVC codec installed, so if you don’t have that on your systems then you don’t need the patches.

I believe that codec is only available through the MS Store, so they’re assuming that if you’ve downloaded it, you still have access to Store updates.

Thanks for chasing up Nic; appreciate it. 👌