If you own a Windows PC and a recent iPhone, the US government wants you to open the Windows Store today and make sure you have the latest version of the HEVC video codec.
The US government (specifically the Cybersecurity and Infrastructure Security Agency) has warned that the Microsoft Windows codec library includes a vulnerability in the way it handles objects stored in memory. A specially crafted image file could be used to remotely control your machine unless your PC is patched.
Many attacks on PCs require local access or the actual presence of a bad guy sitting at your keyboard. What concerns US CISA is the existence of an HEVC file specifically designed to monitor your PC. And it is not an idle threat: our colleagues at Macworld report that video recording using HEVC happens by default in iOS 11 and later, which means you probably won’t be suspicious of HEVC video attached to an email or found on the Internet.
If you don’t have an iPhone, you probably aren’t vulnerable. To be vulnerable, you would need to have downloaded the optional HEVC or “device manufacturer’s HEVC” media codecs from the Microsoft Store.
To fix the problem, you will also need to download the updated codec from the Store. The patched versions of the codec include versions 1.0.32762.0, 1.0.32763.0 and later. To check if you have the updated version, go to the Windows 10 Settings menu, then to Apps and Features, then to HEVC and Advanced Options. You will see the version number there. You can also start PowerShell from Windows and type the following command to see the version number:
Get-AppxPackage -Name Microsoft.HEVCVideoExtension*
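The same check can be scripted so that the version comparison is done for you. This is an added example, not code from the article or from Microsoft; it assumes that the lower of the two patched versions named above (1.0.32762.0) is the minimum acceptable version for every matching package, and the variable and property names are its own.

```powershell
# Minimum patched version. Assumption of this example: the lowest patched
# version listed in the article applies to every matching package.
$minPatched = [version]'1.0.32762.0'

# Same package name pattern as the command above; queries the current user.
$packages = @(Get-AppxPackage -Name 'Microsoft.HEVCVideoExtension*')

if ($packages.Count -eq 0) {
    # Without the optional codec installed there is nothing to update.
    Write-Output 'No HEVC video extension package is installed for this user.'
}
else {
    $packages | ForEach-Object {
        # Version is reported as a string; cast it so the comparison is
        # numeric per component rather than alphabetical.
        $installed = [version]$_.Version
        [pscustomobject]@{
            Name      = $_.Name
            Installed = $installed
            Required  = $minPatched
            Patched   = ($installed -ge $minPatched)
        }
    } | Format-Table -AutoSize
}
```

A row with Patched set to False means the codec still needs to be updated from the Microsoft Store.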
US CISA also warns of a second, unrelated vulnerability involving Visual Studio and a malformed JSON file. Although Visual Studio is generally used only by developers, if you are a user of that program, you will need to be careful with JSON files until Microsoft develops a patch.